On the 29th of March 2022, Sky Mavis, the developer of the popular play-to-earn game Axie Infinity, made an announcement that shocked the world of decentralized gaming: its sidechain, the Ronin Network, had been breached six days earlier, on the 23rd of March. Technically, there is quite a lot to process.
In this piece, we are going to go over the hack that saw over half a billion dollars moved into the attacker's wallets, one of the largest breaches in the history of cryptocurrency. To understand the nature of the breach, we will go over the nitty-gritty of the hack, in a bid to understand what could have been done differently and how this will influence the gaming world:
Axie Infinity has been referred to as one of the early successes in the world of blockchain gaming, popularly referred to as play-to-earn. These games use decentralized protocols to track ownership of in-game items, which simplifies exchange between players and helps them resell these assets, most of which are NFTs and tokens. To play Axie Infinity, players have to purchase at least three NFTs of playable in-game Axies on the open market or lease them from their owners. Playing with these Axies earns players Smooth Love Potion (SLP), a token that is used to breed new Axies or sold on the marketplace to other players.
Axie Infinity moved from the public Ethereum blockchain to a parallel chain running alongside Ethereum for two reasons: to make transactions on the gaming interface faster, and to avoid paying gas fees, the charge levied on every transaction that takes place on the Ethereum blockchain.
In March of 2020, Axie launched its sidechain, Ronin. It runs on proof-of-authority rather than the proof-of-work that Ethereum uses. Proof-of-authority routes transactions through a small set of trusted validators who confirm every transaction that takes place on the sidechain. A transaction is confirmed only when enough of the validators sign it; on Ronin, a withdrawal from the bridge needed signatures from 5 of the 9 validators. There are also mechanisms in place to punish validators who go rogue.
Ronin’s proof-of-authority system, “centralized in just nine validator nodes”, is the key to its ability to provide a higher volume of transactions at a lower cost than the sprawling Ethereum network. It also ended up being Ronin’s undoing, in this case.
What really happened
The Ronin sidechain has nine validator nodes. These nine authorized wallets are usually controlled by institutions, and a majority of them (5 of 9) have to sign a withdrawal for it to be confirmed. The issue with Ronin was that 4 of the 9 validator keys were held by Sky Mavis, which is itself a centralized entity and the studio behind Axie.
All the attacker had to do (not meaning that it was easy...) was compromise Sky Mavis's centralized infrastructure, and they had 4 of the 9 validator keys in their possession. Now, this is where the twist comes in. With four validators, they still needed one more validator to sign off on a transaction before it could go through. However, they were in a bit of luck.
The Axie DAO, which runs one of the five other independent validators, had in November 2021 allowlisted Sky Mavis to sign transactions on its behalf. The reason was to help Sky Mavis cope with the surge of transactions as the number of players grew.
The arrangement was discontinued in December 2021, but the allowlist access was never revoked; the details needed to obtain the Axie DAO validator's signature stayed on Sky Mavis's infrastructure, and the attacker got hold of them too. With five of the nine signatures, they could now validate any withdrawal they wanted.
The attacker took out over $625 million in funds (173,600 ETH and 25.5 million USDC). This is a huge amount of money, and the attacker has already started to launder the stolen ETH through Tornado Cash to obscure its trail.
What could have been prevented?
This hack, one that moved this much money, could have been prevented. While Ronin is already working with Chainalysis and Binance as well as law enforcement, this hack shouldn't have happened in the first place. The first way to have prevented it would have been more decentralisation: costlier, but far more secure.
Like Ronin admitted in their statement, “As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats. We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks.”
This hack could also have been prevented if the access that enabled the final signature, the Axie DAO validator's allowlist entry for Sky Mavis, had been revoked as soon as the arrangement ended in December. The attack would then have remained an attempt with four signatures short of the threshold, rather than one that moved over half a billion dollars.
The Ronin bridge has also been paused for the moment, to ensure that no further attack can take place, and Binance has suspended deposits and withdrawals on the Ronin network. The bridge will be reopened once it is certain that no further funds can be drained.
As attackers get wiser and more cunning, DeFi and play-to-earn platforms must stay ahead of the curve in order to stay secure and keep the funds of their patrons safe. In this case, the lack of decentralization is the main cause of the hack. A lot of protocols are sacrificing decentralization to offer cheaper fees and faster transactions, always to the detriment of security.
Play-to-earn games, and blockchain in general, are still an early technology, but this hack shows that compromising on security almost always ends in disaster, at the cost of the participants.
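The two points above, the 5-of-9 signature threshold described under "What really happened" and the stale allowlist entry that supplied the fifth signature, are easier to see in code. The following is an added example written for this article, not Sky Mavis's or Ronin's code: a small Python model of a bridge that releases funds only when five distinct validators have approved a withdrawal. The validator names, keys and withdrawal are constructed; HMAC stands in for the validators' real signature scheme; and the Axie DAO arrangement (in reality access through a Sky Mavis-run RPC node) is modelled as a bridge-side delegation table. The `replay_attack` function replays the story: four stolen keys fall short, the stale delegation makes five, and revoking it closes the hole.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

THRESHOLD = 5  # the Ronin bridge needed 5 of 9 validator signatures to release funds

# Constructed validator set: four run by Sky Mavis, the Axie DAO, and four others.
VALIDATORS = [
    "sky_mavis_1", "sky_mavis_2", "sky_mavis_3", "sky_mavis_4",
    "axie_dao", "indep_1", "indep_2", "indep_3", "indep_4",
]


@dataclass(frozen=True)
class Withdrawal:
    to: str
    amount_wei: int
    nonce: int

    def digest(self) -> bytes:
        return hashlib.sha256(f"{self.to}|{self.amount_wei}|{self.nonce}".encode()).digest()


@dataclass(frozen=True)
class Signature:
    vote_for: str   # validator whose approval this signature claims
    signer: str     # key holder that actually produced it
    mac: bytes


def sign(key: bytes, signer: str, w: Withdrawal, vote_for: str = "") -> Signature:
    """HMAC stands in for a validator's ECDSA signature (assumption, not Ronin's scheme)."""
    vote_for = vote_for or signer
    mac = hmac.new(key, w.digest() + vote_for.encode(), hashlib.sha256).digest()
    return Signature(vote_for, signer, mac)


@dataclass
class Bridge:
    keys: dict                                       # validator -> verification key
    delegations: dict = field(default_factory=dict)  # validator -> parties allowed to sign for it

    def valid_votes(self, w: Withdrawal, sigs) -> set:
        votes = set()
        for s in sigs:
            key = self.keys.get(s.signer)
            if key is None or s.vote_for not in self.keys:
                continue  # unknown signer or unknown validator
            expected = hmac.new(key, w.digest() + s.vote_for.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, s.mac):
                continue  # forged or tampered signature
            allowed = s.signer == s.vote_for or s.signer in self.delegations.get(s.vote_for, set())
            if allowed:
                votes.add(s.vote_for)  # a set, so one key cannot vote twice
        return votes

    def approve(self, w: Withdrawal, sigs) -> bool:
        return len(self.valid_votes(w, sigs)) >= THRESHOLD


def replay_attack(delegation_revoked: bool) -> dict:
    keys = {v: secrets.token_bytes(32) for v in VALIDATORS}
    bridge = Bridge(keys)
    # November: the Axie DAO allowlists a Sky Mavis node to sign on its behalf.
    # If the entry was revoked when the arrangement ended, the set is empty.
    bridge.delegations["axie_dao"] = set() if delegation_revoked else {"sky_mavis_1"}

    # The attacker walks off with the four Sky Mavis keys from the compromised server.
    stolen = {v: k for v, k in keys.items() if v.startswith("sky_mavis")}
    w = Withdrawal(to="0xattacker", amount_wei=173_600 * 10**18, nonce=1)

    sigs = [sign(k, v, w) for v, k in stolen.items()]
    sigs.append(sign(secrets.token_bytes(32), "indep_1", w))    # forgery attempt: wrong key
    sigs.append(sign(stolen["sky_mavis_2"], "sky_mavis_2", w))  # duplicate: must not double-count
    with_four = bridge.approve(w, sigs)

    # Fifth vote via the stale allowlist entry: sky_mavis_1's key voting for axie_dao.
    sigs.append(sign(stolen["sky_mavis_1"], "sky_mavis_1", w, vote_for="axie_dao"))
    with_delegation = bridge.approve(w, sigs)

    return {
        "votes_from_stolen_keys": len(bridge.valid_votes(w, sigs[:4])),
        "approved_with_four_keys": with_four,
        "approved_with_delegation": with_delegation,
    }


if __name__ == "__main__":
    print(replay_attack(delegation_revoked=False))
    print(replay_attack(delegation_revoked=True))
```

Running it shows the whole hack in two lines of output: with the delegation still in place the withdrawal is approved, and with it revoked the same five signatures yield only four valid votes and the withdrawal is refused. The forged and duplicate signatures are rejected in both runs, which is the point of counting distinct validators rather than signatures.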
Maxime Paul