Inside the $625 Million Axie Hack and What It Means for Crypto Gaming

- Advertisement -


Thieves targeting a popular blockchain-based videogame made off with more than $600 million.

- Advertisement -

Dreamstime

- Advertisement -

Videogames based on blockchain networks appear to be a prime target for thieves, raising more concerns about the security of cryptocurrencies held on these decentralized gaming networks.

Thieves targeting Axie Infinity, a popular blockchain-based videogame, made off with 173,600 ether tokens and $25.5 million in USDC, a type of stablecoin that is pegged to the dollar. The theft occurred on March 23, according to developers of Axie, but was announced publicly on March 29. At recent prices for ether, the heist was worth about $615 million, down slightly from the $625 million value when the theft was disclosed.

- Advertisement -

Axie is a “play-to-earn” game in which users create and collect virtual pets. The creatures are nonfungible tokens, or NFTs, that are traded in the game, using various cryptos as currency. The hack occurred on a blockchain “bridge” network called Ronin, which is used for transferring cryptos between the Ethereum network and Axie. Sky Mavis, the Vietnam-based game studio behind Axie, manages Ronin.

See Also

The Ronin hack is disconcerting, partly because of the size of the theft, but also because of how it transpired. Ronin is managed by just nine computer “nodes” that validate transactions in the network. Typically, it takes a majority of nodes to form a consensus on the validity of a transaction, enabling it to be recorded on the blockchain. In this case, the hackers gaining control of just five nodes did the trick.

Axie said it “recruited an all star cast of partners” to secure the Ronin network, according to its foundational white paper, But the attackers still managed to hack the nodes and forge fake withdrawals, Axie said in a post on the attack.

In response, Axie said it has increased the threshold for validating transactions to eight nodes from five, according to the Ronin’s Newsletter site. “While the investigations are ongoing, at this point we are certain that this was an external breach,” the site said on Wednesday. “All evidence points to this attack being socially engineered, rather than a technical flaw.”

Axie also said it is working with the blockchain data firms Chainalysis and CrowdStrike to monitor the stolen funds, handle forensics, and try and recover the stolen funds for the game’s players and its own account, saying it’s “committed to ensuring that all of the drained funds are recovered or reimbursed.”

About half the stolen ether, or 56,000 tokens, came from Axie’s treasury, Sky Mavis’s chief operating officer, Aleksander Leonard Larsen, told Bloomberg.

Sky Mavis could not be reached for comment.

The hack may be the largest so far of a decentralized finance, or “DeFi” network, according to Rekt, a site that runs a leaderboard of such hacks. More than $611 million worth of crypto was stolen from the Poly blockchain network last August. More recently, in February, Solana’s bridge network, Wormhole, was exploited for $324 million, though the developers of Wormhole said that all stolen funds were returned.

Overall, the attacks raise concerns that these so-called “proof of stake” (POS) networks aren’t really decentralized. Blockchains based on POS are typically run by a handful of nodes, which stake collateral for the rights to validate transactions and receive fees in return.

But many POS networks are relatively small with only a handful of validators. Hackers may be able to make off with crypto by briefly controlling a majority of the validator nodes.

“The difficulty with these kinds of bridge networks or apps is achieving authentic decentralization,” said Strahinja Savic, head of data and analytics at FRNT Financial, a crypto derivatives firm in Toronto. Large blockchain networks like Ethereum and Bitcoin are managed by thousands of nodes, making such hacks nearly impossible to pull off, but smaller blockchains appear far more vulnerable.

“Hacking 50% of the Ethereum nodes is a tall order,” said Savic. “Its size protects it from an incident like this.”

Ethereum is moving to a proof-of-stake consensus mechanism, aiming for a July switch-over. Bitcoin, by contrast, is maintaining its original “proof of work” mechanism, which requires computers to expend computing power—and huge sums of electricity—to prove that transactions are valid.

The Ronin exploit also highlights the fact that most blockchain technology is still experimental and is being tested on users in real-time, putting them at “constant risk of significant losses,” FRNT said in an email to clients.

And it’s a major blow for blockchain-based games in which people create, buy, and trade NFTs. Not to mention that this isn’t just a game for many players, especially in some developing economies where this kind of traditional trading can generate far more income than jobs. Playing Axie has become a job for people in Asia, notes Molly White, a software engineer and crypto blogger,

“We’re seeing more incidents like this, where it’s not just someone losing some extra cash, but people losing the money that they need to live,” she said in an email to Barron’s.

Sky Mavis said that it didn’t discover the hack until March 29, when a user was unable to withdraw 5,000 ether tokens from the Ronin bridge.

Because the hack had happened days earlier, users were thus transacting on a network that had been breached, trading tokens that were at least partially unbacked.

Sky Mavis, of course, has strong incentives to restore the funds to users and its own corporate treasury. Recovering the stolen funds and reimbursing players would go a long way to restore Axie’s credibility and value of the capital pumped into the company.

Sky Mavis raised $152 million in venture capital last October, in a funding round led by Andreessen Horowitz, one of the largest venture-capital firms in Silicon Valley, according to The Information site. Other investors include Mark Cuban and the FTX Exchange, according to Crunchbase. The funding round valued Axie at a reported $3 billion.

“Axie embodies a new generation of games, where game creators are not operating from a place of fear but rather as an open, free market economy that allows players to move freely in and out of,” said Arianna Simpson, a partner at Andreessen, in a blog post last October. “We can’t wait to see where this pioneering team takes their community next.”

For blockchain-based videogamers, and investors in the business, Axie’s problems may be a lesson that the risks of losses go far beyond the virtual worlds.

Write to Daren Fonda at [email protected]

,

Credit: www.marketwatch.com /

- Advertisement -

Stay on top - Get the daily news in your inbox

DMCA / Correction Notice

Recent Articles

Related Stories

Stay on top - Get the daily news in your inbox