- Axie Infinity's Ronin Network said in a blog post Tuesday morning that it lost around $615 million in USDC (a U.S. dollar pegged stablecoin) and ethereum.
- That surpasses the $611 million hack of the DeFi protocol Poly Network in August 2021.
- The security breach was confirmed by Axie Infinity's official Discord and Twitter accounts, as well as by Ronin Network.
The popular blockchain game Axie Infinity, which lets users earn money as they play, is connected to what could be the largest decentralized finance, or DeFi, hack in history.
Axie Infinity's Ronin Network said in a blog post on Tuesday that it lost around $615 million in USDC (a U.S. dollar pegged stablecoin) and ethereum, surpassing the $611 million hack of the DeFi protocol Poly Network in August 2021.
The security breach was confirmed by Axie Infinity's official Discord and Twitter accounts, and by Ronin Network, which underpins the game. DeFi networks aim to recreate traditional financial systems like banks, but with cryptocurrency. They mostly run on the ethereum blockchain.
The incident was discovered Tuesday after a user was unable to withdraw 5,000 ether. But the attack took place on Mar. 23, when exploiters used hacked private keys to forge fake withdrawals, the blog post said, adding that other key validator nodes were compromised.
Ronin said the breach resulted in 173,600 ethereum and 25.5 million USDC being drained from the Ronin bridge in two transactions, which can be viewed on Etherscan. The project lost around $615 million at current prices.
Crypto holders often do not operate exclusively within one blockchain ecosystem, so developers have built cross-chain bridges to let users send cryptocurrency from one chain to another. In this case, the Ronin bridge connects Axie Infinity to other blockchains such as ethereum.
Using the bridge, players could deposit ethereum or USDC to Ronin and use that to purchase non-fungible tokens (NFTs) or in-game currency. They could then sell their in-game assets and withdraw the money.
Analysts at Blockchain Intelligence Group said the stolen money is on the move. Thus far, close to $17 million in ethereum has already been transferred to exchanges, including FTX and Huobi, the firm said.
"Bridges are very hard to get right and the attack surface is significantly greater than in normal DeFi projects," said Adrian Hetman of Immunefi, a bug bounty and security services platform for the web3 industry, in an email.
Hetman said bridges are "still an area of development" and the industry hasn't yet established best practices for their use.
Vitalik Buterin, the creator of ethereum, previously made the case that bridges won't be around much longer in crypto, in part because there are "fundamental limits to the security of bridges that hop across multiple 'zones of sovereignty.'"
Axie Infinity is a blockchain-based game that lets users collect and breed digital creatures called "Axies." In contrast to traditional pay-to-play games, Axie Infinity also allows players to earn money by selling their Axie NFTs to other users.
Axie Infinity creator Sky Mavis said it's committed to ensuring that all of the drained funds are recovered or reimbursed. For now, users are unable to withdraw or deposit funds.
Ronin said it's "working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds."