A cryptocurrency firm used by gamers to transfer virtual coins has revealed that hackers stole hundreds of millions of dollars’ worth of currency from it.
Vietnamese blockchain game developer Sky Mavis created the Ronin Network to function as an Ethereum sidechain for its Axie Infinity game.
In practice, it allows users to transfer cryptocurrency in and out of the game.
Ronin Network only discovered the massive cyber-heist after a user complained yesterday that they could not withdraw funds from the bridge. The incident occurred a week ago.
It said an attacker compromised Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes and used hijacked private keys to forge fake withdrawals. This resulted in the theft of 173,600 Ethereum ($592m) and $25.5m from the Ronin bridge in two transactions.
“Sky Mavis’s Ronin chain currently consists of nine validator nodes. In order to recognize a deposit event or a withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin validators and a third-party validator run by Axie DAO,” Ronin Network explained in a blog post.
“The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.”
Ronin Network said it had paused its bridge functionality to ensure no further attack vectors are open, and it has increased the validator threshold from five to eight.
It is also working with analytics firm Chainalysis to monitor where the stolen funds go. It claimed “most” of the funds are still in the attacker’s wallet.