On 31st March, BBC reported Ronin Network- the company owning Axie Infinity, missing $615 worth of crypto currency. According to the report, the company narrates a hacker stealing cryptocurrency worth $540m on 23rd March. Ronin officials however noticed the massive heist only on Tuesday after a customer complained about a problem in money withdrawal.
According to a blog post on Ronin Network’s official newsletter, two transactions were made in the Ronin Wallet on 23rd March which fetched 73,600 Ethereum (ETH) and 25.5m USDC. The attackers first hacked private keys and then used them to enable fake transactions.
On the recovery of lost currency, Ronin Network stated that it’s collaborating with “law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed“.
Elliptic- a cryptocurrency investigator has already tracked the activity of the hacker. Reportedly, the hacker has attempted money laundering of worth $16m ETH through three centralized exchanges.
The crypto investigator finds out that the hacker first converted USDC to ETH through decentralized exchanges (DEXs). DEXs offer the hackers the advantage of absence of Anti Money Laundering (AML) and Know you Customer (KYC) checks.
Crypto hack happened from poor security compliance
Ronin Network states the reason for its crypto hack as ‘poor compliance to the security procedures’. The company had loosened its security compliance to incorporate “immense user load” back in November 2021.
Ronin Network uses 9 validator nodes, out of which a minimum of 5 validators are needed to allow a transaction. These five nodes include four Ronin Nodes, and one decentralized node which is controlled by Axie DAO (Decentralized Autonomous Organization).
Here’s where the mistake happened. When the Ronin’s user base increased in November 2021, it had added its nodes in allowlist of Axie DAO validator to validate transactions on its behalf. Although it was able to adjust the huge user base by December 2021 it did not change the allowlist status.
Hackers knew that with the decentralized node it was impossible to validate malicious transactions, therefore they first accessed the Ronin Nodes and used Ronin RPC (Remote Procedure Call) node to get the signature of Axie DAO.
Economy expert Frances Coppola commented on careless security policy saying: “We’ve seen so many hacks and exploits caused by – to be blunt – frank carelessness and lack of concern for the safety of people’s funds”.
Axie Infinity is highest rated Ethereum Game
Axie infinity is a fun game, social network and earning platform accessed by millions of users around the world. The platform allows players to buy cartoon pets called Axies and participate in Battles in their world: Lunacia.
Users are rewarded with in-game resources called Axie Infinity Shrads (AXSs) and Soft Love Potions (SLPs). These tokens could then be traded with cryptocurrency using Binance or Uniswap.
In addition to playing to earn, Axie Infinity also allows users to create games and other experiences viewed as Non Fungible Tokens NFTs and which could be traded within the game.
Unfortunately, thousands of young crypto enthusiasts have lost their money in the heist which they earned through skilled gaming and NFT creation.
Crypto hacks history
Elliptic reports the crypto hacks over the last decade based on the dollar value at that time. Company name along with time of hack is mentioned alongside.
- $325m – Wormhole, February 2022
- $470m – Mt Gox, February 2014.
- $532m – Coincheck, January 2018
- $540m – Ronin Bridge, March 2022.
- $611m – Poly Network, August 2021
The largest hack of cryptocurrency history is the Poly network hack in which the hacker made off with $611m worth of tokens. Quite ironically and fortunately, the hacker returned $400m back to polynetwork keeping the remaining $200m to themselves.
Polynetwork had offered the hacker a $5m bounty and an opportunity to join the company as CSO- Chief Security Officer if they returned the user funds.
Given the decentralized nature of cryptocurrency trading, Stake Bank of Pakistan recently announced its decision on crypto trading saying it has not legalized any tender on issuance of virtual currencies. The financial regulator is concerned on the non traceability of transactions which might encourage malicious activities across various areas.