Axie Infinity Loses $625 Million In Biggest DeFi Hack On Record

Attack Started One Week Ago

Sky Mavis – the studio behind Axie Infinity – said the attack started on March 23, almost a week before being noticed yesterday, when a user was unable to withdraw 5k ETH from the bridge. The company is now reportedly in talks with several government agencies to identify the exploiter.

The attack occurred after four Ronin validators and one Axie DAO third-party validator were compromised:

Sky Mavis’s Ronin chain currently consists of nine validator nodes. In order to recognise a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin validators and a third-party validator run by Axie DAO. 

Ronin Network statement

The attacker drained US$25 million USDC and 173.600 ETH (nearly US$600 million) from the bridge that connects Ronin with the Ethereum mainnet by using “hacked private keys” to execute the exploit. In doing so, they were able to forge two fake withdrawals (transactions 1 and 2) and steal the funds.

Biggest Hack in Crypto History by Now

This is now the largest hack in crypto history, narrowly exceeding last year’s US$600 million Poly Network hack, but still significantly larger than the US$326 million Solana wormhole hack earlier this year.

Sky Mavis is said to be working with Chainalysis to monitor the stolen funds, most of which are still in the hacker’s wallet. Additionally, the company stated that it would migrate its entire node infrastructure, so it might take a while for things to get up and start running again. Also, as a result of the attack, both Ronin and Katana DEX are temporarily halted to avoid further attack vectors.

Jeff Zirlin, co-founder of Sky Mavis, described the hack as “one of the biggest in history” at the recent NFT LA conference: