Crypto Hacker Siphons $625 Million From Axie Infinity's Ronin Sidechain

Sky Mavis, the company behind the popular blockchain game Axie Infinity, announced it was the target of a $625 million hack. Taking advantage of vulnerabilities in the Ronin sidechain implementation, the hacker has shimmied away with around 173,600 ETH (valued at $594.6 million) and $25.5 million in U.S. dollars. Experts expect this to be one of the biggest hacks in the relatively short-lived history of cryptocurrency when all cards hit the proverbial table, but it's far from the first.

Axie Infinity is so popular that it's the number one marketplace for NFT collectibles. That puts it ahead of famous marketplaces such as OpenSea, which saw the introduction of the popular Bored Ape Yacht Club (BAYC) NFTs — of which the least expensive one currently goes for ~130 ETH ($356K).

Sidechains (also referred to as L2 chains) are solutions built alongside L1 chains such as Bitcoin, Ethereum and Algorand. These solutions help skirt blockchain congestion by offloading transactions that would occur on the L1 chain to the speedier, usually custom-built sidechains. Also known as Bridges or Wormholes, these allow users to bring their L1 chain funds (in this case, Ethereum) to other blockchain ecosystems. Crypto moved to these chains is locked as collateral, and an equivalent value is minted in whatever token the chain uses to operate. Being relatively stationary targets whose locked value tends to only increase over time, Bridges are particularly attractive targets for bad actors.

The exploit was carried out by first hitting the Ronin sidechain. The Ronin sidechain functions much like other cryptocurrencies, with trusted nodes validating transactions. However, it is still subject to 51% attacks: should more than half of the network's validators be compromised, attackers can write whatever transactions they want to the chain, and those transactions will be confirmed by the majority of the (hacked) validators.

In this case, Ronin had only nine validator nodes, of which the attacker compromised five. This was more than enough to divert ungodly amounts of funds. It is a major reason why decentralization is such an essential factor for blockchain technology: The more nodes, and the more decentralized, the higher the difficulty of performing attacks such as these (at least theoretically).

Sky Mavis swiftly locked all network transactions and has increased the validation requirements from five nodes to eight nodes out of the full nine as a stopgap for any similarly exploitable vulnerabilities that still haven't been plugged. The Ronin Bridge remains inoperable, and other chains (such as Binance) have already disabled their own bridges to Ronin.
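
The five-of-nine and eight-of-nine approval thresholds described above can be seen in a quorum check for a bridge withdrawal. This is an added example, not Sky Mavis or Ronin code: HMAC tags stand in for validator signatures, and the validator ids, keys and withdrawal message are constructed for illustration.

```python
import hashlib
import hmac

# Constructed validator set: nine ids with made-up HMAC keys standing in
# for real signing keys (an assumption; the article gives no key details).
VALIDATORS = {f"v{i}": f"demo-key-{i}".encode() for i in range(1, 10)}


def sign(validator_id, message, keys=VALIDATORS):
    """Produce one validator's approval tag for a withdrawal message."""
    return hmac.new(keys[validator_id], message, hashlib.sha256).hexdigest()


def count_valid_approvals(message, approvals, keys=VALIDATORS):
    """Count distinct known validators whose tag verifies for message."""
    seen = set()
    for validator_id, tag in approvals:
        key = keys.get(validator_id)
        if key is None or validator_id in seen:
            continue  # unknown signer or repeated approval: never counted
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            seen.add(validator_id)
    return len(seen)


def withdrawal_authorized(message, approvals, threshold, keys=VALIDATORS):
    """True only if at least `threshold` distinct validators approved."""
    if not 1 <= threshold <= len(keys):
        raise ValueError("threshold must be between 1 and the validator count")
    return count_valid_approvals(message, approvals, keys) >= threshold


# Constructed withdrawal message approved with five of the nine keys.
MESSAGE = b"withdraw:constructed-example"
FIVE = [(v, sign(v, MESSAGE)) for v in ("v1", "v2", "v3", "v4", "v5")]

if __name__ == "__main__":
    print("5-of-9:", withdrawal_authorized(MESSAGE, FIVE, 5))
    print("8-of-9:", withdrawal_authorized(MESSAGE, FIVE, 8))
```

The same five approvals that satisfy a five-of-nine policy fall short of eight-of-nine, and replaying them or adding approvals from unknown signers does not raise the count.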

"We are in touch with security teams at major exchanges and will be reaching out to all in the coming days," the company said. "We are in the process of migrating our nodes, which is completely separated from our old infrastructure."

Sky Mavis also announced that it's working with Chainalysis to monitor the stolen funds, which currently appear to be sitting idly in the identified attacker's wallet. Unfortunately, that could be the case for a while. In all likelihood, and considering the apparent silence from the hackers, Sky Mavis won't have the same luck as L2 chain Polygon, which saw an equally impressive $611 million hack in August of 2021. Almost the entirety of the stolen funds was later returned, but not before the hacker compared himself to Batman.

Francisco Pires
Freelance News Writer

Francisco Pires is a freelance news writer for Tom's Hardware with a soft side for quantum computing.

  • InvalidError
    A block chain with only 9 validator nodes? Sounds like a recipe for a relatively trivial 51% attack. No wonder it got owned.