Axie Infinity developer Sky Mavis announced Tuesday a massive breach of its Ronin cryptocurrency sidechain. An attacker used “hacked private keys” to break through Ronin’s validator network, Sky Mavis says, transferring 173,600 ethereum (worth approximately $594 million at current rates) and $25.5 million in USDC stablecoin as part of one of the largest breaches in the history of cryptocurrency.
To understand the nature of that breach, let us take you on a crash course in the short history of Axie Infinity and the complex web of crypto standards and technologies that helped allow the exploit to happen.
So you can, like, make money by playing a game?
Axie Infinity has been cited as one of the early success stories in so-called blockchain gaming. Such games use decentralized protocols to track ownership of certain in-game items and generally let players have some control over the resale of those items.
To play Axie Infinity, players need to purchase at least three NFTs of playable in-game Axies on the open market (or borrow them from owners). Playing with those Axies then earns players some Smooth Love Potions (SLP), which can power up Axies or be sold to other players as a commodity, creating a “play to earn” loop.
Last year, there was enough hype and money sloshing through this system that some players in the Philippines were able to make a decent local wage simply by playing the game as their full-time job. But that early success helped attract more players who hoped to hop on to the play-to-earn train, which flooded the market with SLPs.
With few new buyers coming in to purchase all those SLPs, the value of the potions (in dollars) has cratered roughly 80 percent since early November and a whopping 95 percent from its peak last May, according to CoinGecko. As the SLP’s value has cratered, so, too, has the number of daily active Axie Infinity players and the number of new players buying fresh Axies.
(For much more on how the Axie economy functions, and how it falls apart without new players who want to buy SLPs, read through this lengthy report from consultancy Naavik.)
The weak link in the (side)chain
While Axie Infinity originally ran directly on the ethereum blockchain, the high transaction costs and slow transaction speeds on that network quickly became untenable as the game grew. To get around those fees, Sky Mavis in 2020 started to use a sidechain—a parallel private blockchain running on top of ethereum that could bypass the need to pay ethereum “gas” for each and every transaction.
Sky Mavis initially partnered with Loom Networks for this sidechain functionality. In March 2020, though, the company broke that partnership and introduced its own sidechain called Ronin.
Unlike the distributed proof-of-work ethereum blockchain, the Ronin sidechain operates on a much more centralized proof-of-authority system. Rather than consulting the entire distributed blockchain network to confirm transactions, this proof-of-authority system runs its transactions through a small set of trusted, handpicked “validator” nodes. Each node stakes some of its reputation on validating each transaction, theoretically punishing lone actors that try to game the system.
Centralized exchanges like Binance and decentralized exchanges like Katana give users a “bridge” to transfer their in-game assets back and forth between Ronin and the main ethereum blockchain. Because those bridge transfers happen less often and in bulk, the transaction costs end up much lower.
Ronin’s proof-of-authority system, centralized in just nine validator nodes, is the key to its ability to provide a higher volume of transactions at a much lower cost than the sprawling ethereum network. It also ended up being Ronin’s weak point, in this case.
As Sky Mavis explains, the unknown attacker was able to breach Sky Mavis’ systems and gain full access to four validator nodes that the company controls. The attacker was then able to use a leftover backdoor in those nodes to gain control of another validator controlled by the decentralized Axie DAO.
With that fifth validator node, the attacker could then provide a majority of validation signatures on any transaction it wanted, leading to the fraudulent transfers.
The fallout
While the attack happened last Wednesday, Sky Mavis said it didn’t become aware of the problem until early Tuesday, when a user tried and failed to transfer 5,000 ETH from the network. “The fact that nobody notices for six days screams aloud that some structure should be in place to watch illicit transfers,” Securitize Capital head Wilfred Daye told Bloomberg.
Sky Mavis says that all user tokens on the Ronin network “are safe right now” and that the company is “working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed.”
For now, though, legitimate users are unable to withdraw or deposit funds to or from the Ronin network on either Katana or Binance. “The bridge will be opened up at a later date once we are certain no funds can be drained,” the company said.
And Sky Mavis also says that it is “in the process of discussing with Axie Infinity / Sky Mavis stakeholders about how to best move forward and ensure no users’ funds are lost,” which sounds a little uncertain.
In the hours after Sky Mavis’ Tuesday morning announcement of the breach, the price of Ronin’s $RON governance token fell nearly 22 percent to a new all-time low, according to CoinGecko. Even before that dip, though, $RON’s price had already fallen 36 percent since it was first introduced in late January.
To help prevent similar attacks in the future, Sky Mavis said it will now require eight of nine Ronin validators to agree on all transactions, rather than just a bare majority of five.
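To make the threshold arithmetic behind the breach and the fix concrete, here is an added example (not Sky Mavis or Ronin code) that models a bridge withdrawal check over nine validators with a configurable signature threshold. Validator names, keys and the withdrawal message are constructed for the demo, and HMAC-SHA256 stands in for the real signature scheme; the check also covers the edge case of one validator’s signature being submitted several times.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

# Constructed nine-validator set (hypothetical names): the first four model the
# nodes the studio runs itself, the fifth the DAO-run node, the rest third parties.
VALIDATORS: List[str] = [f"validator-{i}" for i in range(1, 10)]
STUDIO_RUN: List[str] = VALIDATORS[:4]
DAO_RUN: str = VALIDATORS[4]
COMPROMISED: List[str] = STUDIO_RUN + [DAO_RUN]  # the incident pattern: 4 + 1 keys
# Per-validator secret keys (constructed). HMAC-SHA256 stands in for the ECDSA
# signatures a real bridge contract checks; the threshold arithmetic is identical.
KEYS: Dict[str, bytes] = {v: hashlib.sha256(v.encode()).digest() for v in VALIDATORS}
WITHDRAWAL = b"withdraw 173600 ETH to fresh-wallet"  # constructed event to approve

def sign(validator: str, withdrawal: bytes) -> Tuple[str, bytes]:
    """A validator attests to a withdrawal (stand-in for an on-chain signature)."""
    return validator, hmac.new(KEYS[validator], withdrawal, hashlib.sha256).digest()

def verify_withdrawal(withdrawal: bytes, sigs: Iterable[Tuple[str, bytes]],
                      threshold: int) -> bool:
    """Release funds only if at least `threshold` DISTINCT known validators signed."""
    signers = set()
    for validator, sig in sigs:
        if validator not in KEYS:  # reject signatures from parties outside the set
            continue
        expected = hmac.new(KEYS[validator], withdrawal, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            signers.add(validator)  # a set: the same validator can only count once
    return len(signers) >= threshold

def attacker_can_drain(held_keys: List[str], threshold: int) -> bool:
    """Can a party holding only these validators' keys get a withdrawal approved?"""
    sigs = [sign(v, WITHDRAWAL) for v in held_keys]
    return verify_withdrawal(WITHDRAWAL, sigs, threshold)

def replayed_signature_passes(threshold: int) -> bool:
    """Edge case: one valid signature submitted `threshold` times must not count."""
    one_sig = sign(STUDIO_RUN[0], WITHDRAWAL)
    return verify_withdrawal(WITHDRAWAL, [one_sig] * threshold, threshold)

if __name__ == "__main__":
    for threshold in (5, 8):
        print(f"{threshold}-of-9, attacker holds 4 studio + 1 DAO keys:",
              attacker_can_drain(COMPROMISED, threshold))
    print("five replays of one signature accepted at 5-of-9:", replayed_signature_passes(5))
```

With a 5-of-9 threshold the four studio keys plus the DAO node are enough; at 8-of-9 the same key set is rejected, and the four studio keys alone never reach either threshold.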
The hunt
The vast majority of the Ronin attacker’s ill-gotten gains are currently sitting in a fresh ethereum wallet. Just over 6,000 ETH has been transferred to other addresses, though, which has some hoping that investigators will be able to follow the money to pin down the culprit.
“[The attacker] sent some tokens to exchanges which means there’s a chance he can be identified and brought to justice,” Axie Infinity co-founder Jeff Zirlin said during a presentation Tuesday at the NFTLA conference.
CURATED FROM:
Orland, Kyle. “How Did a Hacker Steal over $600 Million from a Crypto Gaming Blockchain?” Ars Technica, 30 Mar. 2022, https://arstechnica.com/gaming/2022/03/how-did-a-hacker-steal-over-600-million-from-a-crypto-gaming-blockchain/?amp=1.