Axie Infinity sidechain Ronin Network has suffered a hack that has so far resulted in the loss of 173,600 Ethereum and 25 million USDC, currently worth about $625 million.
Ronin was built specifically to be a scaling solution to enable cheaper fees and faster transactions for Axie Infinity.
“There has been a security breach on the Ronin Network,” the team wrote in a blog post.
According to Ronin, on March 23rd, an attacker managed to get control over the private keys for its validator nodes and the nodes for the Axie Infinity Decentralized Autonomous Organization (DAO). The bad actor then used the keys to forge fake withdrawals, which weren’t noticed until a user reported not being able to withdraw 5,000 ETH from the platform’s bridge.
The attacker apparently found a weakness stemming from November of last year when Sky Mavis, the company behind Axie Infinity, requested help from the Axie DAO to distribute free transactions due to an overload of users. Sky Mavis was only supposed to be able to sign transactions on the DAO’s behalf temporarily, but allowlist access was not properly revoked. This meant the attacker was able to use Sky Mavis as a backdoor to access The Ronin bridge and Katana Dex.
“We have temporarily paused the Ronin Bridge to ensure no further attack vectors remain open,” the team said.
“Binance has also disabled their bridge to/from Ronin to err on the side of caution. The bridge will be opened up at a later date once we are certain no funds can be drained.”
At the time of writing, the funds still sit in the hacker’s Ethereum wallet, and Ronin is working with Chainalysis and other authorities to track down the lost crypto.
“We are working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed. All of the AXS, RON, and SLP on Ronin are safe right now.”
So far, Ronin (RON) is down 24% on the news while Axie Infinity (AXS) has dipped 8%.