In one of the biggest breaches in DeFi history, hackers stole more than $600 million of tokens — Ethereum and USDC — from the Ronin blockchain associated with the popular game, Axie Infinity. Both entities are part of the burgeoning Web3 ecosystem, which is defined by elements of decentralization and digital currency. And the fact that they could be broken into highlights the need for focus on security in the glitzy world of Web3. We’ll take a look at details of the hack, and how the company’s mitigating it. But first, a brief introduction about the game and the Ronin blockchain.
What the heck is Axie Infinity?
Axie Infinity is a play-to-earn game where players have to mint and collect NFT-based characters that aren’t unlike animated monsters, à la Pokémon. They can earn in-game tokens through breeding, battling, and building their army with these monsters called Axies. Sky Mavis, the Vietnamese company that runs the game, raised $152 million — bringing its valuation to $3 billion — last year from investors like a16z, FTX cryptocurrency exchange, and Samsung Next. The game is extremely popular in the Philippines, where players have been reported to make a living out of it, while wealthier followers of the game invest in said players. In February, it crossed the mark of $4 billion in lifetime NFT sales.
And what is Ronin?
Ronin is a side-chain (a blockchain compatible with Ethereum) that allows for faster and cheaper transactions than the primary blockchain for Axie Infinity players. The game’s transactions are based on Ethereum. But it’s very costly to do multiple transactions per day because of the high fees involved with ETH. To solve that problem, Axie Infinity developers released Ronin in February 2021 — a chain based on Ethereum that allowed 100 free transactions per day. This led to tremendous growth, and the game’s community grew to 2.9 million users by the end of 2021 end.
What about that breach?
According to Ronin’s official Substack page, attackers were able to siphon off 173,600 ether and 25.5 million USDC — worth more than $625 million at the current market value — across two transactions. In order to complete a transaction on the Ronin blockchain, you need approval from validator nodes. The Ronin chain has nine validators in total, and you need a signature from at least five of them for a transaction to go through. Attackers used an exploit to gain control over four Sky Mavis validators and one Axie DAO validator node, and perform two transactions. The attack took place on March 23, but the network got to know about it only six days later on Tuesday, when a user tried and failed to withdraw 5,000 ETH from the network.
Impact and next steps
Currently, the Ronin bridge is frozen for transactions, and it’ll open at “a later date” once the company has ensured that no more funds can be drained. The firm said, “All of the AXS, RON, and SLP [in-game tokens] on Ronin are safe right now.” Sky Mavis is also working with forensic cryptographers, authorities, and security agencies like Chainalysis to recover funds. It’s trying to make sure that no user money is lost in the process. To bolster its security to prevent hacks like this, the company has increased the mandatory threshold for transactions from five validator nodes to eight validator nodes. “We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks,” it said. This hack outlines the requirement to increase security for cryptocurrency-based projects. Many of these projects pride themselves on the fact that they are able to become platforms for people to have fun, spend their valuable time online, and earn money. But if that moolah is not kept safe, no one’s going to stick around — and they might lose faith in play-to-earn gaming altogether.