$625m exploit on Axie Infinity’s Ronin Network

Here’s how $625 million was stolen using 2 transactions on the most popular play-to-earn game.

Axie Infinity is a play-to-earn game

Axie Infinity is an online game developed by Vietnamese studio Sky Mavis. The game allows players to collect, breed, raise, battle and trade token-based creatures known as Axies. It uses an Ethereum-based token (called AXS), and rewards players for playing the game. The market cap of the token is approximately $4 billion as of today.

Migration to the Ronin network

In July 2021, the Sky Mavis team launched Ronin, a custom-built sidechain on Ethereum. The objective of the chain is to support instantaneous transaction confirmation, reduce gas fees and scale Axie Infinity.

Ronin’s validation method

The Ronin network relies on 9 validator nodes to reach consensus on transactions. This means that when a user makes a request to deposit or withdraw, at least 5 out of the 9 nodes need to verify that the request is legitimate. If someone can control the majority of these validator nodes, they can essentially approve “fake” transactions and steal crypto. Some of these validators are run by the parent company, Sky Mavis, and others by the DAO set up for the game, called AxieDAO.

How the attacker got access

The attacker managed to get control of 4 validators run by Sky Mavis, and one validator run by AxieDAO. To get access to the validators, one needs access to each validator’s private keys. The keys are decentralised (stored in different places) to prevent security breaches.

In November 2021, due to high user load, the Sky Mavis team requested AxieDAO to distribute free transactions. In order to do this, AxieDAO allowed Sky Mavis to sign transactions on its behalf. This means that AxieDAO became a “trusted party” for Sky Mavis. The distribution of free transactions stopped in December 2021, but access was not revoked.

Once the attacker got into the Sky Mavis systems, they were able to sign transactions using the trusted connection that was set up with AxieDAO. This allowed the attacker to control 5 nodes, and execute the stea
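The 5-of-9 rule and the unrevoked AxieDAO signing access can be checked together by counting how many validator signatures each operator can actually obtain, delegations included. The following is an added example, not code from Sky Mavis or from the original article; validator names, the four placeholder operators, exact dates and the function names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

THRESHOLD = 5  # approvals needed out of 9 validators, as described in the article

# Constructed layout: the article names 4 Sky Mavis validators and 1 AxieDAO
# validator; the other four operators are placeholders.
OWNERS = {"sm-1": "Sky Mavis", "sm-2": "Sky Mavis", "sm-3": "Sky Mavis",
          "sm-4": "Sky Mavis", "dao-1": "AxieDAO", "v-6": "operator-A",
          "v-7": "operator-B", "v-8": "operator-C", "v-9": "operator-D"}

@dataclass
class Delegation:
    validator: str                 # validator whose signature can be requested
    grantee: str                   # operator allowed to sign on its behalf
    granted: date
    needed_until: date             # when the business need ended
    revoked: Optional[date] = None

# Constructed days; the article gives only the months (Nov and Dec 2021).
FREE_TX = Delegation("dao-1", "Sky Mavis", date(2021, 11, 1), date(2021, 12, 31))

def effective_control(owners, delegations, today):
    """Map each operator to the validators it can obtain signatures from."""
    control = {}
    for validator, operator in owners.items():
        control.setdefault(operator, set()).add(validator)
    for d in delegations:
        if d.granted <= today and (d.revoked is None or today < d.revoked):
            control.setdefault(d.grantee, set()).add(d.validator)
    return control

def audit(owners, delegations, today, threshold=THRESHOLD):
    """Flag unrevoked delegations past their need and operators holding a quorum."""
    findings = []
    for d in delegations:
        if today > d.needed_until and (d.revoked is None or today < d.revoked):
            findings.append(f"stale delegation: {d.grantee} can still sign for {d.validator}")
    for operator, vals in sorted(effective_control(owners, delegations, today).items()):
        if len(vals) >= threshold:
            findings.append(f"quorum risk: {operator} alone reaches {len(vals)}/{len(owners)}")
    return findings

if __name__ == "__main__":
    for line in audit(OWNERS, [FREE_TX], date(2022, 3, 1)):  # constructed audit date
        print(line)
```

With the delegation revoked when the free-transaction programme ended, the same audit returns no findings, because Sky Mavis is back to 4 of 9.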

Going forward

Let’s hope the attackers are caught and the Axie Infinity ecosystem is safe. These attacks are horrible for web3 and crypto. The Axie Infinity team is working with authorities and their investors to overcome this.