Axie Infinity looks like a cross between a Tamagotchi and Pokémon, a “digital pet universe where players battle, raise, and trade fantasy creatures called Axies,” creatures that happen to be NFTs. A February 2022 writeup by Decrypt.co described it as “the play-to-earn NFT game taking crypto by storm,” but in a shocking development the game has now been taken by hackers, to the tune of more than $600 million—making it one of the biggest crypto heists of all time.
Axie makes use of Ronin, a “sidechain” designed specifically for the game that enables users to access the Ethereum blockchain without paying many of the standard transaction fees. A sidechain, as defined by HackerNoon, is “a separate blockchain that is attached to its parent blockchain using a two-way peg [that] enables interchangeability of assets at a predetermined rate between the parent blockchain and the sidechain.”
In simpler terms, it means that Axie Infinity players must have both a Ronin and an Ethereum wallet: Cryptocurrency from the Ethereum wallet is transferred to the Ronin wallet via the Ronin bridge, at which point it can be used to purchase Axies, the game’s little creatures. In the game’s current alpha state, Axies can be bred, raised, trained, and forced to fight one another for your amusement. Naturally, they can also be bought and sold on the blockchain.
It’s complicated and honestly most of the process goes over my head, but what’s important isn’t what it does but what was done to it: As reported in a Ronin Newsletter update, the Ronin bridge has been “exploited” for 173,600 Ethereum and 25.5M USDC, which at the moment converts to more than $617 million.
Important announcement regarding a security breach on the Ronin Network. https://t.co/88TilOGTX6March 29, 2022
The Ronin post explains that Axie developer Sky Mavis has nine “validator nodes” on the Ronin network, five of which are required to verify and approve deposits and withdrawals—kind of like a digital majority vote that automates the process in order to keep things happening at a reasonable pace. The system is decentralized in order to protect against attacks like this, but the attacker was nonetheless able to gain control of Sky Mavis’ four validators and a third-party validator—enough to forge the withdrawals.
Ironically (but not at all surprisingly), it looks like this heist was enabled at least in part by human error. The report says that in November 2021, Sky Mavis requested help from the Axie DAO (Decentralized Autonomous Organization) to help it distribute free transactions to Axie Infinity players because it couldn’t manage the user load on its own. Axie DAO “allowlisted” Sky Mavis to enable transactions, but when the arrangement ended a month later, nobody revoked the allowlist access.
The good news, as far as it goes, is that most of the stolen money is still in the hacker’s wallet, which will presumably make it easier to recover, and that all crypto still on Ronin is safe, although also inaccessible. Sky Mavis said it has been in touch with security teams at “major exchanges,” and has temporarily halted the Ronin bridge in order to prevent further attacks. Activity will be re-enabled “at a later date once we are certain no funds can be drained.”
The breach took place on March 23 but wasn’t discovered until March 29, when a user attempted to withdraw 5,000 ETH from the bridge and was unable to do so. That’s not a great testament to the network’s security, a point Sky Mavis seemed to acknowledge in its message.
“As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats,” it wrote. “We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks.
“ETH and USDC deposits on Ronin have been drained from the bridge contract. We are working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds. This is our top priority right now.”
Sky Mavis also pledged to ensure that “all of the drained funds are recovered or reimbursed.”
Cryptocurrency values fluctuate wildly—you can see a year of Ethereum’s ups and downs in the chart below—but right now the real-money value of the heist outstrips the $610 million crypto-job that took place in August 2021, described at the time “the biggest DeFi (decentralized finance) heist ever.”
A year in ETH: