The Axie Infinity Ronin Network hack shattered the lives of players. What is the story behind Axie Infinity Ronin Network hack? Here is the chronology.

Hacking in the blockchain community has become more frequent lately. One of them involves Ronin, a sidechain created on Ethereum for the well-known play-to-earn Non-Fungible Token game Axie Infinity. The catastrophe shattered the lives of players - lots of them are full-time gamers who used to seek livelihoods by exchanging in-game currency with fiat money.

The Story Behind Axie Infinity Ronin Network Hack

 

The Game

Axie Infinity is an online video game created by the Vietnamese studio Sky Mavis. Players accumulate Non-Fungible Tokens (NFTs) which represent axolotl-inspired digital pets known as Axies. Axies are able to breed and battle each other, while players can also trade Axies with each other.

Axie Infinity became popular due to its Ethereum-based in-game cryptocurrency system. Axie Infinity players can exchange Smooth Love Potion (SLP) - the currency used by Axie Infinity to reward players - for Ether (the cryptocurrency that runs on the Ethereum blockchain) and then cash it out into fiat money.

With millions of users, the game receives a $4 billion valuation by the end of 2021. However, subsequent development shows that its security could not keep up with its vast player growth.

 

The Migration

Sky Mavis moved the game from the Ethereum blockchain to a breakaway "sidechain" named Ronin in April 2021. By speeding up and lowering the cost of transactions, the migration was intended to make it simpler for players to sign up for the game and trade items like NFTs.

The migration succeeded, and Axie Infinity gamers rapidly increased after the change. The number of daily active users peaked at 2.5 million by the end of 2021, up from about 38,000 in April. In the week following the game's transition to Ronin, the price of SLP shot up 1,000%.

But a hacker broke into the Ronin network on March 23, 2022, and took the money Axie Infinity needs to pay for those cash-outs. How could it happen?

 

The Breach

The Ronin network demands that five of the nine "validators" accept every deposit or withdrawal on its blockchain. Compared to other blockchains, that is minuscule. FYI, there are more than 300 thousand validators in the main Ethereum blockchain.

Sky Mavis was in charge of four of Ronin's validators, while the Axie DAO (the Decentralized Autonomous Organization for the Axie community) was in control of the fifth. To help the developer deal with a "huge amount of user load," the Axie DAO permitted Sky Mavis to approve transactions on its behalf in November 2021.

A month later, the contract should have come to an end. But Sky Mavis neglected to renounce its authority to sign on behalf of the Axie DAO. Consequently, hackers who trespass into Sky Mavis could take over the Ronin network and authorize transactions to move the available liquidity into their own accounts, depleting the network's stocks of Ether and other cryptocurrencies.

 

The Aftermath

The hack wasn't discovered until a week later when an Axie Infinity user attempted to withdraw money and the Ronin network was unable to handle the transaction. By then, it was too late. Over 173,600 Ether (ETH) and 25.5 million USD Coin (USDC), with a combined value of almost $620 million, had evaporated. Around $400 million belonged to users.

Sky Mavis halted the Ronin blockchain due to the hack, making it impossible for anybody to make deposits or withdrawals. Players won't be able to cash out their SLP via the Ronin bridge until Sky Mavis restart the service, despite their assurance that they will make up player losses in the future.

Since then, the game's creators have enlisted the aid of several cryptocurrency exchanges and the crypto-analytic firms to follow the flow of cash and retrieve them. However, there is no good news yet.

The game's creators recently pledged to expand the validator nodes from 9 to 21. Additionally, they guaranteed that the Axie DAO will vote for the subsequent steps for its treasury if the stolen assets are not recovered within two years. Still, we have to wait and see whether the stolen funds can be recovered or not.

 

Another hacking incident with interesting details is the wormhole attack. See the complete story in "DeFi Hacked: What Went behind the Wormhole Attack?"