$625 000 000 USD

MARCH 2022

GLOBAL

AXIE INFINITY

DESCRIPTION OF EVENTS

"Axie Infinity is an NFT-based online video game developed by Vietnamese studio Sky Mavis, which uses Ethereum-based cryptocurrency AXS (Axie Infinity Shards) and SLP (Smooth Love Potion)." The "Axie Infinity game universe [is] filled with fascinating creatures, Axies, that players can collect as pets. Players aim to battle, breed, collect, raise, and build kingdoms for their Axies. The universe has a player-owned economy where players can truly own, buy, sell, and trade resources they earn in the game through skilled-gameplay and contributions to the ecosystem."

 

"There are and will be many varied games experiences for Axies. Many of them will have players compete with each other using complex strategies and tactics to attain top rankings or be rewarded with coveted resources. Others will have them complete quests, defeat bosses, and unlock in-depth storylines."

 

"Ronin is a blockchain protocol linked to Axie Infinity, a popular play-to-earn game with $4 billion in NFT sales that sees over 2.8 million players logging on each day."

 

"The developer behind @AxieInfinity built a 'side chain' (the @Ronin_Network)." "The side chain had nine so-called validator nodes, which are proof-of-stake tools that confirm transactions. At least five are necessary to approve each transaction. Sky Mavis oversaw five, and Axie Decentralized Autonomous Organization controlled four. Sky Mavis said it discontinued its agreement with the DAO in December but never revoked the permissions it allowed."

 

"Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed." "[B]ack [in] November 2021 Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked." "The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but [there was] a backdoor through [a] gas-free RPC node, which [could be] abused to get the signature for the Axie DAO validator."

 

"Ronin said in a Tuesday blog post that the attacker stole roughly $625 million in crypto, draining 173,600 ether and 25.5 million USDC." "There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions (1 and 2). The attacker used hacked private keys in order to forge fake withdrawals." "The Sky Mavis team discovered the security breach on March 29th, after a report that a user was unable to withdraw 5k ETH from the bridge."

 

"The hacker took over four of Sky Mavis' validator nodes and one from Axie DAO, enabling access to the crypto and eventually the massive theft. Sky Mavis said it has since replaced all of its validators and is working to reimburse the stolen funds."

 

"The attacker used hacked private keys in order to forge fake withdrawals." "Five validator private keys were hacked; 4 Sky Mavis validators and 1 Axie DAO." "Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC. We have confirmed that the signature in the malicious withdrawals match up with the five suspected validators."

 

Funds stolen in the crypto hack include "deposits of players and speculators and the Axie Infinity Treasury revenue," Larsen said. "The heist, which wasn't detected until almost a week after it occurred, is believed to be one of the biggest in the history of crypto and highlights the sector's immense risks."

 

"The easiest way to look at this is like the bridge is the bank for the Ronin Network," Larsen said. "The heist that happened took out all the ETH and USDC. So the ETH/USDC on Ronin Network is not currently backed by anything. But we are looking at other options."

 

"We moved swiftly to address the incident once it became known and we are actively taking steps to guard against future attacks. To prevent further short term damage, we have increased the validator threshold from five to eight. We are in touch with security teams at major exchanges and will be reaching out to all in the coming days. We are in the process of migrating our nodes, which is completely separated from our old infrastructure."

 

"We have temporarily paused the Ronin Bridge to ensure no further attack vectors remain open. Binance has also disabled their bridge to/from Ronin to err on the side of caution. The bridge will be opened up at a later date once we are certain no funds can be drained."

 

"Most of the stolen funds remain in the attacker's address, but about 6,250 ether has been transferred to a slate of other addresses." "Binance has resumed withdrawals for Axie Infinity Shards (AXS) and Smooth Love Potion (SLP)."

 

"We are working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed," Ronin Network wrote. "The attacker used hacked private keys in order to forge fake withdrawals."

 

"Max Galka, CEO of crypto forensics firm Elementus, pointed to the lapsed DAO deal as a major oversight, noting that vulnerabilities arise when cryptocurrencies are stored in side chains rather than native blockchains." "The hacker exploited a key oversight here to drain millions in tokens, said @galka_max, CEO of @elementus_io. (@BusinessInsider)" "@galka_max pointed to the lapsed DAO deal as a major mistake, noting that vulnerabilities arise when cryptocurrencies are stored in side chains rather than native blockchains. (@BusinessInsider, @MktsInsider)" "They never removed what was meant to be a temporary measure. It was an outright error," he told Insider.

 

"It was pure human error," @amber_ghaddar said. "If consumers aren't protected from things like this, the industry is going to fail," she said. (@BusinessInsider)

 

"It's a cybersecurity issue, not a cryptocurrency issue," @ARedbord said. "The government is calling for crypto regulation, but really what would help is a hardening of cyberdefenses, rather than focusing on crypto." (@BusinessInsider)

 

"Solutions could include funding for additional intelligence tools as well as more robust and pervasive cybersecurity networks, @trmlabs said. @amber_ghaddar added that educational outreach could be beneficial too. (@BusinessInsider)"

 

"We need to focus on building out a trust layer in the crypto economy—anti-money laundering infrastructure, compliance controls, cybersecurity—so that people will interact with this new online financial system," @ARedbord said.

 

"Sky Mavis announced a 150 million USD funding round led by Binance with participation from Animoca Brands, a16z, Dialectic, Paradigm. The round combined with Sky Mavis and Axie balance sheet funds, will be used to ensure that all users affected by the Ronin Validator Hack will be reimbursed. The Ronin Network bridge will open once it has undergone a security upgrade and several audits, which can take several weeks. Sky Mavis is in the process of implementing rigorous internal security measures to prevent future attacks."

 

"The 56,000 ETH compromised from the Axie DAO treasury will remain undercollateralized as Sky Mavis works with law enforcement to recover the funds. If the funds are not fully recovered within two years, the Axie DAO will vote on next steps for the treasury. We believe that Axie will go down in history as the first game to imbue players with true digital property rights and recent events have only strengthened this conviction."

 

"Moving forward, the [multisig] threshold will be eight out of nine. We will be expanding the validator set over time, on an expedited timeline."

 

"The last 8 days have been the hardest stretch of our four-year journey. Thank you for your bravery, kindness, prayers, and words of support. You’ve been a constant source of energy and inspiration for us as we’ve worked tirelessly to resolve the Ronin breach."

 

"Binance, the world's largest cryptocurrency exchange, has recovered nearly $6 million from a North Korean group suspected to be behind a $620 million hack of the popular play-to-earn game Axie Infinity."

 

"The DPRK hacking group started to move their Axie Infinity stolen funds today. Part of it made to Binance, spread across over 86 accounts. $5.8M has been recovered," he wrote, referring to the Democratic People's Republic of Korea.

Axie Infinity is a play-to-earn game with $4b in NFT sales. Rather than set up a proper multi-signature wallet, the keys were split between a small number of validators, and additional access was available for someone who no longer needed it. A hacker managed to gain access to 5 of the 9 keys and made off with $625m worth of Ethereum and USDC.

HOW COULD THIS HAVE BEEN PREVENTED?

A proper multi-signature storage setup has all keys offline and held by separate individuals. Storing all funds in a hot wallet setup with limited independence between the validators is significantly less secure, as was demonstrated here.
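
The independence problem can be checked mechanically. The following is an added example, not code from Sky Mavis or from this page: it counts how many distinct parties must be compromised to reach the signature threshold once unrevoked signing grants are taken into account. The operator labels `op-A` to `op-D`, the grant's exact end date, and all function names are assumptions; the 4 + 1 split, the 5-of-9 and 8-of-9 thresholds, and the March 23rd date come from the quotes above.

```python
from datetime import date
from itertools import combinations

# Constructed inventory: nine validators, four run by Sky Mavis, one by the
# Axie DAO; op-A..op-D are placeholder operators for the remaining four.
VALIDATORS = {
    "v1": "Sky Mavis", "v2": "Sky Mavis", "v3": "Sky Mavis", "v4": "Sky Mavis",
    "v5": "Axie DAO", "v6": "op-A", "v7": "op-B", "v8": "op-C", "v9": "op-D",
}
# The allowlist grant: no longer needed after December 2021, never revoked.
# The exact day is a constructed value.
ALLOWLIST = [
    {"validator": "v5", "grantee": "Sky Mavis",
     "needed_until": date(2021, 12, 31), "revoked": False},
]

def signing_reach(validators, allowlist):
    """Map each party to the validators it can obtain signatures from."""
    reach = {}
    for vid, operator in validators.items():
        reach.setdefault(operator, set()).add(vid)
    for grant in allowlist:
        if not grant["revoked"]:  # an unrevoked grant still signs, needed or not
            reach.setdefault(grant["grantee"], set()).add(grant["validator"])
    return reach

def min_parties_for_quorum(validators, allowlist, threshold):
    """Fewest parties whose compromise yields `threshold` distinct signatures."""
    reach = signing_reach(validators, allowlist)
    for k in range(1, len(reach) + 1):
        for parties in combinations(reach, k):
            if len(set().union(*(reach[p] for p in parties))) >= threshold:
                return k, parties
    return None, ()

def stale_grants(allowlist, today):
    """Grants whose purpose has ended but which remain usable."""
    return [g for g in allowlist
            if not g["revoked"] and g["needed_until"] < today]

if __name__ == "__main__":
    today = date(2022, 3, 23)
    for g in stale_grants(ALLOWLIST, today):
        print(f"STALE: {g['grantee']} can still sign as {g['validator']}")
    for threshold in (5, 8):
        k, who = min_parties_for_quorum(VALIDATORS, ALLOWLIST, threshold)
        print(f"{threshold}-of-9: {k} party(ies) suffice, e.g. {who}")
```

With the stale grant in place, a 5-of-9 threshold is reachable through a single party; revoking the grant raises that to two, and the 8-of-9 threshold raises it further.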

 


Sources And Further Reading

A hacker just stole over $600 million in crypto. Experts explain the historic swindle — and why cyberattacks shouldn't discourage adoption of digital assets. (Apr 4)
Axie Infinity Hack Shouldn't Discourage Crypto Adoption, Experts Say (May 21)
One of the Largest Crypto Hacks Ever Hits Ronin Network (May 21)
https://roninblockchain.substack.com/p/community-alert-ronin-validators (May 21)
North Korea Designation Update | U.S. Department of the Treasury (May 21)
https://axie.substack.com/p/funding (May 21)
https://etherscan.io/tx/0xc28fad5e8d5e0ce6a2eaf67b6687be5d58113e16be590824d6cfa1a94467d0b7 (May 21)
https://etherscan.io/tx/0xed2c72ef1a552ddaec6dd1f5cddf0b59a8f37f82bdda5257d9c7c37db7bb9b08 (May 21)
https://etherscan.io/address/0x098b716b8aaf21512996dc57eb0615e2383e2f96 (May 21)
Victims of $600 Million Crypto Heist Will Be Reimbursed: Report (May 21)
Binance Seizes $5.8 Million From $620 Million Axie Infinity Hack (May 21)
@cz_binance Twitter (May 21)
@philrosenn Twitter (May 21)
Axie Infinity - Wikipedia (May 21)
https://axieinfinity.com/ (May 21)
Axie Infinity - Axie Infinity (May 21)
Trezor Issues Data Breach Warning As Users Cite Phishing Attacks (May 21)
The LUNA and UST crash — WTF happened? Will they recover? | The Market Report - YouTube (Jun 18)
The LUNA and UST crash — WTF happened? Will they recover? | The Market Report - YouTube (Jun 20)
Bored Ape Yacht Club Instagram, Discord Hacked, NFTs Worth $13.7 Million Stolen | Technology News (Jun 20)
The Crypto World Is on Edge After a String of Hacks - The New York Times (Nov 30)
How North Korea Used Crypto to Hack Its Way Through the Pandemic - The New York Times (Nov 30)
Timeline of Cyber Incidents Involving Financial Institutions - Carnegie Endowment for International Peace (Dec 12)


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.