The $625M Ronin blockchain hack shows the need for better security in the Web3 world
Axie Infinity game’s blockchain was the target of one of the biggest DeFi hacks
What the heck is Axie Infinity?
Axie Infinity is a play-to-earn game where players have to mint and collect NFT-based characters that aren’t unlike animated monsters, à la Pokémon. They can earn in-game tokens through breeding, battling, and building their army with these monsters called Axies.
Sky Mavis, the Vietnamese company that runs the game, raised $152 million — bringing its valuation to $3 billion — last year from investors like a16z, FTX cryptocurrency exchange, and Samsung Next.
The game is extremely popular in the Philippines, where players have been reported to make a living out of it, while wealthier followers of the game invest in said players.
In February, it crossed the mark of $4 billion in lifetime NFT sales.
And what is Ronin?
Ronin is a side-chain (a blockchain compatible with Ethereum) that allows for faster and cheaper transactions than the primary blockchain for Axie Infinity players.
The game’s transactions are based on Ethereum. But it’s very costly to do multiple transactions per day because of the high fees involved with ETH.
To solve that problem, Axie Infinity developers released Ronin in February 2021 — a chain based on Ethereum that allowed 100 free transactions per day.
This led to tremendous growth, and the game’s community grew to 2.9 million users by the end of 2021.
What about that breach?
According to Ronin’s official Substack page, attackers were able to siphon off 173,600 ether and 25.5 million USDC — worth more than $625 million at the current market value — across two transactions.
In order to complete a transaction on the Ronin blockchain, you need approval from validator nodes. The Ronin chain has nine validators in total, and you need a signature from at least five of them for a transaction to go through.
Attackers used an exploit to gain control over four Sky Mavis validators and one Axie DAO validator node, and perform two transactions.
The attack took place on March 23, but the network got to know about it only six days later on Tuesday, when a user tried and failed to withdraw 5,000 ETH from the network.
Impact and next steps
Currently, the Ronin bridge is frozen for transactions, and it’ll open at “a later date” once the company has ensured that no more funds can be drained. The firm said, “All of the AXS, RON, and SLP [in-game tokens] on Ronin are safe right now.”
Sky Mavis is also working with forensic cryptographers, authorities, and security agencies like Chainalysis to recover funds. It’s trying to make sure that no user money is lost in the process.
To bolster its security to prevent hacks like this, the company has increased the mandatory threshold for transactions from five validator nodes to eight validator nodes.
“We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks,” it said.
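The quorum rule described above can be modelled to show why the number of signatures alone does not tell the whole story. The following is an added example, not code from Ronin or Sky Mavis: it counts distinct validator approvals and computes how few operators must be compromised to reach a threshold. The validator IDs, the four placeholder operator names, and the assumption that those four validators are run independently are constructed; only the nine-validator total, the four Sky Mavis nodes, the one Axie DAO node, and the thresholds of five and eight come from the article.

```python
from collections import Counter

# Constructed validator set. The article gives nine validators, four run by
# Sky Mavis and one by Axie DAO; the other operator names are placeholders
# and are assumed to be independent of each other.
VALIDATORS = {
    "v1": "Sky Mavis", "v2": "Sky Mavis", "v3": "Sky Mavis", "v4": "Sky Mavis",
    "v5": "Axie DAO",
    "v6": "operator-A", "v7": "operator-B",
    "v8": "operator-C", "v9": "operator-D",
}


def approved(signers, threshold, validators=VALIDATORS):
    """True if at least `threshold` distinct, known validators signed.

    Duplicate signers and signers outside the validator set do not count.
    """
    distinct = {s for s in signers if s in validators}
    return len(distinct) >= threshold


def operators_to_reach(threshold, validators=VALIDATORS):
    """Fewest operators whose combined keys meet the threshold.

    Taking operators in descending order of key count is optimal because
    every key carries the same weight toward the quorum.
    """
    counts = sorted(Counter(validators.values()).values(), reverse=True)
    total = 0
    for n, keys in enumerate(counts, start=1):
        total += keys
        if total >= threshold:
            return n
    return None  # threshold is larger than the validator set


def largest_operator(validators=VALIDATORS):
    """Operator holding the most validator keys, with its key count."""
    return Counter(validators.values()).most_common(1)[0]


if __name__ == "__main__":
    for t in (5, 8):
        print(f"threshold {t}: {operators_to_reach(t)} operator(s) suffice")
    print("largest operator:", largest_operator())
```

Under these assumptions, a threshold of five is reachable through two operators, because one of them holds four of the nine keys. A threshold of eight requires five, provided the remaining validators really are operated independently.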
This hack underscores the need for stronger security in cryptocurrency-based projects.
Many of these projects pride themselves on the fact that they are able to become platforms for people to have fun, spend their valuable time online, and earn money. But if that moolah is not kept safe, no one’s going to stick around — and they might lose faith in play-to-earn gaming altogether.
Story by Ivan Mehta
Ivan covers Big Tech, India, policy, AI, security, platforms, and apps for TNW. That’s one heck of a mixed bag. He likes to say “Bleh.”