Axie Infinity's Ethereum sidechain, Ronin, was hacked for over $600M in ETH and USDC. Sky Mavis, Axie Infinity's developer, became aware of the hack on March 29, when a user couldn't withdraw ETH using the Ronin bridge.
Axie Infinity (AXS) is a popular NFT game in which players breed and fight NFT monsters, similar to Pokemon. The game has a $3.8B market cap, 2.6M wallets, and an ecosystem moving billions every month. In response to Ethereum's high gas fees, Sky Mavis created the Ronin sidechain. Players can bridge other cryptos onto Ronin and play the game without paying high gas fees.
According to Sky Mavis, the attacker used compromised validator private keys to forge withdrawals, draining the ETH and USDC in two transactions on March 23, 2022. It took almost six days for anyone to notice.
Both Sky Mavis's own Ronin validator nodes and the Axie DAO's validator node were compromised. Sky Mavis believes the private keys were obtained through a combination of social engineering and conventional intrusion techniques.
According to Sky Mavis, the attack was possible because Sky Mavis and the Axie DAO used bad security practices to handle high player volume late last year: "Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked. Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC."
The Ronin sidechain was a good target for an attack like this because it has only 9 validators, and the bridge releases funds once 5 of the 9 have signed a withdrawal. Sky Mavis operated four of those validators; the fifth signature came from the Axie DAO validator via the stale allowlist, which gave the attacker exactly the 5-of-9 quorum the bridge required. Following the attack, Sky Mavis says it will raise the threshold so that 8 of 9 validators must sign a transaction.
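The threshold check and the stale-allowlist path described above, as an added illustration that is not code from Sky Mavis or the Ronin bridge: a 9-validator set, a bridge that accepts a withdrawal once `threshold` distinct validator signatures verify, and an Axie DAO validator node that will sign any request from a caller on its allowlist. Ed25519 stands in for the bridge's real signature scheme, and all names, the message encoding, the amount and the `SignFor` RPC model are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Validator is one bridge validator. The bridge only ever consults Pub; the
// private key and the RPC allowlist live on the validator node itself.
type Validator struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	// allowlist: requester identities this node will sign on behalf of when asked
	// over its RPC. Hypothetical model of the gas-free RPC allowlist in the writeup.
	allowlist map[string]bool
}

func newValidator(name string) *Validator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Validator{Name: name, Pub: pub, priv: priv, allowlist: map[string]bool{}}
}

// Sign signs with the validator's own key (what a compromised key lets the attacker do).
func (v *Validator) Sign(msg []byte) []byte { return ed25519.Sign(v.priv, msg) }

// SignFor models the RPC path: the node signs msg for any allowlisted requester.
// Nothing here checks that the request is legitimate; the allowlist is the only gate.
func (v *Validator) SignFor(requester string, msg []byte) ([]byte, bool) {
	if !v.allowlist[requester] {
		return nil, false
	}
	return v.Sign(msg), true
}

// withdrawalMsg is a simplified canonical encoding of a bridge withdrawal (assumed).
func withdrawalMsg(to string, amountEth uint64, nonce uint64) []byte {
	return []byte(fmt.Sprintf("withdraw|%s|%d|%d", to, amountEth, nonce))
}

// countValidSigs counts distinct validators whose signature over msg verifies.
// sigs is keyed by validator name, so the same signature submitted twice counts once.
func countValidSigs(msg []byte, validators []*Validator, sigs map[string][]byte) int {
	n := 0
	for _, v := range validators {
		if sig, ok := sigs[v.Name]; ok && ed25519.Verify(v.Pub, msg, sig) {
			n++
		}
	}
	return n
}

// approveWithdrawal is the bridge's release check: threshold-of-N valid signatures.
func approveWithdrawal(msg []byte, validators []*Validator, sigs map[string][]byte, threshold int) bool {
	return countValidSigs(msg, validators, sigs) >= threshold
}

// simulate builds a 9-validator set in which the attacker holds the keys of the
// four Sky Mavis nodes, optionally leaves the Axie DAO node's allowlist entry for
// "sky-mavis" in place, and reports whether a forged withdrawal reaches threshold.
func simulate(staleAllowlist bool, threshold int) bool {
	var validators []*Validator
	for i := 0; i < 4; i++ {
		validators = append(validators, newValidator(fmt.Sprintf("sky-mavis-%d", i)))
	}
	dao := newValidator("axie-dao")
	validators = append(validators, dao)
	for i := 0; i < 4; i++ {
		validators = append(validators, newValidator(fmt.Sprintf("other-%d", i)))
	}
	if staleAllowlist {
		dao.allowlist["sky-mavis"] = true // should have been revoked in December 2021
	}

	msg := withdrawalMsg("0xattacker", 1000, 1) // constructed sample withdrawal
	sigs := map[string][]byte{}
	for _, v := range validators[:4] { // signatures from the four compromised keys
		sigs[v.Name] = v.Sign(msg)
	}
	// Fifth signature: ask the DAO node over RPC, claiming to be the allowlisted caller.
	if sig, ok := dao.SignFor("sky-mavis", msg); ok {
		sigs[dao.Name] = sig
	}
	return approveWithdrawal(msg, validators, sigs, threshold)
}

func main() {
	fmt.Println("stale allowlist, 5-of-9:", simulate(true, 5))  // true: funds released
	fmt.Println("allowlist revoked, 5-of-9:", simulate(false, 5)) // false: only 4 signatures
	fmt.Println("stale allowlist, 8-of-9:", simulate(true, 8))  // false: 5 < 8
}
```

Two separate fixes each close the hole in this model: revoking the allowlist leaves the attacker one signature short at 5-of-9, and raising the threshold to 8-of-9 means four compromised keys plus one delegated signature are no longer enough even with the allowlist still in place. Neither fix addresses a further point worth noting: with 4 of 9 keys held by one operator, a single intrusion into that operator reaches most of the way to quorum regardless of the threshold.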
In its writeup of the hack, Sky Mavis says all AXS, RON, and SLP on the Ronin sidechain are safe at this time. Sky Mavis also halted all transactions on the Ronin bridge and its decentralized exchange, the Katana DEX. The company says it will recover or reimburse all stolen player funds, but it did not say when.
Sky Mavis is working with the blockchain analysis firm Chainalysis to trace the stolen ETH and USDC, and with centralized exchanges to blacklist the tainted funds. Binance has also disabled its bridge to Ronin.