Hackers stole more than $600 million in cryptocurrency from Sky Mavis, developers of popular NFT-based video game Axie Infinity.
The attack occurred on March 23, according to a post published by the developer Tuesday, when a threat actor breached the Ronin bridge, which is used to support the exchange and interoperability of different cryptocurrencies from different blockchains. Specifically, the threat actor compromised a series of validator nodes connected to Sky Mavis and their non-fungible token (NFT) game, Axie Infinity.
Sky Mavis, which developed the Ronin Network sidechain, said in the post that hackers stole 173,600 Ethereum and 25.5 million in USD Coin, a coin that maintains the value of the U.S. dollar, totaling approximately $620 million. The cryptocurrency was drained in two transactions, which happened when "the attacker used hacked private keys in order to forge fake withdrawals."
Sky Mavis said its Ronin chain includes nine validator nodes, which are used to verify deposits and withdrawals. Five node signatures are needed to verify a transaction, and the actor obtained said signatures by gaining control over four of Sky Mavis' validator nodes and a third-party one operated by Axie Infinity's decentralized autonomous organization (DAO).
The Axie Infinity sidechain hack occurred when an attacker "found a backdoor through our gas-free RPC [remote procedure call] node" and used it to access the Axie DAO validator. This, as the post explained, was not supposed to be possible.
"This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load," the post read. "The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked."
Sky Mavis said that "the signature in the malicious withdrawals match up with the five suspected validators."
It's unclear how attackers obtained the private keys, or if the backdoor in question was placed by threat actors or created by design for the company. Sky Mavis did not respond to SearchSecurity's request for comment.
The developer said that going forward, it has prevented future attacks in part by raising the validator threshold from five nodes to eight.
Sky Mavis is also "working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed." The company disclosed the Ethereum wallet address of the threat actor, which held approximately $595 million at press time.
In addition, Sky Mavis said it has "temporarily paused" the Ronin bridge to ensure no other attack vectors are open as the developer investigates the sidechain hack.
Axie Infinity, Sky Mavis' tentpole game, is part of an emerging category of NFT video games. Players collect and mint NFTs represented in the game as digital pets that can be used in battle against other pets, or "Axies." Players pay starting costs to play, but can earn -- and cash out -- cryptocurrency as an in-game currency through gameplay.
Cryptocurrency cyber attacks have been on the rise in recent months. Last month, for example, cryptocurrency platform Wormhole reported that a threat actor stole a trove of wrapped Ethereum worth hundreds of millions of dollars.
Alexander Culafi is a writer, journalist and podcaster based in Boston.