
Axie Infinity’s blockchain was exploited and over $600 million was stolen

Axie Infinity is an NFT game that sees players breeding, trading and battling cartoonish axolotls. One of the primary draws of this game is that players are able to earn cryptocurrency as they play.

The game is owned and created by Sky Mavis, which also built the blockchain the game uses, known as the Ronin Network.

On Tuesday, Sky Mavis shared news that an exploit of the Ronin Network had seen 173 600 Ethereum and 25.5 million USDC drained from the Ronin Bridge. At the time of writing, this represents $617 031 584 in value.

“Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO,” Sky Mavis wrote in a blog post.

“The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator,” the business added.

This DAO validator was created in November 2021 in a bid to help the Axie DAO deal with an “immense user load”. While Sky Mavis stopped using this DAO validator in December, access was not revoked, an oversight that has now cost the developer hundreds of millions of dollars.
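The failure described above is a control-concentration problem: a 5-of-9 threshold only helps if no single party can obtain five signatures, counting access it was granted and never lost. The following audit sketch is an added example, not Sky Mavis code; the validator names, the `delegates` field, the 30-day idle limit and all dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

THRESHOLD = 5  # signatures needed to approve a deposit or withdrawal (5 of 9, per the article)

@dataclass
class Validator:
    name: str
    operator: str  # party that holds the validator key
    # Hypothetical model of leftover access: party -> date the access was last used
    delegates: dict = field(default_factory=dict)

def effective_control(validators):
    """Map each party to every validator it can obtain a signature from."""
    control = {}
    for v in validators:
        for party in {v.operator, *v.delegates}:
            control.setdefault(party, set()).add(v.name)
    return control

def audit(validators, today, max_idle_days=30, threshold=THRESHOLD):
    """Flag parties that alone reach the threshold, and access left unused too long."""
    findings = []
    for party, names in sorted(effective_control(validators).items()):
        if len(names) >= threshold:
            findings.append(("THRESHOLD_REACHABLE", party, len(names)))
    for v in validators:
        for party, last_used in v.delegates.items():
            idle = (today - last_used).days
            if idle > max_idle_days:
                findings.append(("STALE_DELEGATION", f"{v.name}->{party}", idle))
    return findings

# Constructed validator set mirroring the article: four Sky Mavis validators,
# one Axie DAO validator whose signature Sky Mavis could still obtain,
# and four unrelated operators. Dates are illustrative only.
VALIDATORS = [Validator(f"skymavis-{i}", "Sky Mavis") for i in range(1, 5)]
VALIDATORS.append(Validator("axie-dao", "Axie DAO", {"Sky Mavis": date(2021, 12, 1)}))
VALIDATORS += [Validator(f"third-party-{i}", f"Operator {i}") for i in range(1, 5)]

if __name__ == "__main__":
    for finding in audit(VALIDATORS, today=date(2022, 3, 23)):
        print(finding)
```

Removing the leftover entry from the `axie-dao` validator clears both findings, which is the revocation step the article says was missed.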

What is incredibly shocking here is the fact that Sky Mavis only saw there was a problem when a user tried to withdraw 5 000 Ethereum from the Ronin Bridge.

While Sky Mavis states that AXS, RON and SLP tokens on Ronin are safe, that has done little to ease users' concerns.

In response to a tweet announcing the exploitation of the network, users were critical of how long it took Sky Mavis to notice the exploit.

The firm says it is working with law enforcement officials, forensic cryptographers, and its investors to “make sure all funds are recovered or reimbursed”. How successful that endeavour will be remains to be seen.
