Learn » Web3 Security » The Axie Infinity hack that left Gaming in shock
axie infinity hack cryptocurrency

The Axie Infinity hack that left Gaming in shock

Table of Contents

Overview of the Axie Infinity Hack

On the 23rd of March 2022, Sky Mavis, the developer of the rave play-to-earn game Axie Infinity made an announcement that would shock the world of decentralized gaming — Its side-chain Ronin Network has been breached; technically, it is quite a lot to process.

In this piece, we are going to go over the hack that saw over half a billion moved into hackers’ wallets, this is one of the largest breaches in the history of cryptocurrency. To understand the nature of the breach, we will go over the nitty-gritty of the hack in a bid to understand what could have been different and how this will further influence the gaming world:

Axie Infinity has been referred to as one of the early successes in the world of blockchain gaming, popularly referred to as play-to-earn. These games use decentralized protocols to track ownership of in-game items to simplify exchange for players and help them with the resale of these assets, most of which are NFTs and tokens. To play Axie Infinityplayers have to purchase at least three NFTs of playable in-game Axies on the open market or lease them from owners. Playing with these Axies makes players earn Smooth Love Portions (SLP). This can power up Axies or it can be placed on the in-market space to be purchased by others.

The main reason behind is to see the speed on the gaming interface get faster and to avoid paying gas fees, the payment on every transaction that takes place on the Ethereum blockchain that Axie Infinity moved from the Ethereum public blockchain to a parallel private blockchain running on Ethereum.

In March of 2020, Axie launched its side-chain, Ronin. It runs on the proof-of-authority rather than the popular proof-of-work that Ethereum uses. Proof-of-authority routes transactions through a set of trusted validators who will confirm any transaction that will take place on the sidechain. Each of the validators or most of the validators have to give permission to any transaction. There are also mechanisms in place to punish actors who go rogue in validating orders.

Ronin’s proof-of-authority system, “centralized in just nine validator nodes”, is the key to its ability to provide a higher volume of transactions at a lower cost than the sprawling Ethereum network. It also ended up being Ronin’s undoing, in this case.

How the Axie Infinity Hack Occurred? What really happened?

The Ronin side-chain has nine validator nodes. These nine authorized wallets are usually controlled by institutions; the majority of them need to sign a transaction for it to be confirmed. The issue with Ronin was that 4 of the 9 multisig keys were held by Sky Mavis, which in itself is a centralized entity and the studio behind Axie.

All the hacker had to do (not meaning that it was easy…) was hack the Sky Mavis centralized server and they had 4 of the 9 validator wallets in their care. Now, this is where the twist comes in. With the four validators, they will still need one more validator to sign off on a transaction before it can happen. However, they were in a bit of luck.

Axie DAO Validator, which is one of the five other independent validators, loaned their multisig to Sky Mavis in November. The reason was to help Sky Mavis validate transactions faster as game players increased.

While Axie DAO Validator received control over the multisig later, the details were not taken off the Sky Mavis centralized server. The hackers also got a hold of this. Now, they can validate any transaction they want.

The hackers took out over $625 million in funds. This is a huge amount of money and the hacker already started to launder the stolen ETH through Tornado cash to ensure anonymity.

Is Axie Infinity Hack could have been prevented?

This hack, one that moved this much money, could have been prevented. While Ronin is already working with ChainalysisBinance as well as law enforcement, this hack shouldn’t have happened in the first place. The first way to have prevented the hack would have more decentralisationCostly but way more secure.

Like Ronin admitted in their statement, “As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats. We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks.”

This hack could have been prevented if the details of the last verification node that enabled the attack to be carried out — The Axie DAO validator details have been wiped off the Sky Mavis centralized server; this attack would have ended up as an attempt and not one that would have ended up moving over half a billion.

Binance has also paused, for the moment, the Ronin bridge, which is to ensure that no other attack would take place. The linkage bridge will be opened up again once it is sure that no further funds could be drained.

Axie Infinity Hack: Lessons Learned and Industry Implications

As hackers get wiser and more cunning, DeFi and Play to Earn platforms must stay ahead of the learning curve in order to stay secure and keep the funds of their patron. In that case the lack of decentralization is the main reason of this hack. A lot of protocols are scarifying decentralization to offer cheaper fees and faster transaction, always in detriment of security.

Play to Earn games and blockchain in general is still an early tech but this hack shows that compromising on security almost always end up in a disaster at the cost of the participants.

Maxime Paul


The Axie Infinity hack was a significant security breach where attackers exploited vulnerabilities in the blockchain-based game’s system, resulting in a substantial financial loss.

The Axie Infinity hack was a significant security breach where attackers exploited vulnerabilities in the blockchain-based game’s system, resulting in a substantial financial loss.

Users were impacted through potential losses of in-game assets and cryptocurrency, raising concerns over security and trust in blockchain gaming platforms.

In response to the hack, enhanced security protocols have been implemented, including audits and updates to the platform’s infrastructure to prevent future breaches.

In the Axie Infinity hack, the attackers managed to withdraw over $625 million in funds, marking it as one of the largest thefts in the history of decentralized finance platforms.

Atato custody, an all in one solution for your digital assets security

Add any token, add any chain, MPC security, Dapps integration

Atato custody, an all in one solution for your digital assets security

Add any token, add any chain, MPC security, Dapps integration