How the NFT-based game Axie Infinity suffered one of the largest crypto heists in history

April 1, 2022, 10:41 AM UTC

Axie Infinity—a blockchain-based video game where players battle each other with NFT monsters—is one of the world’s most popular “play-to-earn” games. The brightly colored, fantasy fighting hit has become an economic lifeline for millions across Southeast Asia by rewarding its huge user base with in-game currency that can be converted into real world money.

“I found financial freedom,” Pablo, a Filipino teacher and one of Axie Infinity’s many ardent players, told Fortune in a recent feature story on the groundbreaking game. But Sky Mavis, the Vietnam-based developer behind the game, has learned that great economic power comes with great responsibility.

When Axie Infinity’s user base skyrocketed last year, the value of its in-game cryptocurrency—Smooth Love Potion (SLP)—entered hyperinflation, forcing the developers to implement radical monetary policy measures that decimated players’ earning potential.

Then in late March, Axie Infinity suffered one of the world’s largest crypto heists. A hacker made off with roughly $620 million of the company’s crypto funds, delivering a fresh blow to the game’s millions of players, many of whom treat gameplay like a job.

David Hsiao, CEO of crypto magazine Block Journal, told Fortune the hack could “destroy all the companies involved,” just owing to its size. “This is one of the largest hacks ever,” says Hsiao, and Sky Mavis “may lack the revenue generation, insurance, and/or investigative abilities to track down the funds.”

How Axie got hacked

The story behind the hack begins in April 2021, when Sky Mavis transitioned the game off the Ethereum blockchain and onto a splinter “sidechain” called Ronin. The migration was supposed to make it easier for players to join the game and trade assets, like non-fungible tokens (NFTs), by making transactions faster and cheaper. And it worked.

Soon after the shift, the number of Axie Infinity players surged, reaching a peak of 2.5 million daily active users by the end of 2021, up from around 38,000 in April. The price of SLP—which Axie Infinity uses to reward players—skyrocketed too, spiking by 1,000% in the week after the game moved to Ronin.

SLP is useless in the real world, but Axie Infinity players can convert the virtual token into Ether—the native cryptocurrency of the Ethereum blockchain—and then cash out into fiat currency. That was, at least, until a hacker infiltrated the Ronin network on March 23 and stole the funds Axie Infinity uses to finance those cash-outs.

The Ronin network requires all transactions on its blockchain to be approved by five of nine “validators”—entities that sign off on any deposit or withdrawal from the network. That’s tiny compared with other blockchains: The main Ethereum blockchain has over 300,000 validators, while control over Ronin’s validators is limited to a handful of entities.

Four of Ronin’s compromised validators were controlled by Sky Mavis, while the fifth was controlled by the Axie DAO, the decentralized autonomous organization that represents Axie’s community. However, in November 2021, the Axie DAO allowed Sky Mavis to approve transactions on its behalf to help the developer handle “an immense user load.” The agreement ended a month later—yet Sky Mavis forgot to revoke its permission to sign for the Axie DAO.

That meant the hacker could easily gain control of the Ronin network just by breaking into Sky Mavis—and then approve transfers of roughly $620 million of cryptocurrency into his or her own accounts, draining the Ronin network of its Ether and other crypto reserves. 
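The quorum weakness described above can be checked mechanically. As an added example (not code from the article or from Sky Mavis), this Python audit flags any entity whose owned plus delegated validators reach the approval threshold, and any delegation still active past its agreed end. The validator ids, the operators named OperatorA to OperatorD and all dates are constructed.

```python
from collections import defaultdict
from datetime import date

THRESHOLD = 5  # approvals needed per transaction (five of nine, per the article)

# Constructed sample: validator ids, "OperatorA".."OperatorD" and all dates
# are placeholders; only the 4 + 1 split and the threshold come from the article.
VALIDATORS = {"v1": "SkyMavis", "v2": "SkyMavis", "v3": "SkyMavis",
              "v4": "SkyMavis", "v5": "AxieDAO", "v6": "OperatorA",
              "v7": "OperatorB", "v8": "OperatorC", "v9": "OperatorD"}
DELEGATIONS = [{"validator": "v5", "delegate": "SkyMavis",
                "agreed_end": date(2021, 12, 31), "revoked": False}]


def effective_reach(validators, delegations):
    """Map each entity to the validators it can sign for right now."""
    reach = defaultdict(set)
    for vid, owner in validators.items():
        reach[owner].add(vid)
    for d in delegations:
        # A grant stays usable until it is revoked, whatever the agreement said.
        if not d["revoked"]:
            reach[d["delegate"]].add(d["validator"])
    return reach


def audit(validators, delegations, threshold, today):
    """Return findings: stale grants and entities that alone meet the quorum."""
    findings = []
    for d in delegations:
        if not d["revoked"] and d["agreed_end"] < today:
            findings.append(("STALE_DELEGATION", d["delegate"], d["validator"]))
    reach = effective_reach(validators, delegations)
    for entity in sorted(reach):
        if len(reach[entity]) >= threshold:
            findings.append(("SINGLE_ENTITY_QUORUM", entity, len(reach[entity])))
    return findings


if __name__ == "__main__":
    for finding in audit(VALIDATORS, DELEGATIONS, THRESHOLD, date(2022, 3, 23)):
        print(finding)
```

With the delegation revoked, the same audit returns no findings, because Sky Mavis then controls four validators, one short of the threshold.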

Player earnings on pause

The game’s developers only discovered the hack a week later when an Axie Infinity player tried to cash out and the Ronin network didn’t have enough liquidity to cover the exchange.

In response to the hack, Sky Mavis temporarily suspended the Ronin blockchain, preventing anyone from depositing or withdrawing funds, and pledged to reimburse player losses. 

In a statement provided to Fortune after the hack, Yield Guild Games—a company that lends NFTs to Axie Infinity players in exchange for a share of their earnings from the game—noted that players “can continue to play Axie Infinity and accumulate their earnings,” but won’t be able to “cash out their SLP via the Ronin bridge” until Sky Mavis reactivates the service.

Sky Mavis has yet to announce when it might reactivate Ronin, though it said that new validators would be added to the Ronin blockchain “in the coming weeks.”

But the hack and Axie Infinity’s radical monetary overhaul have left some players questioning the value of their gameplay.
