Published on: 29/06/2022
Axie Infinity returns after $625 million cyberattack
The cryptocurrency pay-to-win game Axie Infinity has reopened following a devastating $625 million cyberattack. The game will continue to run on the Ronin network, which was brought back online after one internal audit and two external audits by the blockchain security firms Verichains and Certik.
Sky Mavis, the development company team behind Axie Infinity and the Ronin blockchain that powers the game, has announced that players can now make deposits and withdrawals through Ronin.
Previously, Ronin was hacked after attackers exploited a backdoor in a Remote Procedure Call (RPC) node operated by Sky Mavis, the creator of Axie, to obtain a signature, allowing them to “forge fake withdrawals” with compromised private keys.
In an official blog post, the company described a new “circuit-breaker system” that flags “large, suspicious withdrawals”, as well as withdrawal limits and human reviewers. It also informed players that a new land-securing feature would be available this week, allowing virtual landholders in the game to earn passive income. However, it remains to be seen whether these changes will restore confidence in the game.
Meanwhile, Axie Infinity players are warned not to send money directly to Ronin Bridge’s smart contract address in the future. “The Ronin Bridge should only be accessed and used for deposits/withdrawals through the Ronin Bridge UI,” the company wrote in its post. “Any funds sent directly to the Ronin Bridge’s contract addresses will be lost forever.”
Cyber attack and refund process
In March, a group of hackers stole nearly 173,600 ETH and nearly 26 million USDC (approximately $26 million) from the game’s network. Since then, Sky Mavis has been working to improve its security procedures and raise additional funds to cover customers, and the Ronin Bridge has remained inoperable in the meantime.
The intrusion went undetected for six days, until a customer attempted to withdraw funds and was unable to do so. Sky Mavis blamed a spear-phishing attack on a former employee, as well as the lack of a system for monitoring large outflows.
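The “circuit-breaker” described above, and the outflow monitoring the company says it lacked, can be illustrated with a small defender-side model. This is an added example, not Sky Mavis or Ronin code: it checks each withdrawal against a per-transaction review threshold and a rolling daily outflow limit, routes large ones to a human reviewer, and halts the bridge when the limit is breached. The thresholds, window size and sample withdrawals are constructed assumptions.

```python
# Added example (not Sky Mavis / Ronin code): a minimal bridge circuit breaker.
# Thresholds, window size and the sample withdrawals below are constructed.
from collections import deque
from dataclasses import dataclass, field

ETH = 10**18  # wei per ETH


@dataclass
class CircuitBreaker:
    review_threshold: int          # a single withdrawal above this waits for a human reviewer
    window_limit: int              # total outflow permitted inside the rolling window
    window_seconds: int = 24 * 3600
    halted: bool = False
    _recent: deque = field(default_factory=deque)  # (timestamp, amount) of accepted requests

    def _window_total(self, now: int) -> int:
        # drop entries that have aged out of the rolling window, then sum what is left
        while self._recent and self._recent[0][0] <= now - self.window_seconds:
            self._recent.popleft()
        return sum(amount for _, amount in self._recent)

    def evaluate(self, ts: int, amount: int) -> str:
        """Return 'halted', 'review' or 'approved' for one withdrawal request."""
        if self.halted:
            return "halted"                      # nothing leaves until operators reset
        if self._window_total(ts) + amount > self.window_limit:
            self.halted = True                   # trip the breaker on aggregate outflow
            return "halted"
        self._recent.append((ts, amount))        # counts toward the window even if queued for review
        if amount > self.review_threshold:
            return "review"                      # held for a human reviewer, not executed
        return "approved"


def run(events, breaker: CircuitBreaker):
    """Evaluate (tx_id, unix_time, amount_wei) events in order and return the decisions."""
    return [(tx, breaker.evaluate(ts, amount)) for tx, ts, amount in events]


# constructed sample withdrawals: (tx id, unix time, amount in wei)
SAMPLE = [
    ("tx1", 0, 5 * ETH),           # routine withdrawal
    ("tx2", 600, 1_500 * ETH),     # single large withdrawal -> review
    ("tx3", 1_200, 9_000 * ETH),   # pushes the 24h total over the limit -> breaker trips
    ("tx4", 1_800, 1 * ETH),       # anything after the trip is rejected
]

if __name__ == "__main__":
    cb = CircuitBreaker(review_threshold=1_000 * ETH, window_limit=10_000 * ETH)
    for tx, decision in run(SAMPLE, cb):
        print(tx, decision)
```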
Following an investigation, the US Treasury Department linked the cyberattack to the North Korean hacking group Lazarus and sanctioned the wallets that held the stolen cryptocurrency. Sky Mavis appears to have kept its promise to compensate players affected by the theft: last week it officially confirmed that it would begin refunding victims of the hack.
Despite claiming that customers’ funds are “completely backed up 1:1 by the brand new bridge”, Sky Mavis has yet to compensate the Ronin community for a significant portion of the stolen funds. The company says Ronin is now down 71,600 ETH ($85.8 million) and 25.5 million USDC ($25.5 million) after pooling funds from Sky Mavis’ founding members and receiving $150 million in funding from a variety of corporations, including Binance. Sky Mavis claims to have fully repaid these obligations and will reimburse its users for $216.5 million.
However, the refund excludes the 56,000 wETH ($67.2 million) taken from the treasury of the Axie DAO (decentralized autonomous organization), which votes on the Axie community’s decisions. The DAO has warned Sky Mavis that it would hold a vote on the “next steps” should things fail to improve in the coming two years, while the company says it is working with law enforcement to recover the funds.