Axie Infinity, a play-to-earn video game that pays out cryptocurrency to players who mint NFTs of fluffy-looking but fierce battle creatures, is fighting a massive hack in which thieves stole over $625 million in USDC and ETH.
The hack—which is the biggest yet in the history of DeFi—came through an exploit of the Ronin Network, which powers the mega-popular Axie Infinity game developed by Sky Mavis. According to a Substack post from Ronin, Sky Mavis’s Ronin chain includes nine validator nodes that control transactions, and signatures from five of them are required to approve crypto deposits or withdrawals. Hackers commandeered four of those, as well as a third-party validator run by Axie DAO, to snatch 173,600 ETH and 25.5 million USDC.
The backdoor for the attack originated in November 2021—when Sky Mavis enlisted Axie DAO to help process gas-free transactions amid a user overload—and the hack occurred last Wednesday, according to Ronin. It was discovered Tuesday, after a user reported being unable to withdraw 5,000 ETH from the Ronin bridge.
In response, Ronin has halted its bridge and Katana Dex, an automated market maker, amid the investigation. The vast majority of the loot is still in the hacker’s wallet, and Ronin says it’s “working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds.” Moving forward, it says the threshold for validation will be raised to eight nodes.
In December, Axie Infinity reported it had over 8 million users and nearly 3 million daily active players. In February, it surpassed $4 billion in sales.
The recent heist beats the previous record of $611 million, which was stolen in August 2021 from cross-chain protocol Poly Network (which lets users swap tokens from one blockchain to another). Most of those funds were recovered and returned.