According to reports the NFT themed gaming portal Axie Infinity was swindled to the tune of almost half a billion in ETH and USDC, when a skilled hacker got past their security protocols. This casts a huge shadow on not just NFT gaming but also causes serious concern amongst crypto investors.

What is Axie Infinity and the “Ronin” which got hacked ?

Axie Infinity is an NFT based gaming platform wherein its central game characters called “Axie” is an Ethernet Blockchain (ERC721) token represented as a unique digital creature that can be used in a variety of games. So far, its gaming model features battles and kingdom-building centered around ownership of in-game land plots. Land and items (artifacts) are also ERC 721 tokens. Small Love Potions (SLP) and Axie Infinity Shards (AXS) are ERC 20 tokens native to the Axie ecosystem.

The Ronin Sidechain

Playing on Axie Infinity earlier required quite a bit of preparation typical to a blockchain-based game. This would include buying the cryptocurrency Ether, setting up the MetaMask wallet, and the actual purchase of Axie, which could be made expensive by high transaction or gas (Ethernet Transaction) fees. Another pain point prevalent in blockchain, was the network congestion. To address this, the Axie Infinity team had built Ronin, an Ethereum sidechain specifically for the game. It acts like a personal, faster transaction channel for the Axie Users that doesn’t charge any transaction fees. The storage, access and control of any funds deposited or authorizing withdrawals or transfers was entrusted on 9 special nodes and their admin teams experienced in crypto security.

How did the crypto heist go down?

According to the official version on March 23rd, an attacker somehow got control of 4 authentication nodes and of their authentication keys. But that was not enough, as you need 5 keys to access funds. So the hacker accessed another server, exploiting a weakness in its transaction allow list. Once in control of 4 authentication nodes and exploiting the permission weakness on the 5th one, the hacker simply waltzed into the Ronin Transaction system, made 2 withdrawals totaling almost half a billion. No alarms went off, infact nobody noticed for a week. That apart from the security breach, itself looks particularly negligent or a case of grave oversight in financial governance.

The aftermath

RON, Ronin's native token, fell 20 percent to $1.84 after the news, according to CoinGecko. Refreshing the tragic memory of Poly Network's $611 million crypto theft that took place last year, the shockwave from this incident reminded everyone how vulnerable DeFi apps can be to hacks. The Ronin Bridge and Katana's Automated Market Marker (AMM) have been suspended to preserve the records and aid in investigations.

"We are working with law enforcement officers, forensic cryptographers and our investors to make sure all funds are recovered or recovered," said Skye Mavis, the creator of Axie Infinity.