The theft was discovered several days later, raising questions about the vulnerabilities of decentralized finance (DeFi).
The cryptocurrency world was rocked after Ronin, the blockchain underlying Axie Infinity, said hackers had stolen roughly $625 million from the play-to-earn online game.
Ronin announced the security breach in a blog post, saying 173,600 ethereum and 25.5M USDC had been drained from the Ronin bridge in two transactions.
‘This is Our Top Priority Now.’
Bridging is where assets are locked on one blockchain and then replicated on another blockchain. The attacker used hacked private keys in order to forge fake withdrawals.
The heist occurred on March 23, but Sky Mavis, a Vietnamese studio that developed Axie Infinity, discovered the breach on Tuesday after a user was unable to withdraw 5,000 ETH from the bridge.
Sky Mavis’ Ronin chain currently consists of 9 validator nodes, the post said. In order to recognize a deposit or a withdrawal, five out of the nine validator signatures are needed.
The attacker managed to get control over Sky Mavis’s four Ronin validators and a third-party validator run by Axie DAO, or decentralized autonomous organization.
“ETH and USDC deposits on Ronin have been drained from the bridge contract,” the blog post said. “We are working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds. This is our top priority right now.”
Ronin Bridge was paused to ensure no further attack vectors remain open.
“Sky Mavis is here for the long term and will continue to build,” the post said.
Binance, the largest cryptocurrency exchange in the world, has also disabled their bridge to and from Ronin “to err on the side of caution.”
“The bridge will be opened up at a later date once we are certain no funds can be drained,” the post said.
‘An Intense 36 Hours’
“Been an intense 36 hours,” Aleksander Leonard Larsen, Sky Mavis’ co-founder and chief operating officer, tweeted. “Been working with the Sky Mavis board and key cybersecurity personnel to get a complete overview of the situation.”
“Our internal network is currently going through a deep forensics review to ensure there is no lingering threat,” he added.
Larsen said that the hack was an engineering attack combined with a human error from December 2021.
“We are committed to ensuring that all of the drained funds are recovered or reimbursed, and we are continuing conversations with our stakeholders to determine the best course of action,” he said in a follow-up tweet.
The heist sparked a barrage of comments on social media.
“WOW, didn’t expect to wake up to a $600M hack,” one person tweeted. “The Hacker exploited the ‘ronin bridge’ which axie infinity runs on. The stole 25M USDC and 173K eth. Absolutely devastating.”
“Hackers will end DeFi,” another person said. “This needs to stop.”
One commenter noted last month’s Wormwood heist, where hackers made off with cryptocurrencies valued at more than $323 million from the DeFi protocol that links blockchain Solana with other decentralized blockchain networks.
“As we saw with the Wormhole exploit a few weeks ago, bridges are easy targets,” the person tweeted.
As far as the impact on the crypto world, Simon Vieira, CEO and game producer of Mixmob, said “great industries are built from trial and error.”
“Cars didn’t have seatbelts before,” he said. “The construction industry didn’t have safety and security codes — all of that evolved from people building. Although what happened today hurts, the industry will be stronger as a consequence.”
‘Hacked for Big Sums’
Egor Volotkovich, the executive director of cross-chain solutions EVODeFi, said that “DeFi bridges are constantly being hacked for big sums and you have to have centralization of some elements in order to protect yourself from permanent hacks.”
“That the Axie Infinity Ronin Bridge’s hack was discovered after about 6 days also lends credence to the frailty of the DeFi ecosystem in terms of the security check and balances available in the broader ecosystem,” he said. “The hack notably showcases that the notion that blockchain technology is secure is false, and can be extremely prone to exploitation if adequate security measures are not put in place.”
“Crosschain bridge has proved to be vulnerable and that’s why team should consider building parachains on Polkadot,” said Yubo Ruan, founder of Parallel Finance. “Polkadot provides XCM – a native channel for cross chain transfer and messaging.”
Multi-chain requires projects to exist on at least two blockchains at the same time. Cross-chain aims to enable the seamless exchange of information between blockchains.
Jimmy Yin, co-founder at iZUMi Finance, said that “multichain is the trend, while cross-chain infrastructure is weak.”
“‘Swap’ acts in atomic token exchange that makes it much safer than ‘bridge’ actions with interoperability,” he said.
Vitalik Buterin, co-founder of ethereum tweeted in January that “the future will be multi-chain,” not cross-chain.
“There are fundamental limits to the security of bridges that hop across multiple ‘zones of sovereignty’,” he said.
Last year, Sky Mavis raised a $152-million Series B at a valuation of nearly $3 billion, putting it alongside some of the largest gaming companies in the world.