advertisement
advertisement

Hackers make off with $625 million from Axie Infinity’s Ronin network in historic DeFi heist

The vast majority of the loot is still in the perpetrator’s wallet.

Hackers make off with $625 million from Axie Infinity’s Ronin network in historic DeFi heist
[Source Image: Axie Infinity; iStock]

Axie Infinity, a play-to-earn video game that pays out cryptocurrency to players who mint NFTs of fluffy-looking but fierce battle creatures, is fighting a massive hack in which thieves stole over $625 million in USDC and ETH.

advertisement

The hack—which is the biggest yet in the history of DeFi—came through an exploit of the Ronin Network, which powers the mega-popular Axie Infinity game developed by Sky Mavis. According to a Substack post from Ronin, Sky Mavis’s Ronin chain includes nine validator nodes that control transactions, and signatures from five of them are required to approve crypto deposits or withdrawals. Hackers commandeered four of those, as well as a third-party validator run by Axie DAO, to snatch 173,600 ETH and 25.5 million USDC.

The backdoor for the attack originated in November 2021—when Sky Mavis enlisted Axie DAO to help process gas-free transactions amid a user overload—and the hack occurred last Wednesday, according to Ronin. It was discovered Tuesday, after a user reported being unable to withdraw 5,000 ETH from the Ronin bridge.

In response, Ronin has halted its bridge and Katana Dex, an automated market maker, amid the investigation. The vast majority of the loot is still in the hacker’s wallet, and Ronin says it’s “working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds.” Moving forward, it says the threshold for validation will be raised to eight nodes.

advertisement
advertisement

In December, Axie Infinity reported it had over 8 million users and nearly 3 million daily active players. In February, it surpassed $4 billion in sales.

The recent heist beats the previous record of $611 million, which was stolen in August 2021 from cross-chain protocol Poly Network (which lets users swap tokens from one blockchain to another). Most of those funds were recovered and returned.

advertisement
advertisement