About $615 million in cryptocurrency has been stolen from the Ronin Network, the blockchain platform that runs the popular play-to-earn game Axie Infinity.
Approximately 173,600 Ethereum, currently valued at $590 million, was stolen, along with $25.5 million in USDC, Ronin said today. USDC is a stable coin pegged to the U.S. dollar. Based on the current exchange rate, the hack is the largest in decentralized-finance history, surpassing the theft of around $611 million from Poly Network in August.
According to the Ronin Network, the security breach was first detected today but dates back to March 23. On that day, Ronin validator nodes and Axie DAO validator codes were compromised. The attacker used hacked private keys to forge fake withdrawals. The compromise was discovered only after a user complained of being unable to withdraw 5,000 Ethereum from an account.
The access from the attack was though compromised validator signatures, the plural being the key. To recognize a deposit or withdrawal, five out of the nine validator signatures are needed. The attacker managed to obtain control over four signatures belonging to Sky Mavis Pte. Ltd., the parent company of Axie Infinity, and a third-party validator run by Axie DAO.
It’s an interesting compromise, since the system was designed to avoid a single validator key gaining access to the network, but the attacker still managed to find a way to obtain the five out of nine keys required.
The Ronin Network is actively taking steps to guard against future attacks, including increasing the validator threshold from five to eight. The network is also in touch with security teams at major exchanges and is working directly with government agencies “to ensure the criminals get brought to justice.”
What isn’t clear is whether the losses, presuming some or all of them cannot be recovered, will be covered. “We are in the process of discussing with Axie Infinity/Sky Mavis stakeholders about how to best move forward and ensure no users’ funds are lost,” the network said.
It’s not impossible that some or all of the funds could be recovered. It’s also not clear whether the hack was for personal greed or someone trying to prove a point about security.
When Poly Network was hacked in August, the person behind the compromise came forward and said that the motivation for the hack was “for fun” and that the funds were stolen to keep them safe. The hacker, going by the name of “Etherhood,” subsequently returned the stolen funds.
Ronin Network will be hoping that they may be facing a similar situation. As of now, no hacker or hacking group has come forward to claim responsibility.