Axie Infinity

gamedeveloper.com:

Hackers have stolen $622 million from the 'Ronin' blockchain network that powers the popular NFT-based online game, Axie Infinity.

Developed by Vietnamese studio Sky Mavis, Axie Infinity allows players to collect and mint NFTs to claim ownership of axolotl-inspired virtual pets called "Axies."

As reported by Fortune, the perpetrators targeted the Ronin Network and walked away with 173,600 Ethereum (ETH) and 25.5 million USD Coins (USDC), which combined are worth hundreds of millions.

Ronin confirmed the breach in a post on social media and said it's "working with law enforcement officials, forensic cryptographers, and our investors to make sure that all funds are recovered or reimbursed."

Outlining how the theft took place, Ronin said the attacker used hacked private keys in order to forge fake withdrawals and was made aware of the breach after a user reported being unable to withdraw 5,000 ETH.

"Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO," reads the Ronin statement.

"The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.

"This traces back to November 2021 when the Axie DAO validator was allowlisted to distribute free transactions. This was discontinued in December 2021, but the Axie DAO validator IP was still on the allowlist. Once the attacker got access to Sky Mavis systems they were