The Ronin Network, a blockchain system that runs Sky Mavis' popular NFT game Axie Infinity, has been hacked, with about $625 million worth of funds stolen in a massive theft.
The Ronin bridge was «exploited» for 173,600 Ethereum and 25.5M USDC, the Ronin Network announced in a blog post, adding that the bridge and the Katana Dex have now been halted as a result. The Ronin Network said it's actively working with law enforcement, as well as forensic cryptographers and its own investors, to ensure that «all funds are recovered or reimbursed.»
In the announcement, the Ronin Network said it discovered today (March 29) that Sky Mavis' Ronin validator nodes and the Axie DAO validator nodes were compromised on March 23, leading to the theft. Two transactions took place, with the hacker using «private keys» to create fake withdrawals, the company said. «We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge,» Ronin Network said.
Ronin Network explained that the only way to deposit or withdraw funds from the Ronin chain is to obtain five out of nine validator signatures. The attacking party gained access to four validators from Ronin and one from a third party run by Axie DAO, Ronin Network said.
«The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator,» it said. «This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf.»
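The five-of-nine threshold and the allowlist described above can be checked with a small concentration audit. This is an added example, not code from Ronin or Sky Mavis: it counts how many independent operators must be compromised to reach the signing threshold once delegations are followed. The validator names, the four `operator-*` entries and the function names are constructed placeholders.

```python
from itertools import combinations

THRESHOLD = 5  # five of nine validator signatures, per the article

# validator -> operator. Four Sky Mavis validators and one Axie DAO validator
# come from the article; the remaining four operators are constructed placeholders.
VALIDATORS = {
    "sm-1": "Sky Mavis", "sm-2": "Sky Mavis", "sm-3": "Sky Mavis", "sm-4": "Sky Mavis",
    "dao-1": "Axie DAO",
    "v6": "operator-A", "v7": "operator-B", "v8": "operator-C", "v9": "operator-D",
}

# (grantor, grantee): the grantee can obtain signatures from the grantor's validators.
# Models the allowlist the Axie DAO granted to Sky Mavis.
DELEGATIONS = {("Axie DAO", "Sky Mavis")}

def reachable_operators(compromised, delegations):
    """Operators whose signatures become obtainable, following delegations transitively."""
    reach = set(compromised)
    changed = True
    while changed:
        changed = False
        for grantor, grantee in delegations:
            if grantee in reach and grantor not in reach:
                reach.add(grantor)
                changed = True
    return reach

def signatures_controlled(compromised, validators, delegations):
    """Number of validator signatures obtainable from a set of compromised operators."""
    reach = reachable_operators(compromised, delegations)
    return sum(1 for operator in validators.values() if operator in reach)

def min_operators_to_reach_threshold(validators, delegations, threshold):
    """Smallest operator set whose compromise yields at least `threshold` signatures."""
    operators = sorted(set(validators.values()))
    for k in range(1, len(operators) + 1):
        for combo in combinations(operators, k):
            if signatures_controlled(combo, validators, delegations) >= threshold:
                return k, combo
    return None

if __name__ == "__main__":
    for label, delegs in (("with allowlist", DELEGATIONS), ("without allowlist", set())):
        k, combo = min_operators_to_reach_threshold(VALIDATORS, delegs, THRESHOLD)
        print(f"{label}: {k} operator(s) suffice -> {combo}")
```

With the allowlist in place, the nine-key scheme collapses to a single trust domain; without it, at least two independent operators are needed.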