Axie Infinity NFT Game Used to Breach Ronin Network, Over $600 Million in Crypto Taken
A bridge between the Ronin network and the popular monster-battling game “Axie Infinity” was attacked in a way that essentially gave the hackers a blank check to approve transactions. They took full advantage of it, producing one of the largest losses ever for a crypto platform (and possibly the largest ever for a DeFi network) if the money is not recovered.
The hackers got away with at least $625 million in crypto funds, exploiting some inactive accounts with administrator privileges that were reportedly compromised via social engineering.
“Proof of stake” validation nodes exploited via dormant administrator accounts
Unlike Bitcoin, the Ronin network is secured by a set of nine validator nodes; taking over a majority of them allows an attacker to authorize transactions. The attackers did just that, taking over four of the nodes on the Ronin network and gaining the critical fifth through the NFT game.
The “proof of stake” validator node system has arisen as Bitcoin and other currencies have been criticized for the amount of energy they use, but, as this incident demonstrates, these systems have their own unique vulnerabilities. They are more susceptible to attacks coordinated by insiders, and they are constantly being probed from the outside by skilled hackers looking to steal millions worth of currency.
The latter seems to be the case in this theft, but the attackers did not exploit a vulnerability in code. Instead, it appears they socially engineered their way into being given access to dormant administrator accounts for the NFT game, accounts that had been created to help handle the surge in traffic as the game became highly popular in late 2021. Sources told the media that there was nothing wrong with the code, but also that the attack was not an inside job.
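The majority-of-validators model described above, and the dormant-account weakness that defeated it, can be made concrete with a small simulation. This is an added, constructed model, not Ronin or Sky Mavis code; the 30-day dormancy limit and the validator names are assumptions, and the 5-of-9 threshold is the only value taken from the article.

```python
"""Toy model of a threshold-validated bridge withdrawal (constructed example).

A withdrawal is released once a majority of the nine validators (five) have
signed it. The plain majority check is what the article describes; the
dormancy filter is the extra control this incident argues for: signatures
from validators that have not signed anything for a long time are not
counted, so reviving idle accounts with intact privileges is not enough.
"""
from dataclasses import dataclass

VALIDATOR_COUNT = 9
THRESHOLD = VALIDATOR_COUNT // 2 + 1   # majority: 5 of 9
MAX_DORMANT_DAYS = 30                  # assumed policy, not a Ronin setting


@dataclass(frozen=True)
class Validator:
    name: str
    days_idle: int   # days since this validator last signed anything


def authorize_withdrawal(validators, approving, enforce_dormancy):
    """Return (authorized, rejected_reasons) for one withdrawal request.

    `validators` is the full validator set; `approving` is the set of
    validator names whose signatures accompany the request.
    """
    by_name = {v.name: v for v in validators}
    counted, rejected = [], []
    for name in sorted(approving):
        v = by_name.get(name)
        if v is None:
            rejected.append(f"{name}: unknown validator")
            continue
        if enforce_dormancy and v.days_idle > MAX_DORMANT_DAYS:
            rejected.append(f"{name}: dormant for {v.days_idle} days")
            continue
        counted.append(name)
    return len(counted) >= THRESHOLD, rejected


def incident_scenario(enforce_dormancy):
    """Constructed scenario: five signatures reach the bridge, four of them
    from validators idle for ~100 days (accounts dormant since December)."""
    validators = ([Validator(f"dormant-{i}", 100) for i in range(1, 5)]
                  + [Validator(f"active-{i}", 1) for i in range(1, 6)])
    approving = {"dormant-1", "dormant-2", "dormant-3", "dormant-4", "active-1"}
    return authorize_withdrawal(validators, approving, enforce_dormancy)
```

With the plain majority count the five signatures authorize the withdrawal; with dormancy enforced the four stale signatures are discarded and only one counts, so the request is refused and the rejected signers are logged for investigation.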
The stolen funds, which mostly consisted of Ethereum with a much smaller amount of USD Coin mixed in, are likely gone for good unless the hackers can be convinced to return them to the Ronin network in exchange for a smaller amount as a reward. The publishers of the NFT game have begun raising funds in an attempt to reimburse users, with $150 million raised as of April 6.
NFT game made $1.3 billion in past year
Axie Infinity is the biggest NFT game on the market, surging in popularity in late 2021. Players purchase NFTs that represent their in-game monsters, commonly spending hundreds of dollars on each one (with the most expensive monsters ranging into the hundreds of thousands of dollars). The in-game assets were not stolen, but the bridge to the Ronin network that lets players pay for all of these things was exploited to allow direct access to stored crypto funds.
The attackers managed to gain access to accounts belonging to the NFT game that had been dormant since December 2021 but still retained their original privileges. Axie Infinity publisher Sky Mavis has said that it continues to work with law enforcement even as it raises funds with which to directly reimburse the victims.