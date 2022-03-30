REPORTS are calling it the largest crypto hack in history.

Hackers exploited a loophole in the nodes operated by Axie Infinity developer Sky Mavis and the Axie DAO (decentralized autonomous organization) to “drain” 173,600 Ethereum and 25.5 million USD Coin from the Ronin blockchain that underpins the popular play-to-earn game.

An Axie Infinity player pointed out that, at the time of the hack, the Ethereum exchange rate meant that hackers were able to make off with a total of $552,025,328 (or at least P28 billion). Most reports, however, peg the lost amount anywhere from $600 million to a high of $625 million.

How did this happen?

First, a definition of terms. A blockchain is a network of computers that enables NFTs, as it secures the authenticity and uniqueness of each of these non-fungible tokens. Last year, Sky Mavis built its own Ronin “sidechain” to facilitate transactions within Axie Infinity, which had been originally been built atop the now-congested Ethereum blockchain.

Like other blockchains, Ronin is secured by “validator nodes”, ostensibly to prevent hacks like these from happening. These validator nodes cross-check information on the blockchain to ensure that all the information is accurate.

But as Sky Mavis explained in its statement published on Substack, “The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO.”

It continued, “[T]he attacker found a backdoor through our gas-free RPC [remote procedure call] node, which they abused to get the signature for the Axie DAO validator.”

Hackers get control of validator nodes linked to Axie Infinity

As explained in Venture Beat, Ronin only requires five validator “signatures” to authorize deposits and transactions. By getting control over these validators, the attackers could create fake transactions and siphon funds from the network.

The developer traced the exploit to last November, when it brought in the Axie DAO to help facilitate a large number of free transactions. While this was discontinued just a month after, the “allowlist” access was overlooked.

The hackers then withdrew large amounts of Ethereum and USDC cryptocurrency across two transactions, which Sky Mavis only detected last night — almost a week after it happened — when a user complained that they were unable to withdraw 5,000 Ethereum from the Ronin network.

Sky Mavis quickly locked down operations on the Ronin bridge (which connects to other blockchains) and the Katana decentralized exchange (which facilitates exchanges of the different currencies and tokens within Axie Infinity).

“We are working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed,” it said.

“All of the AXS, RON, and SLP on Ronin are safe right now.”

