Rayshum Khan, a paralegal in the Litigation Department, outlines the latest heist on Axie Infinity in what is believed to be the biggest cryptocurrency hack in the history of De-Fi.
Axie Infinity is an NFT-based online video game known for its in-game economy, which uses Ethereum-based cryptocurrencies.
Inspired by Nintendo’s beloved Pokémon series, players purchase NFTs of cute monsters and then pit them against each other in battles. It’s part of the emerging pay-to-play movement, meaning that players can earn SLP tokens during gameplay and then trade them for money at an exchange.
On March 23 this year Axie Infinity was affected by the biggest cryptocurrency hack in the history of decentralised finance (De-Fi), whereby over $600 million worth of Ether and USDC, a cryptocurrency pegged to the US dollar, was stolen from Ronin Network – the blockchain underlying the game.
The Ronin Network serves as a bridge between Axie Infinity and the Ethereum blockchain and it is used to conduct transactions and transfer cryptocurrency in and out of the game. Users would deposit Ethereum or USDC to Ronin, and then purchase NFTs or in-game currency, or alternatively, they could sell their in-game assets and withdraw the money.
Sky Mavis, the developer of the game and the Ronin Network sidechain, has commented that it is now working with law enforcement to recover 173,600 Ethereum worth around $600 million and 25.5 million in USDC.
‘The attacker could effectively withdraw whatever funds they liked’
The cryptocurrency was drained in two transactions, in which the attacker used hacked private keys to forge fake withdrawals.
It is still unclear how the private keys were obtained, but ultimately, in addition to compromising four of Sky Mavis’ own nodes, the attacker exploited them to find a ‘backdoor’ leading to one validator node managed by the community-owned Axie Decentralised Autonomous Organisation (DAO), something that was not supposed to be possible.
After compromising five of the nine validator nodes, the attacker could effectively override any transaction security and withdraw whatever funds they liked.
Validator nodes are a feature of proof-of-stake blockchains like Ronin, which are less energy intensive than proof-of-work systems like Bitcoin and Ethereum. Validator nodes act as operators which each store a copy of the blockchain and must perform extremely important functions to keep the system secure – such as reviewing new transactions to confirm that their inputs and outputs match, that authorization signatures are valid, and rejecting any transactions that don’t conform.
They are an essential part of the proof-of-stake consensus mechanism and are essentially the moderators of the staking system.
‘This one actually took six days to notice!’
Using a smaller number of nodes is faster and more efficient – but as this hack illustrates, it can create security risks if a majority of the nodes are compromised. It’s a potential vulnerability for blockchains that are hyped as both cheaper and more environmentally friendly than Ethereum.
To have the most decentralised system possible, it is better to have a good number of different validator nodes which can be elected. This makes for the greatest variety of staking options for the community, and also protects the system by preventing the chain from being controlled by one individual.
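The five-of-nine threshold and the decentralisation point above can be checked mechanically. The following is an added example, not code from Sky Mavis or the Ronin Network: it audits a constructed nine-validator set for operators whose compromise alone reaches the signing threshold. The operator names, validator ids and the delegation flag are assumptions made for illustration.

```python
from itertools import combinations

THRESHOLD = 5  # signatures needed out of nine validators, per the article


def build_validators(dao_delegates_to_developer):
    """Constructed sample: validator id -> operators able to sign with its key."""
    validators = {f"dev-{i}": {"developer"} for i in range(1, 5)}
    # The DAO validator; the flag models delegated signing access (the 'backdoor').
    validators["dao-1"] = {"dao"} | ({"developer"} if dao_delegates_to_developer else set())
    for name in ("a", "b", "c", "d"):  # four independent operators (assumed)
        validators[f"ext-{name}"] = {f"operator_{name}"}
    return validators


def keys_by_operator(validators):
    """Invert the mapping: operator -> validator keys reachable if it is compromised."""
    reach = {}
    for vid, operators in validators.items():
        for op in operators:
            reach.setdefault(op, set()).add(vid)
    return reach


def single_points_of_failure(validators, threshold=THRESHOLD):
    """Operators whose compromise alone yields enough keys to approve a withdrawal."""
    reach = keys_by_operator(validators)
    return sorted(op for op, keys in reach.items() if len(keys) >= threshold)


def min_operators_to_threshold(validators, threshold=THRESHOLD):
    """Smallest group of operators whose combined keys meet the threshold."""
    reach = keys_by_operator(validators)
    ops = sorted(reach)
    for size in range(1, len(ops) + 1):
        for combo in combinations(ops, size):
            if len(set().union(*(reach[o] for o in combo))) >= threshold:
                return size, combo
    return None


if __name__ == "__main__":
    for delegated in (True, False):
        v = build_validators(delegated)
        print("delegation" if delegated else "no delegation",
              single_points_of_failure(v), min_operators_to_threshold(v))
```

With the delegation in place, one operator controls five keys; with it revoked, an attacker still needs only two operators, which is why the number of independent validators matters as much as the threshold.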
Many of De-Fi’s latest exploits have happened on bridges. One possible explanation for this is that often the computer nodes on bridges aren’t audited, making it easy for an attack to slip under the radar. This one actually took six days to notice!
The RON token associated with the Ronin Network sank 23% within 15 minutes of the news breaking. Although Axie’s token dropped momentarily, it closed down just over 2% after Sky Mavis assured investors that “the Axie NFT tokens players must buy to access Axie Infinity haven’t been compromised”, nor had the SLP and AXS in-game cryptocurrencies used in battling and breeding the Pokémon-like cartoon ‘Axolotls’.
In its most recent announcement, the company said: “As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats.”
‘Both incidents demonstrate the evolving nature of much larger exploits’
It added: “We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks.”
After months of rising cryptocurrency cyber-attacks, the Ronin breach currently stands as the largest hack to date of De-Fi networks, following the $322 million theft from the bridge protocol of the cryptocurrency platform Wormhole last month.
Both of these incidents involve hacks against a newer type of crypto platform, in which hackers have targeted the cross-chain bridge that supports the exchange and interoperability of different cryptocurrencies from different blockchains.
Notably, both incidents demonstrate the evolving nature of these much larger exploits, and prove that the amount of funds stolen is rising dramatically.
Published 21 April 2022