Roughly $625 million worth of cryptocurrency has been stolen from Ronin, the blockchain underlying popular crypto game Axie Infinity. Ronin and Axie Infinity operator Sky Mavis revealed the breach on Tuesday and froze transactions on the Ronin bridge, which allows depositing and withdrawing funds from the company’s blockchain. Sky Mavis says it’s working with law enforcement to recover 173,600 Ethereum (currently worth around $600 million) and 25.5 million USDC (a cryptocurrency pegged to the US dollar) from the culprit, who withdrew it from the network on March 23rd.

The attack focused on the bridge to Sky Mavis’ Ronin blockchain, an intermediary between Axie Infinity and other cryptocurrency blockchains like Ethereum. Users could deposit Ethereum or USDC to Ronin, then purchase non-fungible token items or in-game currency, or they could sell their in-game assets and withdraw the money.

According to Sky Mavis, an attacker used hacked private security keys to compromise the network nodes that validate transfers to and from the Ronin blockchain. That let the attacker quietly withdraw large quantities of Ethereum and USDC. The transfer was discovered today - nearly a week later - when another user attempted to withdraw 5,000 Ethereum through the bridge.

Sky Mavis says the “axie” NFT tokens players must buy to access Axie Infinity haven’t been compromised, nor have the SLP and AXS in-game cryptocurrencies used in battling and breeding the pokémon-like cartoon axolotls. But the freezing of withdrawals and deposits effectively locks out many new players, and the hack leaves the fate of other user funds on the Ronin blockchain in question. Sky Mavis says it’s “working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds,” calling that its “top priority.” (Disclosure: Adi purchased three axies for a total of $105 last month in order to report on the game; axies currently sell starting at around $25 apiece.)

Validator nodes are a feature of proof-of-stake blockchains like Ronin, which are less energy intensive than proof-of-work systems like Bitcoin and Ethereum. The nodes review new transactions to confirm that their inputs and outputs match and that authorization signatures are valid, rejecting any transactions that don’t conform. Using a smaller number of nodes is faster and more efficient - but as the hack shows, it can create security risks if a majority of the nodes are compromised. It’s a potential vulnerability for blockchains that are touted as both cheaper and more environmentally friendly than Ethereum.

According to Sky Mavis, the Ronin attack was possible partly because of a shortcut the company had taken to relieve an “immense user load” on its network in November of last year - months after the game exploded in popularity in the Philippines and other countries where players relied on it as a full-time job. The system was discontinued in December, but the permissions that allowed it were never revoked. In addition to compromising four of Sky Mavis’ own nodes, the attacker exploited them to get access to one managed by the community-owned Axie DAO. After compromising five of the nine validator nodes, the attacker could effectively override any transaction security and withdraw whatever funds they liked.

Sky Mavis says it will increase the required number of nodes to eight for transactions, and it will reopen the Ronin bridge “at a later date” once it’s certain no more funds can be drained.