$625m exploit on Axie Infinity’s Ronin Network
Here’s how $625 million was stolen using 2 transactions on the most popular play-to-earn game.
Axie Infinity is a play-to-earn game
Axie Infinity is an online game developed by Vietnamese studio Sky Mavis. The game allows players to collect, breed, raise, battle and trade token-based creatures known as Axies. It uses an Ethereum-based token (called AXS), and rewards players for playing the game. The market cap of the token is approximately $4 billion as of today.
Migration to the Ronin network
In July 2021, the Sky Mavis team launched Ronin, a custom-built sidechain on Ethereum. The objective of the chain is to support instantaneous transaction confirmation, reduce gas fees and scale Axie Infinity.
Ronin’s validation method
The Ronin network uses 9 validator nodes to reach consensus on transactions. This means that when a user makes a request to deposit or withdraw, at least 5 out of the 9 nodes need to verify that the request is legitimate. If someone can control the majority of these validator nodes, they can essentially approve “fake” transactions and steal crypto. Some of these validators are run by the parent company, Sky Mavis, and others by the DAO set up for the game called AxieDAO.
How the attacker got access
The attacker managed to get control of 4 validators run by Sky Mavis, and one validator run by AxieDAO. To get access to the validators, one needs access to each validator’s private keys. The keys are decentralised (stored in different places) to prevent security breaches.
In November 2021, due to high user load, the Sky Mavis team requested AxieDAO to distribute free transactions. In order to do this, AxieDAO allowed Sky Mavis to sign transactions on its behalf. This means that AxieDAO became a “trusted party” for Sky Mavis. The distribution of free transactions stopped in December 2021, but access was not revoked.
Once the attacker got into the Sky Mavis systems, they were able to sign transactions using the trusted connection that was set up with AxieDAO. This allowed the attacker to control 5 nodes, and execute the stea
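The 5-of-9 threshold and the unrevoked AxieDAO delegation described above can be checked with a small audit, shown here as an added example that is not code from Sky Mavis or the Ronin project. The validator ids, the operators other than Sky Mavis and AxieDAO, the exact dates and the record layout are constructed assumptions.

```python
from datetime import date

THRESHOLD = 5  # signatures required out of 9 validators, as stated in the article

# Constructed inventory: validator id -> operator. The article says Sky Mavis ran 4
# and AxieDAO ran 1 of the keys involved; the remaining operators are placeholders.
VALIDATORS = {
    "v1": "Sky Mavis", "v2": "Sky Mavis", "v3": "Sky Mavis", "v4": "Sky Mavis",
    "v5": "AxieDAO",
    "v6": "operator-A", "v7": "operator-B", "v8": "operator-C", "v9": "operator-D",
}

# Constructed delegation records: (grantor, grantee, purpose_ended, revoked).
# The article gives only the month (December 2021); the day is a placeholder.
DELEGATIONS = [("AxieDAO", "Sky Mavis", date(2021, 12, 31), False)]

def effective_control(validators, delegations):
    """Signatures each entity can produce: its own keys plus keys of any grantor
    whose delegation to it is still active (assumed non-transitive)."""
    own = {}
    for operator in validators.values():
        own[operator] = own.get(operator, 0) + 1
    reach = dict(own)
    for grantor, grantee, _ended, revoked in delegations:
        if not revoked:
            reach[grantee] = reach.get(grantee, 0) + own.get(grantor, 0)
    return reach

def audit(validators, delegations, threshold, today):
    """Return findings for stale delegations and single points of compromise."""
    findings = []
    for grantor, grantee, ended, revoked in delegations:
        if not revoked and ended < today:
            findings.append(f"STALE: {grantor} -> {grantee} still active, "
                            f"purpose ended {ended}")
    total = len(validators)
    for entity, n in sorted(effective_control(validators, delegations).items()):
        if n >= threshold:
            findings.append(f"SPOF: compromise of {entity} yields {n}/{total} "
                            f"signatures (threshold {threshold})")
    return findings

if __name__ == "__main__":
    # Constructed audit date, some time after the delegation's purpose ended.
    for finding in audit(VALIDATORS, DELEGATIONS, THRESHOLD, date(2022, 3, 1)):
        print(finding)
```

With the delegation marked as revoked, Sky Mavis's reach drops back to 4 of 9 and the audit reports nothing.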
Going forward
Let’s hope the attackers are caught and the Axie Infinity ecosystem is safe. These attacks are horrible for web3 and crypto. The Axie Infinity team is working with authorities and their investors to overcome this.