Gamers playing Sky Mavis' blockchain asset and battle game Axie Infinity on Tuesday found over $600 million in ETH and USDC missing from their ecosystem. The attack hit the Ronin Bridge, which connects Sky Mavis' Ronin sidechain to Ethereum, after the private keys of five of the network's nine validator nodes were compromised. The draining transactions were made on March 23 but went unnoticed until a user reported a failed withdrawal on March 29. Developers have paused the bridge until they can ascertain that no further funds can be stolen.
The Ronin bridge has been exploited for 173,600 Ethereum and 25.5M USDC.
The Ronin bridge and Katana Dex have been halted.
— Ronin (@Ronin_Network) March 29, 2022
The attack highlights some of the security problems surrounding "sidechains": networks that process transactions outside a primary blockchain and periodically commit state to the main chain to achieve a degree of auditable verification. Off-chain layers of this kind are used primarily on chains notorious for high fees and congestion, such as BTC (where the Lightning Network plays a similar role through payment channels rather than a sidechain) and Ethereum.
Games using the BSV blockchain, such as CryptoFights, do not suffer from sidechain vulnerabilities—BSV has the speed and capacity to handle all game transactions on the main chain. That includes both gameplay data and player assets, as well as any other application running on BSV.
Axie Infinity is a battle game where users play to earn tradable tokens, such as “Smooth Love Potion” (SLP). Like other games of its type, Axie is particularly popular in developing countries, where a player’s monthly income can exceed the national average. The United States comes in third in Axie Infinity’s country rankings, behind the Philippines and Venezuela, and just ahead of Indonesia, Thailand, and Malaysia.
In response to news of the hack, some complained Ronin Network developers should have been more aware of the vulnerabilities. Axie Infinity itself had previously faced complaints from SLP token holders annoyed that developers hadn’t put more effort into pumping the asset’s price. The latter is a more common and familiar occurrence in the blockchain world.
NFT games and DEXs
According to Ronin Network’s Twitter bio, it “unlocks hyper-growth for NFT games.” In January, it claimed 250,000 unique addresses, 15% of all NFT transactions in 2021, and US$5 billion in “deposited value.” The network includes Katana, Ronin’s own DEX (decentralized exchange) and one of the most active DEXs in the world.
Ronin chain functions as an Ethereum sidechain. It has nine "validator nodes," with five signatures required to approve a deposit or withdrawal. The attacker obtained five valid signatures and drained the bridge in just two transactions. Four of the keys belonged to validators run by Sky Mavis itself; the fifth signature came from the validator run by the Axie DAO, a third party, and was obtained through a gas-free RPC node that Sky Mavis operated and that the DAO had allowlisted to request signatures on its behalf. In practice, then, a single organization's infrastructure held enough signing power to clear the five-of-nine threshold on its own.
A blog post on Ronin’s Substack pages explained how it happened:
“This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.”
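The failure mode described in that post can be made concrete with a small model of an m-of-n validator set whose threshold check counts distinct validators, plus a delegated-signing path that one validator has allowlisted for another operator. This is an added illustration, not Ronin's or Sky Mavis' code: HMAC-SHA256 stands in for the validators' real signature scheme so it runs on the Python standard library alone, and the validator names, the "mavis-ops" caller identity, the operator ownership map and the withdrawal format are all assumptions made for the example.

```python
"""Toy model of a 5-of-9 bridge validator set with an unrevoked signing allowlist.

Added illustration only. HMAC-SHA256 stands in for the validators' signature
scheme; validator names, the 'mavis-ops' caller, the OWNERS map and the
withdrawal encoding are assumptions, not Ronin's actual code or data.
"""
import hashlib
import hmac
import json
import secrets

THRESHOLD = 5
# Assumed validator set: four run by one operator, one by a DAO, four independent.
VALIDATORS = ["mavis-1", "mavis-2", "mavis-3", "mavis-4", "dao",
              "indie-1", "indie-2", "indie-3", "indie-4"]
# Assumed ownership of validators and of the infrastructure identity that may
# request delegated signatures.
OWNERS = {"mavis-ops": "sky-mavis",
          **{f"mavis-{i}": "sky-mavis" for i in range(1, 5)},
          "dao": "axie-dao",
          **{f"indie-{i}": f"indie-{i}" for i in range(1, 5)}}


def sign(key: bytes, msg: bytes) -> bytes:
    """Symmetric stand-in for a validator signature."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def withdrawal_msg(nonce: int, recipient: str, amount_wei: int) -> bytes:
    """Canonical encoding so every validator signs exactly the same bytes."""
    return json.dumps({"nonce": nonce, "to": recipient, "amount": amount_wei},
                      sort_keys=True).encode()


class Bridge:
    def __init__(self):
        # Verifier holds the same keys the validators sign with (symmetric stand-in).
        self.keys = {v: secrets.token_bytes(32) for v in VALIDATORS}
        self.allowlist = {}      # validator -> set of callers it will sign for
        self.used_nonces = set()

    def grant(self, validator, caller):
        self.allowlist.setdefault(validator, set()).add(caller)

    def revoke(self, validator, caller):
        self.allowlist.get(validator, set()).discard(caller)

    def request_signature(self, caller, validator, msg):
        """Delegated signing path: the validator signs for an allowlisted caller."""
        if caller == validator or caller in self.allowlist.get(validator, set()):
            return sign(self.keys[validator], msg)
        raise PermissionError(f"{caller} is not allowlisted to sign as {validator}")

    def verify_withdrawal(self, msg, signatures):
        """Approve when THRESHOLD distinct validators carry valid signatures on msg
        and the nonce has not been spent before."""
        nonce = json.loads(msg)["nonce"]
        if nonce in self.used_nonces:
            return False
        approved = {v for v, sig in signatures
                    if v in self.keys
                    and hmac.compare_digest(sign(self.keys[v], msg), sig)}
        if len(approved) < THRESHOLD:
            return False
        self.used_nonces.add(nonce)
        return True


def attacker_drains(revoke_stale_allowlist: bool) -> bool:
    """Attacker holds the four 'mavis-*' validator keys and the 'mavis-ops' caller
    identity. Returns True if the forged withdrawal passes the threshold check."""
    bridge = Bridge()
    bridge.grant("dao", "mavis-ops")            # the November-style delegation
    if revoke_stale_allowlist:
        bridge.revoke("dao", "mavis-ops")       # what should have followed in December
    msg = withdrawal_msg(nonce=1, recipient="0xattacker", amount_wei=173_600 * 10**18)
    sigs = [(v, sign(bridge.keys[v], msg)) for v in VALIDATORS if v.startswith("mavis-")]
    try:
        sigs.append(("dao", bridge.request_signature("mavis-ops", "dao", msg)))
    except PermissionError:
        pass  # only four signatures remain: below threshold
    return bridge.verify_withdrawal(msg, sigs)


def parties_needed(allowlist) -> int:
    """Fewest distinct organisations whose cooperation (or compromise) reaches
    THRESHOLD, counting a validator as reachable by any organisation that owns a
    caller allowlisted to sign for it. This is the number the threshold really buys."""
    reach = {}
    for v in VALIDATORS:
        for org in {OWNERS[v]} | {OWNERS[c] for c in allowlist.get(v, set())}:
            reach.setdefault(org, set()).add(v)
    covered, parties = set(), 0
    while len(covered) < THRESHOLD:
        best = max(reach, key=lambda o: len(reach[o] - covered))
        covered |= reach[best]
        parties += 1
    return parties


if __name__ == "__main__":
    print("drain with stale allowlist:", attacker_drains(False))   # True
    print("drain after revocation:   ", attacker_drains(True))    # False
    print("parties needed, stale:    ", parties_needed({"dao": {"mavis-ops"}}))  # 1
    print("parties needed, revoked:  ", parties_needed({}))       # 2
```

The point of `parties_needed` is that a five-of-nine threshold says nothing about security on its own; what matters is how many independent organisations must be compromised to collect five signatures. With the stale allowlist in place that number is one, which is exactly the situation the post-mortem describes.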
Tracking the Ronin Bridge hacker
Ronin developers said they’d found the hacker’s wallet address, which at press time appeared to still hold all the proceeds from the theft. Blockchain forensics firm Chainalysis is on the case, and the team is talking to security teams at exchanges and “working directly with various government agencies” to track down those responsible.
Major trading exchanges, including Huobi and Binance, signaled they would support Axie Infinity by keeping an eye out for any suspicious asset trading.
Huobi will fully support @AxieInfinity as it deals with the aftermath of the attack and theft on its Ronin chain. Any stolen crypto assets that have been discovered to have traversed our exchange and related networks will be dealt with expediently.
— Huobi (@HuobiGlobal) March 29, 2022
Our team is in touch with AxieInfinity team providing assistance in tracking this issue. https://t.co/pNU4wwrCAq
— CZ 🔶 Binance (@cz_binance) March 29, 2022
Whenever transactions happen off-chain, on a separate network, there are extra opportunities for attackers to find vulnerabilities. The networks may be much smaller, with only a handful of validators, or poorly constructed. Adding more and more complexity to any system invites exploitation and misuse simply because fewer people can understand or follow everything that's going on.
It is for this reason that BSV functions in exactly the same way Bitcoin has for the past decade, albeit with vastly increased capacity for scaling. While there have been many Bitcoin "hacks" over that time, none targeted the network itself; they were all due to poor security at third-party companies that managed Bitcoin addresses. With unbounded scaling, BSV works exactly as Satoshi Nakamoto intended it to, without the need for on-the-fly protocol changes, bolt-on layer solutions, and other additions.