We may have just witnessed the largest cryptocurrency heist ever, depending on the price of Ethereum.
A hacker stole 25.5 million USDC and 173,600 Ethereum from the Ronin sidechain on Wednesday, March 23rd. Ronin acts as the foundation for the popular play-to-earn game Axie Infinity.
The current US dollar value of the stolen funds totals between $610 and $625 million, directly rivaling a previous heist of a different sidechain network, Poly Network, which lost users approximately $600 million in crypto.
The company that created Axie Infinity, Sky Mavis, said in a lengthy Substack post that it has swiftly acted to close the exploit and pursue the attacker. It halted deposits and withdrawals on the Ronin network to prevent any further losses and is working to overhaul its entire infrastructure.
Luckily for Mavis and Ronin users, the attacker doesn’t seem to be great at staying anonymous. A small portion of the funds have been moved to other Ethereum wallets. Some were even sent to centralized exchanges (CEXes) like FTX and Crypto.com, without attempting to launder the funds.
CEXes require users to provide substantial personal information that would make the hacker easy to find, assuming it’s a legitimate account. Even if the account was stolen from someone else, it opens up an unnecessary paper trail. By moving the money this way, the culprit may have made law enforcement’s job a whole lot easier.
A Painful Lesson
Axie Infinity launched in 2018 and became the first widely popular NFT-based play-to-earn game. It also pioneered using a sidechain to fix all the problems a play-to-earn game would face on a network like Ethereum.
In other words, instead of building on an existing blockchain, they created their own.
They built Ronin to facilitate the large volume of transactions the game would need at a low cost. It worked quite well for a long time, but now that workaround has proven far more expensive.
The Ronin exploit reinforces a few lessons for the cryptocurrency community that most of us have heard many times before. Three of the most important metrics of a blockchain are scalability, decentralization, and security.
The best chains maximize all three, but it’s extremely difficult to do so.
At the moment, Ethereum is the king of multipurpose blockchains because of its fantastic decentralization and security. However, it struggles to scale to meet the demand, causing network congestion and high fees.
Ronin’s main vulnerability was its centralization, which tremendously diminished its security. A transaction on Ronin only has to be confirmed by five of its nine validator nodes.
By contrast, after Ethereum is upgraded later this year, every transaction must be confirmed by half of its almost 300,000 validators.
Ronin isn’t unique in this respect either; many other chains, like Binance Smart Chain, have only single- or double-digit numbers of validators too. Sky Mavis controlled four of the nine Ronin nodes, almost a majority.
All the hacker needed to do was break into Sky Mavis’s systems.
How the Hacker Exploited Ronin’s Security Vulnerabilities
The culprit stole the cryptographic signing key, the credential that produces each node’s signature, for every node under the company’s control. If that had been all the hacker could access, though, the exploit still would have been impossible to pull off.
Unfortunately, it wasn’t.
A further failure of security and centralization made it relatively easy to obtain the signing key for the fifth validator node, owned by the community’s decentralized autonomous organization, Axie DAO.
Once the hacker had control of the five validators, it proved easy to siphon off the $610+ million of Ethereum and USDC. No one even noticed for six days because the attacker had control of the network and could make it seem like all the funds were still there.
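To make the centralization point concrete, here is an added Python model (not code from the article, Sky Mavis or Ronin) of a 5-of-9 validator rule. It shows that the naive check passes once one company’s four keys plus one DAO key are in hand, and contrasts it with an operator-diversity check and a concentration metric a bridge operator could use to catch this configuration before an incident. The validator ids and the four independent operators are constructed assumptions; only the "four under Sky Mavis, one under Axie DAO" split comes from the article.

```python
from itertools import combinations

# Constructed validator set (assumption, not Ronin's real configuration):
# validator id -> operating organization. It mirrors the article's description,
# one company running 4 of 9 nodes and the DAO running 1; the other four are
# assumed to belong to independent operators.
VALIDATORS = {
    "v1": "SkyMavis", "v2": "SkyMavis", "v3": "SkyMavis", "v4": "SkyMavis",
    "v5": "AxieDAO",
    "v6": "OperatorA", "v7": "OperatorB", "v8": "OperatorC", "v9": "OperatorD",
}
THRESHOLD = 5  # the 5-of-9 rule described in the article


def withdrawal_approved(signers, threshold=THRESHOLD, validators=VALIDATORS):
    """Naive m-of-n check: enough distinct known validators signed.
    Duplicates and unknown signers are discarded, so one key cannot
    be counted twice."""
    distinct = {s for s in signers if s in validators}
    return len(distinct) >= threshold


def withdrawal_approved_diverse(signers, min_orgs=3,
                                threshold=THRESHOLD, validators=VALIDATORS):
    """Hardened check: the threshold must also span at least `min_orgs`
    distinct operators, so one organization's breach cannot reach it alone."""
    distinct = {s for s in signers if s in validators}
    orgs = {validators[s] for s in distinct}
    return len(distinct) >= threshold and len(orgs) >= min_orgs


def min_orgs_to_reach_threshold(validators=VALIDATORS, threshold=THRESHOLD):
    """Smallest number of organizations whose combined keys reach the
    threshold: a concentration metric a bridge operator can monitor.
    Returns 1 when a single breach is sufficient."""
    keys_by_org = {}
    for vid, org in validators.items():
        keys_by_org.setdefault(org, []).append(vid)
    for size in range(1, len(keys_by_org) + 1):
        for combo in combinations(keys_by_org, size):
            if sum(len(keys_by_org[o]) for o in combo) >= threshold:
                return size
    return len(keys_by_org)


if __name__ == "__main__":
    stolen = {"v1", "v2", "v3", "v4", "v5"}  # the article's scenario
    print("naive 5-of-9 approves:", withdrawal_approved(stolen))           # True
    print("operator-diverse check:", withdrawal_approved_diverse(stolen))  # False
    print("orgs needed for threshold:", min_orgs_to_reach_threshold())     # 2
```

The concentration metric returning 2 is the warning sign: with the assumed layout, two organizations’ keys are enough, and a single-company breach is only one key short.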
The Future for Axie Infinity and the Hacker
We don’t know if Axie Infinity can recover from the massive hack, but it at least seems possible that the hacker will be caught and some of the funds will be recovered.
Hopefully this disaster will teach others a good lesson: A lack of scalability worsens the user experience, but a lack of security or decentralization can be deadly.
Most hackers go for the biggest payout, but anyone can be hacked or phished out of their funds. Check out Blockster’s guide on how to keep your cryptos and NFTs safe.
Want to learn more about Axie Infinity pre-hack? Read our article on the Crypto Casino: The Future Of Play to Earn Crypto Games.