Axie Infinity Developers ‘Made Some Trade-offs’ That Enabled $625M Ronin Breach
The game’s creator, Sky Mavis, has raised $150 million to reimburse users affected by the theft
Blockworks Exclusive art by axel rangel
key takeaways
- Hackers breached the Ronin Network for over $625 million on March 29
- On Wednesday, Binance said that it has fully resumed withdrawals and deposits on the Ronin Network
A week after one of the largest cryptocurrency hacks to date — a $625 million breach on the Ronin Network bridge — Sky Mavis, the company that built it, acknowledged that its haste to grow the platform’s user base may have caused it to cut corners on security.
The Ronin Network is an Ethereum-linked sidechain used for blockchain game Axie Infinity. The bridge connecting it to the Ethereum mainnet was exploited, and an attacker drained 25.5 million USDC and 173,600 ETH on March 29, totaling about $625 million.
“While racing for mainstream adoption, we made some trade-offs that ended up leaving us vulnerable to this sort of attack,” Axie Infinity said in a blogpost. “It’s a lesson that we’ve learned the hard way.”
Sky Mavis announced a $150 million raise, led by Binance, to reimburse affected users. Other contributors to the round include Paradigm, Animoca Brands, Dialectic, Accel and Andreesen Horowitz.
“Sky Mavis is committed to reimbursing all of our users’ lost funds and implementing rigorous internal security measures to prevent future attacks,” Trung Nguyen, chief executive of Sky Mavis, said in the Wednesday statement.
On Wednesday, Binance said that it has fully resumed withdrawals and deposits on the Ronin Network after suspending them last week.
“In order for the global ecosystem to continue thriving and maturing, it is imperative that we work together, especially when it comes to security, which is our strong suit,” Changpeng “CZ” Zhao, chief executive of Binance, said in a statement.
Of the stolen ether, more than 170,000 ETH remains in the attacker’s wallet, and thousands of ETH have been transferred to Tornado Cash, a privacy tool for Ethereum.
“Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed,” per the breach’s announcement. “The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO.”
The Ronin Network bridge will reopen, Sky Mavis said, once it has undergone significant audits and security upgrades, which can take several weeks.
Among the security improvements, Sky Mavis will increase the validator group to 21 validators within the next three months, which will be split among various stakeholders including partners, community members and long-term allies.
Get the news in your inbox. Explore Blockworks newsletters:
- The Breakdown: Decoding crypto and the markets. Daily.
- Empire: Crypto news and analysis to start your day.
- Forward Guidance: The intersection of crypto, macro and policy.
- 0xResearch: Alpha directly in your inbox.
- Lightspeed: All things Solana.
- The Drop: Apps, games, memes and more.
- Supply Shock: Bitcoin, bitcoin, bitcoin.
