NFT Game Axie Infinity Suffers Hack, Loses $625M Worth Of Crypto

Announcements, Crime, News | March 30, 2022

The biggest hack in crypto may have just occurred.

Ronin Network, part of Axie Infinity, announced in a blog post yesterday that hackers made off with over $625 million in Ethereum and USDC, noting that an attacker had “used hacked private keys in order to forge fake withdrawals.” The exploit is the largest of its kind, surpassing the historic $300 million Wormhole protocol exploit in February and the $130 million BadgerDAO hack in December.

According to Ronin’s team, the attacker got access to Sky Mavis systems and was able to get the signature from the Axie DAO validator by using the gas-free RPC. The team also confirmed that the signature in the malicious withdrawals matches up with the five suspected validators.

“We are working directly with various government agencies to ensure the criminals get brought to justice,” said Ronin’s team. “We are in the process of discussing with Axie Infinity / Sky Mavis stakeholders about how to best move forward and ensure no users’ funds are lost. Sky Mavis is here for the long term and will continue to build.”

Commenting on the event, cybersecurity audit firm CertiK said that in crypto you always hear about the importance of Private Key management and how important it is to keep keys safe. Unfortunately, Ronin Network paid the ultimate price and lost $620M in Ethereum due to an attacker gaining access to the private keys.

“In a Post-Mortem, they pointed out that ‘In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO. This gave the attacker the majority control over the network and the ability to recognize the withdrawal event,’” CertiK said. “Through this unfortunate event, we hope to remind users and projects of the importance of proper private key management. SkyMavis applied a multisig to avoid the single point of failure, which is a great step in security. Multisig refers to requiring multiple keys to authorize a transaction, rather than a single signature from one key. However, during an event for Axie DAO growth, access was given to the Axie DAO validator access to distribute free transactions back in November 2021. This access was not revoked later and gave the attacker access. It is very important to remember to revoke the allow list or white list access after an event or function is completed.”
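
The condition described in the post-mortem quote above can be checked for mechanically. The following is an added example, not code from Ronin, Sky Mavis or CertiK: it counts how many validator signatures each party can obtain once unrevoked allowlist grants are included, and flags any party that alone reaches the five-of-nine threshold. The key ids, the four remaining operators and the exact dates are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

THRESHOLD = 5  # five of nine validator signatures, as stated in the post-mortem

# Constructed validator set. The operator split (4 Sky Mavis, 1 Axie DAO) is from
# the article; key ids and the four remaining operators are hypothetical.
VALIDATORS = {f"sky-mavis-{i}": "Sky Mavis" for i in range(1, 5)}
VALIDATORS["axie-dao"] = "Axie DAO"
VALIDATORS.update({f"other-{i}": f"Operator {i}" for i in range(1, 5)})

# Constructed allowlist record: the grantee can obtain the validator's signature.
# The article gives only "November 2021"; the day is made up.
DELEGATIONS = [{"validator": "axie-dao", "grantee": "Sky Mavis",
                "granted": date(2021, 11, 1), "revoked": None}]


def effective_control(validators, delegations, as_of):
    """Map each party to the validator keys it can cause to sign on `as_of`."""
    control = defaultdict(set)
    for key, operator in validators.items():
        control[operator].add(key)
    for d in delegations:
        active = d["granted"] <= as_of and (d["revoked"] is None or d["revoked"] > as_of)
        if active and d["validator"] in validators:
            control[d["grantee"]].add(d["validator"])
    return control


def audit(validators, delegations, as_of, threshold=THRESHOLD):
    """Return (party, own_keys, reachable_keys, delegated_keys) for every party
    whose compromise alone would satisfy the signing threshold."""
    findings = []
    for party, keys in sorted(effective_control(validators, delegations, as_of).items()):
        own = {k for k in keys if validators[k] == party}
        if len(keys) >= threshold:
            findings.append((party, len(own), len(keys), sorted(keys - own)))
    return findings


if __name__ == "__main__":
    for party, own, total, via in audit(VALIDATORS, DELEGATIONS, date(2022, 3, 1)):
        print(f"{party}: operates {own}, can reach {total}/{len(VALIDATORS)} "
              f"(threshold {THRESHOLD}) via unrevoked grants on {via}")
```

Run against the constructed data, the audit flags Sky Mavis because its four own validators plus the one unrevoked grant reach the threshold; setting a `revoked` date on the grant clears the finding.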