Axie Infinity is the biggest play-to-earn gaming platform, rewarding users for playing its games.
Ronin Network, also owned by Sky Mavis, the Vietnamese parent company behind Axie Infinity, allows players to exchange the digital coins they earn in Axie Infinity for other cryptocurrencies such as Ethereum.
On March 29th, a newsletter from the Ronin Network stated that 173,600 ETH and 25.5 million USDC, worth nearly $620 million, had been drained after attackers managed to compromise five validator signatures.
How the Ronin network works:
Sky Mavis’ Ronin chain currently consists of nine validator nodes. To recognize a Deposit event or a Withdrawal event, five of the nine validator signatures are needed. The attacker managed to gain control of Sky Mavis’ four Ronin validators and a fifth, third-party validator run by the Axie DAO.
About the attack:
The hack traces back to November 2021, when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This arrangement was discontinued in December 2021, but the allowlist access was never revoked.
Once the attacker gained access to Sky Mavis’ systems, they were able to obtain the signature of the Axie DAO validator through the still-allowlisted gas-free RPC, giving them the fifth signature needed.
While the investigation is ongoing, at this point Ronin is certain that this was an external breach. All evidence points to this attack being socially engineered rather than exploiting a technical flaw.
Key security takeaways:
1. Social engineering awareness and prevention of social engineering attacks.
2. Appropriate revocation strategies should be implemented for DAO-voted functions and permissions: access granted for a temporary need must be removed as soon as that need ends.
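As an added illustration (not Sky Mavis or Ronin code) of the five-of-nine approval rule above and of takeaway 2, the following Python model shows how four compromised validator keys plus one stale, never-revoked signing delegation reach the threshold, while the same grant revoked or time-bounded does not. Validator names, the operator-rpc-signer key and the dates are hypothetical.

```python
from datetime import datetime
# Constructed model (not Sky Mavis code) of the approval rule described above:
# nine validators, and a withdrawal needs signatures from five distinct ones.
VALIDATORS = {f"validator-{i}" for i in range(1, 10)}  # hypothetical names
THRESHOLD = 5

class Bridge:
    def __init__(self):
        # validator -> (delegate allowed to sign on its behalf, expiry or None)
        self.delegations = {}

    def grant(self, validator, delegate, expires_at=None):
        self.delegations[validator] = (delegate, expires_at)

    def revoke(self, validator):
        self.delegations.pop(validator, None)

    def signatures_obtainable(self, controlled, now):
        """Validators whose signature an actor holding `controlled` keys can produce."""
        signers = {k for k in controlled if k in VALIDATORS}
        for validator, (delegate, expires_at) in self.delegations.items():
            if delegate in controlled and (expires_at is None or now < expires_at):
                signers.add(validator)
        return signers

    def withdrawal_approved(self, controlled, now):
        return len(self.signatures_obtainable(controlled, now)) >= THRESHOLD

# Keys an intruder holds after compromising one operator that runs four validators
# plus the signing key behind its gas-free RPC (hypothetical key names).
COMPROMISED = {"validator-1", "validator-2", "validator-3", "validator-4", "operator-rpc-signer"}
DEC_2021, MAR_2022 = datetime(2021, 12, 31), datetime(2022, 3, 29)

def stale_allowlist():
    """Open-ended delegation granted for the emergency and never revoked."""
    bridge = Bridge()
    bridge.grant("validator-5", "operator-rpc-signer")  # the third-party validator
    return bridge

def revoked_allowlist():
    """Same grant, revoked when the emergency ended."""
    bridge = stale_allowlist()
    bridge.revoke("validator-5")
    return bridge

def expiring_allowlist():
    """Same grant, but bounded to the period it was needed for."""
    bridge = Bridge()
    bridge.grant("validator-5", "operator-rpc-signer", expires_at=DEC_2021)
    return bridge
```

Calling `withdrawal_approved(COMPROMISED, MAR_2022)` on each bridge returns True only for the stale allowlist; the revoked and expiring variants leave the intruder one signature short.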