Crypto Gaming’s Biggest Success Story Scammed Out Of $833 Million

Pokémon-style NFT battler Axie Infinity was one of the biggest “success” stories in the world of crypto gaming. Now it’s responsible for one of the biggest thefts in the history of the technology. The gaming-focused blockchain Ronin Network announced earlier today that an Axie Infinity exploit allowed a hacker to “drain” roughly $US600 ($833) million worth of cryptocurrency from the network.

“There has been a security breach on the Ronin Network,” the company announced on its Substack. “Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions.”

The person responsible allegedly used hacked private keys to order the fraudulent withdrawals. How, you ask? According to Ronin, “the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.”

Basically, the Ronin “side-chain” for games like Axie Infinity uses “9 validator nodes” to prevent fraudulent transactions. However, in November, due to overwhelming demand by new Axie players, Ronin gave special privileges to Sky Mavis, the company behind the game, so it could sign transactions on its behalf.

Released back in 2018, Axie Infinity has exploded in popularity in certain quarters of the internet with the rise of NFTs and market speculation around blockchain gaming and the metaverse. Part critter collectathon, part deck building battle game, Axie Infinity claimed 1.8 million daily users last year, and broke $US4 ($6) billion in lifetime NFT sales earlier this year. Now it seems to have paid a price for its rapid growth, cutting security corners to rapidly service new users.

“The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf,” Ronin writes. “This was discontinued in December 2021, but the allowlist access was not revoked. Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC.”
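The security-relevant point in the two Ronin statements above is that a k-of-n validator threshold only protects against a single compromised organisation if the n signing keys are actually held by independent parties. A standing allowlist that lets one organisation produce another validator's signature shrinks the number of independent parties an attacker has to compromise, and it keeps doing so after the business reason for it has ended unless it is revoked. The following model, added here as an illustration and not code from Ronin or Sky Mavis, shows how to measure that margin and how a routine audit would have flagged the stale delegation. The article says only that Ronin used 9 validator nodes; the 5-of-9 threshold, the organisation names and the number of nodes each one operates are constructed assumptions.

```python
"""Model of a k-of-n validator bridge with signing delegation (an allowlist).

Added illustration, not Ronin or Sky Mavis code. The threshold (5 of 9) and
the per-organisation node counts are assumptions; the article only states that
the side-chain used 9 validator nodes and that the Axie DAO allowlisted Sky
Mavis to sign on its behalf without revoking that access afterwards.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Bridge:
    """A k-of-n multi-signature bridge: a withdrawal needs `threshold` validator signatures."""
    validators: dict[str, str]          # validator node -> organisation operating it
    threshold: int
    # validator node -> organisations allowlisted to produce that node's signature
    allowlist: dict[str, set[str]] = field(default_factory=dict)


def effective_control(bridge: Bridge, org: str) -> set[str]:
    """Nodes whose signature `org` can produce: its own nodes plus every node that allowlisted it."""
    return {
        node for node, owner in bridge.validators.items()
        if owner == org or org in bridge.allowlist.get(node, set())
    }


def can_withdraw_alone(bridge: Bridge, org: str) -> bool:
    """True if compromising just this one organisation's systems yields enough signatures."""
    return len(effective_control(bridge, org)) >= bridge.threshold


def min_orgs_to_compromise(bridge: Bridge) -> int:
    """Fewest distinct organisations whose combined keys reach the threshold (the real security margin)."""
    orgs = sorted(set(bridge.validators.values()))
    for k in range(1, len(orgs) + 1):
        for combo in combinations(orgs, k):
            controlled = set().union(*(effective_control(bridge, o) for o in combo))
            if len(controlled) >= bridge.threshold:
                return k
    return len(orgs)


def stale_delegations(bridge: Bridge, still_authorised: set[tuple[str, str]]) -> list[tuple[str, str]]:
    """Allowlist entries (node, delegate) that no current, documented authorisation justifies.

    `still_authorised` is the record of delegations that are meant to be live; anything in the
    on-chain allowlist but missing from that record is a leftover to revoke.
    """
    return sorted(
        (node, delegate)
        for node, delegates in bridge.allowlist.items()
        for delegate in delegates
        if (node, delegate) not in still_authorised
    )


def revoke(bridge: Bridge, node: str, delegate: str) -> None:
    """Remove one delegation; drop the node's allowlist entry when nothing is left in it."""
    delegates = bridge.allowlist.get(node, set())
    delegates.discard(delegate)
    if not delegates:
        bridge.allowlist.pop(node, None)


def build_scenario() -> Bridge:
    """Constructed scenario (assumed figures): 9 nodes, 4 run by one company, 1 by the DAO,
    4 by unrelated operators, threshold 5, and the DAO node allowlisting the company."""
    validators = {f"v{i}": "sky_mavis" for i in range(1, 5)}
    validators["v5"] = "axie_dao"
    validators.update({f"v{i}": f"other_{i}" for i in range(6, 10)})
    return Bridge(validators=validators, threshold=5, allowlist={"v5": {"sky_mavis"}})


if __name__ == "__main__":
    bridge = build_scenario()
    print("organisations needed with stale allowlist:", min_orgs_to_compromise(bridge))
    for node, delegate in stale_delegations(bridge, still_authorised=set()):
        print(f"revoking stale delegation {node} -> {delegate}")
        revoke(bridge, node, delegate)
    print("organisations needed after revocation:", min_orgs_to_compromise(bridge))
```

With the assumed figures, a single organisation's compromise is enough to reach the threshold while the delegation stands, and two are needed once it is revoked; `min_orgs_to_compromise` is the number worth monitoring, because the nominal 9-node count says nothing about how many independent key holders an attacker actually has to breach.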

Ronin has apparently locked down accounts while it continues its investigation into the hack, meaning no one can get their funds out even as the price of RON, the network’s native token, has reportedly plummeted more than 25%.

Weird how cryptocurrency networks, championed for their security and decentralization, keep getting burgled. Last August, a hacker made off with over $US600 ($833) million from the Poly Network, though many of the funds were later returned. In January, hackers withdrew more than $US30 ($42) million from Crypto.com in what the company initially referred to as a low-key “incident.” Most of those funds were restored as well. It remains to be seen what will happen with the latest massive crypto breach.

Comments

  • Yeah… If blockchain gaming is the ‘secure’ option, I really must be missing the weekly heists of billions of dollars worth of CSGO skins from Steam and such.

• Not defending NFT/Crypto/whatever. It is inherently secure though; they made it insecure by allowing a single point of transaction authorization.

Someone will correct me if I am wrong, but the whole point of the distributed chain is that the transaction authorization comes from different copies of the chain in different places. Turn that off and you have a single point of failure.

• Which is the fundamental flaw of using NFTs and Crypto in games or any product… you can’t put a decentralised element into centralised infrastructure such as a game, a server, an exchange, an asset, an investment fund, a marketplace or a physical medium etc. It ceases to be decentralised and is therefore instantly vulnerable and highly desirable, because it’s easy to secure the ill-gotten gains once removed from said centralised point.

Think about this: they stole more money than Musk and Bezos combined… and became the richest person on the planet, because account management in crypto is seriously flawed.

• Any gamer will tell you that our games are full of hackers, cheaters, scammers, con-artists… game security is terrible, especially with account hacks.

    To build a real money financial system on top of that is insane.

But to find out only one access key was needed to access a single account to take EVERYTHING is insane. Who approved that and why? Imagine running a bank or investment broker like that. That crypto does this unregulated and incompetent stuff every day is insane.
