Cryptocurrency worth $625 million has been stolen from Ronin, the network underlying the game. Sky Mavis froze transactions on the Ronin bridge, which lets users deposit and withdraw funds, after the company discovered a breach.
Sky Mavis is working with law enforcement to recover 173,600 ether and 25.5 million USDC from the person who withdrew it from the network on March 23rd. The bridge to Sky Mavis was the focus of the attack. Users could deposit money into Ronin, then purchase non-fungible token items or in-game currency, or they could sell their in-game assets and withdraw the money.
Sky Mavis said that an attacker used hacked private security keys to compromise the network. The attacker was able to quietly withdraw large quantities of ether and USDC. A week later, another user tried to withdraw 5,000 ether from the bridge.
“As we’ve witnessed, Ronin is not immune to exploitation”
The SLP and AXS in-game cryptocurrencies have not been compromised, nor has the NFT token been compromised, according to Sky Mavis. Adi bought three axies for a total of $105 last month in order to report on the game; axies are currently selling for around $25 apiece. The hack leaves the fate of other user funds in question, as the freezing of withdrawals and deposits effectively locks out many new players. Sky Mavis is working with law enforcement officials, forensic cryptographers, and investors to make sure there is no loss of user funds.
Proof-of-stake systems like Ronin are less energy intensive than proof-of-work systems. New transactions are reviewed to confirm that their inputs and outputs match and that authorization signatures are valid. The hack shows that using a smaller number of nodes can create security risks if a majority of them are compromised. It is a potential vulnerability in a system that is being advertised as both cheaper and more eco-friendly.
Validator nodes are a key feature of less energy-intensive blockchains
Sky Mavis said that the attack was possible because of a shortcut the company took to relieve a load on its network in November of last year. Permissions that allowed the system to continue were never revoked. Four of Sky Mavis' own nodes were compromised and the attacker was able to get access to one managed by the Axie DAO. The attacker was able to take whatever funds they wanted after compromising five of the nine validator nodes.
Sky Mavis says it will increase the required number of nodes to eight for transactions, and it will reopen the Ronin bridge once it is certain no more funds can be drained. A $322 million theft from the bridge protocol Wormhole last month was the largest hack to date of decentralized finance networks.
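A small quorum audit for the validator setup described above, added here as an illustration and not Sky Mavis's or Ronin's code. It models the never-revoked permission as a delegation that lets Sky Mavis sign for the Axie DAO validator; that modeling, the four "Partner" operators and all function names are assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Validator:
    name: str
    operator: str                           # party that runs the node and holds its key
    delegated_to: frozenset = frozenset()   # parties still permitted to sign for it

def effective_control(validators):
    """Map each party to the validators it can sign for, directly or by delegation."""
    control = {}
    for v in validators:
        for party in {v.operator} | v.delegated_to:
            control.setdefault(party, set()).add(v.name)
    return control

def min_parties_for_quorum(validators, threshold):
    """Smallest group of parties whose combined signing reach meets the threshold."""
    control = effective_control(validators)
    for k in range(1, len(control) + 1):
        for group in combinations(sorted(control), k):
            reach = set().union(*(control[p] for p in group))
            if len(reach) >= threshold:
                return group
    return ()

def build_set(stale_delegation):
    """Constructed 9-validator set: 4 Sky Mavis, 1 Axie DAO, 4 hypothetical partners."""
    delegates = frozenset({"Sky Mavis"}) if stale_delegation else frozenset()
    nodes = [Validator(f"sky-mavis-{i}", "Sky Mavis") for i in range(1, 5)]
    nodes.append(Validator("axie-dao", "Axie DAO", delegates))
    nodes += [Validator(f"partner-{c}", f"Partner {c}") for c in "ABCD"]
    return nodes

if __name__ == "__main__":
    for stale in (True, False):
        for threshold in (5, 8):
            group = min_parties_for_quorum(build_set(stale), threshold)
            print(f"stale_delegation={stale} threshold={threshold}/9 -> "
                  f"{len(group)} parties must be compromised: {', '.join(group)}")
```

With the stale delegation in place a single operator reaches the five-of-nine quorum; revoking it raises that to two parties, and an eight-signature threshold requires four or five.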
The company said that the attack has reinforced the importance of security, remaining vigilant, and mitigating all threats.