A bridge too far? Largest ever crypto hack highlights the impact on users and the lack of protection at the cutting edge

On 29 March, what may be the largest crypto hack to date was detected, with an estimated $625m of cryptocurrency stolen from the “Ronin Bridge”, effectively stealing from the millions of users of the popular NFT game Axie Infinity.

Hacks in the crypto-asset space are nothing unusual, and should be taken in context of the increasing size of the space (estimated ~$2tn per a recent estimate by Forbes). However, aside from the fact that it is arguably the largest hack to date, there are a few details around this particular hack that are worth noting.

Background – NFT games

Before we unpack this, it is worth providing a few more details about the target of this attack.

We’ve discussed NFTs (or “Non-Fungible Tokens”) in some of our recent blog posts. As NFTs are effectively unique digital collectibles, they lend themselves well to use in online games as digital representations of things that a player might use and trade with others, such as characters or equipment. Crypto-Kitties is one of the earliest examples of these, built on the Ethereum blockchain, and was at one point responsible for significantly slowing down the network. Many games also operate on a “play to earn” model, allowing players to earn NFTs through playing the game itself.

Axie Infinity, developed by Vietnamese game studio Sky Mavis, is an example of one of these games, and is extremely popular, with in excess of two million users globally. In the game, players participate in battles using creatures called “Axies”, and are rewarded with items that can either be used in the game, or exchanged for cryptocurrency or cash. This model has led it to become extremely popular in the Philippines, where people were able to use the rewards from playing the game as a second, or even a primary, form of income.

There is doubtless some discussion to be had around the market forces that drive this model, though it’s worth noting that the notion of playing a game to earn money has been around for quite some time. Regardless, there are now a sizeable number of people who effectively make a living from playing this game. This does, of course, lead to real-world consequences when these hacks take place.

Background – the Ronin Bridge

A further technical detail to note is around the infrastructure itself, how that came to be, and why that became significant.

One of the challenges associated with any application that uses the Ethereum network is the cost of “gas”, which is the amount of Ethereum that a user must pay in order to have a transaction processed by the system. With a limited amount of processing power available, users need to effectively compete to have their transactions take place (which can have consequences, as we’ve discussed before). For an online game build on the Ethereum network, this quickly becomes unsustainable.

To get around this, in 2020 Sky Mavis created Ronin. Ronin is a “sidechain”, a chain that operates parallel to Ethereum, but is able to operate much more quickly and cheaply. Blockchains by default can’t speak to each other directly (Bitcoin operates completely separately to Ethereum), so these kinds of cross-chain transactions rely on smart contracts known as “bridges” to allow cross-chain transactions. This particular smart contract was known as the “Ronin Bridge”.

To “move” Ethereum to Ronin, the Ronin Bridge will take a quantity of Ethereum (ETH), lock it up (effectively as collateral), and then issue the equivalent value on the Ronin network as “wrapped Ethereum” (WETH). In this way, WETH can be used quickly and cheaply on the much-faster Ronin network, but it is still backed 1:1 by the ETH held by the Ronin Bridge. WETH in this instance can be thought of as similar to a mandatory form of alternative currency used for purchases in theme parks, for example.

As the Ronin network has to be much faster, it doesn’t use the proof-of-work approach used by blockchains such as Ethereum or Bitcoin. Instead, it relies on nine “validator nodes”, operated by trusted parties, to validate transactions. If at least five nodes agree that a transaction is authorized, it is allowed to be added to the chain. This allows the network to be much faster, cheaper, and more environmentally friendly than Ethereum.

The hack itself

In a more familiar proof-of-work based blockchain, in order to take control of a network an attacker would need to have control of a majority of the computing power within that network. This is known as a 51% attack. For larger blockchains, such as Bitcoin, the sheer number of miners globally mean that this is particularly hard to do.

However, the Ronin network relies on nine validator nodes, with a majority of nodes having to agree before a transaction is allowed to take place. Here, a hacker would need to gain control of five nodes in order to control a majority. And, on 23 March 2022, that’s exactly what this hacker did.

In the blog post announcing the incident, the Ronin network noted that the hacker was able to gain control of four validators run by Sky Mavis directly, and a third-party validator run by a DAO (decentralized autonomous organization), the Axie DAO, set up to eventually run the game. With control of five nodes, the hacker was effectively able to write their own checks, and drained 173,600 ETH and 25.5m USDC (a digital stablecoin pegged to the US dollar) from the Ronin Bridge to a single address.

Aftermath

The hack remained undetected for six days, only becoming apparent on 29 March 2022 when a user reported being unable to withdraw 5k ETH from the Ronin Bridge. To go back to our theme park analogy, it’s as if someone tried to change back $500 of theme park currency, but when the employee went to the safe, someone had cleaned it out, leaving the user (and all other users) stuck with their otherwise useless tokens.

When they became aware, the Ronin network announced the hack via their blog post, and suspended all use of the Ronin Bridge. They also engaged law enforcement and crypto-asset specialists Chainalysis to help trace the funds. So far, the hackers have been connected by the US treasury to the North Korean hacker group Lazarus Group, with the related ETH walled added to the sanctions list. They have also been transferring funds out of the wallet to other addresses, some of which are then transferred to Tornado cash, a popular “mixer” service designed to obfuscate the source of funds by mixing them with other funds.

As we’ve seen in the past, it’s becoming increasingly difficult for hackers to make good with their ill-gotten gains (as discussed in our blog post about Poly network hack). Exchanges can move quickly to blacklist addresses associated with known hacks, and law enforcement are becoming increasingly successful at recovering stolen funds. A large proportion of the ransom paid by Colonial Pipeline in May 2021 was recovered by the FBI, and in February this year the US Department of Justice recovered $3.6bn in Bitcoin from the Bitfinex hack. The fact that the Bitfinex hack took place in 2016 shows that, even half a decade later, hackers can’t assume that they’ve gotten away with it.

However, in the meantime, Axie Infinity players are wondering if or when they’ll be able to access their funds, in many cases representing their income from their jobs. Following the hack, some users were posting messages on the Ethereum blockchain, begging the hackers to return some of their money.

The Ronin network at the outset announced that they were seeking to ensure that all drained funds were recovered or reimbursed, and, as of 6 April, Sky Mavis had secured $150m in funding.

In conclusion...

Crypto firms, particularly those that experience rapid growth (often following the “move fast and break things” ethos) can find themselves to quickly be responsible for large values of the assets of their users, and simultaneously become tempting targets for hackers. As demonstrated by recent events, it’s important for these firms to have appropriate controls in place to protect themselves, and by extension their users, from hacks. This is particularly important in instances such as this, when those who are affected might include people for whom such a loss can be life-changing.

New technologies always lead to new use-cases, and NFT games are just one example of how crypto-assets can be utilized to create a new industry and push new boundaries. Incidents like these highlight the growing pains that these new industries can have, and why there’s still an important role to be played by good governance, supported by appropriate regulation and consumer protections.