A total of 173,600 Ethereum (currently worth around $600 million) and $25.5 million in USDC was stolen from Ronin, the blockchain behind the popular crypto game Axie Infinity. Sky Mavis revealed the hack and froze transactions on the Ronin network's bridge, which is used for depositing and withdrawing funds from the company’s blockchain.
Axie Infinity is a play-to-earn game that uses Pokémon-style cartoon characters. These Axies cost around $25 each, and you need three of them to play. At the height of the game's popularity, a team cost around $1,000. Because of its play-to-earn feature, the game exploded in popularity, especially in the Philippines. Managers bought many teams and leased them out to “scholars”. The earnings potential, however, has dwindled since last year as the game's popularity started to decline.
Sky Mavis says it is working with law enforcement to recover the funds from the hacker, who withdrew them from the network in two transactions on March 23. The hacker used compromised private security keys to take over network nodes that validate transfers to and from the Ronin blockchain. The funds were then transferred to this wallet.
The centralized Ronin Bridge needs at least 5 out of 9 validator nodes to approve a transaction. The hack was possible because of a shortcut the company had taken last November to relieve an “immense user load” on its network. The permissions granted under that shortcut were never revoked, even though the DAO was discontinued last December. In addition to compromising four of Sky Mavis's private keys, the attacker used one to get access to the community-owned DAO, giving them the 5 of 9 validator nodes needed to approve the transaction and drain the bridge.
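A 5-of-9 threshold only protects the bridge if the nine keys are controlled independently. As an added illustration (not Sky Mavis's code; the validator IDs, operator names, the four independent key holders and the delegation record are constructed assumptions), this audit counts the validators each key holder can sign for, leftover permissions included, and reports the smallest number of operators whose compromise reaches the threshold.

```python
from collections import defaultdict
from itertools import combinations

def effective_control(validators, delegations):
    """Map each operator to the validators it can sign for.

    validators:  {validator_id: operator holding that validator's key}
    delegations: [(validator_id, delegate, active)]; an active entry lets
                 `delegate` sign on behalf of validator_id.
    """
    control = defaultdict(set)
    for vid, operator in validators.items():
        control[operator].add(vid)
    for vid, delegate, active in delegations:
        if active:  # a permission that was never revoked still counts
            control[delegate].add(vid)
    return dict(control)

def min_operators_to_breach(validators, delegations, threshold):
    """Smallest set of operators whose combined signatures meet the threshold.

    Brute force is fine: validator sets are small (nine here).
    Returns (count, operators) or None if the threshold is unreachable.
    """
    control = effective_control(validators, delegations)
    operators = sorted(control)
    for k in range(1, len(operators) + 1):
        for combo in combinations(operators, k):
            reachable = set().union(*(control[op] for op in combo))
            if len(reachable) >= threshold:
                return k, combo
    return None

# Constructed sample mirroring the article: one operator holds four keys,
# the DAO and four other parties hold one each (nine validators total).
VALIDATORS = {"v1": "operator-a", "v2": "operator-a", "v3": "operator-a",
              "v4": "operator-a", "v5": "dao", "v6": "org-c", "v7": "org-d",
              "v8": "org-e", "v9": "org-f"}
STALE = [("v5", "operator-a", True)]     # temporary permission left active
REVOKED = [("v5", "operator-a", False)]  # same permission after cleanup

if __name__ == "__main__":
    for label, delegs, t in [("5-of-9, stale delegation", STALE, 5),
                             ("5-of-9, delegation revoked", REVOKED, 5),
                             ("8-of-9, stale delegation", STALE, 8)]:
        count, ops = min_operators_to_breach(VALIDATORS, delegs, t)
        print(f"{label}: {count} operator(s) suffice -> {', '.join(ops)}")
```

With the stale permission in place a single operator meets the 5-of-9 threshold on its own; revoking it raises the count to two, and an 8-of-9 threshold raises it to four in this constructed set.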
What is interesting is that Sky Mavis only learned of the hack six days later, when a user attempted to withdraw 5,000 Ethereum (ETH) through the Ronin Bridge. The transaction failed because there was no liquidity left inside the bridge. Sky Mavis said on its Substack that the SLP and AXS in-game cryptocurrencies are not compromised.
To understand blockchain bridges, consider a casino. When you go to a casino, you trade your dollars for casino chips. The chips have value inside the casino, where you can use them to gamble or to buy things, because they are backed by the dollars held by the casino. Outside the casino, though, the chips are useless. When hackers drained all the ETH and USDC inside the bridge, it made all the users' ETH and USDC useless outside the Ronin ecosystem.
The Ronin Bridge was frozen right after the announcement. This has angered many managers and scholars, who are unable to cash out from the game. Sky Mavis says it is “working to make sure there is no loss of user funds”. The company also says that it will increase the required number of nodes to eight out of nine validators.
The price of RON, a token used on the Ronin blockchain, dropped about 22% after the hack was disclosed.