Roughly $625 million worth of cryptocurrency was stolen from Ronin Network, an Ethereum-linked sidechain used for the popular NFT-based game Axie Infinity, according to a statement Tuesday.
According to the statement, the Ronin bridge, which connects the Ronin blockchain to other cryptocurrencies like Ethereum, was exploited for 173,600 Ethereum and 25.5 million USDC, a digital currency linked directly to the U.S. dollar. The Ronin bridge allowed users to deposit Ethereum or USDC to Ronin, then purchase NFTs or in-game currency. Users could also sell their in-game assets and withdraw money using the bridge.
Sky Mavis, which operates Axie, said it is working with law enforcement and government agencies to recover the stolen funds and bring the hackers to justice. Since the hack, Ronin’s network has been locked, effectively stopping new players from entering the game or buying in-game items. The hack and subsequent freeze put the future of current users’ funds into question, since users cannot withdraw any of their in-game money.
The hack exploited validator nodes, which some cryptocurrencies use as a faster and more efficient means of processing transactions. Using a smaller number of nodes can be great for speed, but if a majority of the nodes are compromised, it becomes a major security risk. Sky Mavis announced it would be raising the threshold of validator nodes that need to sign off on transactions, in the hope that this improves security and prevents future hacks.
The Ronin hack was possible in part because of a shortcut the company itself created last year due to an “immense user load.” The shortcut allowed users to more readily send and receive funds, and was discontinued in December. However, the permissions that the shortcut granted were never revoked. After exploiting five out of the eight nodes, the attacker could approve any transactions and withdraw whatever money they wanted.
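The risk described in the two paragraphs above can be checked as a configuration audit. The sketch below is an added example, not code from Sky Mavis or from the statement: the operator names, the validator-to-operator mapping and the grant record are constructed, and only the five-of-eight figure follows the article. It reports permissions that outlived their feature and how many separate operators would have to be compromised to reach the signing threshold.

```python
from itertools import combinations

# Constructed sample data: validator node -> operator holding its signing key.
VALIDATORS = {
    "v1": "op-a", "v2": "op-a", "v3": "op-a", "v4": "op-a",
    "v5": "op-b", "v6": "op-c", "v7": "op-d", "v8": "op-e",
}
THRESHOLD = 5  # signatures needed to approve a withdrawal (five of eight)

# Constructed grant: op-b once let op-a sign on its behalf for a shortcut
# feature that has since been discontinued, but the permission was never revoked.
GRANTS = [{"grantor": "op-b", "grantee": "op-a",
           "feature_active": False, "revoked": False}]


def stale_grants(grants):
    """Permissions that outlived the feature they were created for."""
    return [g for g in grants if not g["feature_active"] and not g["revoked"]]


def reachable_validators(compromised, validators, grants):
    """Validators that can sign once the given operators are compromised."""
    ops = set(compromised)
    changed = True
    while changed:  # follow unrevoked grants transitively
        changed = False
        for g in grants:
            if not g["revoked"] and g["grantee"] in ops and g["grantor"] not in ops:
                ops.add(g["grantor"])
                changed = True
    return {v for v, op in validators.items() if op in ops}


def min_operators_to_quorum(validators, grants, threshold):
    """Fewest operators whose compromise yields `threshold` signatures."""
    operators = sorted(set(validators.values()))
    for k in range(1, len(operators) + 1):
        for combo in combinations(operators, k):
            if len(reachable_validators(combo, validators, grants)) >= threshold:
                return k, combo
    return None, ()


if __name__ == "__main__":
    print("stale grants:", stale_grants(GRANTS))
    print("as configured:", min_operators_to_quorum(VALIDATORS, GRANTS, THRESHOLD))
    fixed = [dict(g, revoked=True) for g in GRANTS]
    print("after revoking:", min_operators_to_quorum(VALIDATORS, fixed, THRESHOLD))
```

With the stale grant in place, a single operator is enough to reach the threshold in this constructed set; revoking it raises the number to two, which is the kind of margin a higher validator threshold is meant to add.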
The Ronin hack appears to be either the largest or second-largest hack to date of a decentralized finance network and comes on the heels of the Wormhole bridge hack last month, in which $322 million was stolen.
“As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats,” the company said in the statement. “We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks.”