
How did a hacker steal over $600 million from a crypto gaming blockchain?

Artist's rendering of Sky Mavis tracking down the hackers behind the $600M breach.

Axie Infinity developer Sky Mavis announced today a massive breach of its Ronin cryptocurrency sidechain. An attacker used "hacked private keys" to breach Ronin's validator network, says Sky Mavis, and transferred 173,600 ETH (worth about $594 million at current rates) and $25.5 million in the USDC stablecoin, in one of the biggest breaches in cryptocurrency history.

To understand the nature of this breach, let us take you on a crash course in the brief history of Axie Infinity and the complex web of crypto standards and technologies that helped make the exploit possible.

So you can make money by playing a game?

Axie Infinity has been cited as one of the early success stories in so-called blockchain gaming. Such games use a decentralized ledger to track ownership of certain in-game items and generally give players some control over the resale of those items.

To play Axie Infinity, players must purchase (or borrow from owners) at least three in-game NFTs of playable Axies on the open market. Playing with these Axies then earns players some Smooth Love Potions (SLP), which can be used to breed new Axies or sold as commodities to other players, creating a "Play to Earn" loop.

Last year there was enough hype and money sloshing through this system that some players in the Philippines were able to earn a decent local wage simply by playing the game as their full-time job. But that early success helped attract more players hoping to jump on the play-to-earn bandwagon, which in turn flooded the market with SLPs.

Could this be your new job?

With few new buyers coming in to buy all of those SLPs, the dollar value of the potions has plummeted about 80 percent since early November and a whopping 95 percent since its peak last May, according to CoinGecko. As the SLP value has fallen, so have the number of daily active Axie Infinity players and the number of new players purchasing new Axies.


(To learn more about how the Axie economy works and how it falls apart without new players looking to buy SLPs, read this lengthy report from consulting firm Naavik.)

The weak link in the (side) chain

While Axie Infinity originally ran directly on the Ethereum blockchain, the high transaction costs and slow transaction speeds on that network quickly became unsustainable as the game grew. To get around those fees, in 2020 Sky Mavis began using a sidechain: a separate, privately operated blockchain running alongside Ethereum, which removes the need to pay Ethereum "gas" for every single in-game transaction.

Sky Mavis initially partnered with Loom Networks for this sidechain feature. Last May, however, the company broke up this partnership and introduced its own sidechain called Ronin.

An image of Sky Mavis announcing the launch of the Ronin sidechain.

Unlike the distributed proof-of-work Ethereum blockchain, the Ronin sidechain operates on a much more centralized proof-of-authority system. Rather than consulting the entire distributed blockchain network to confirm transactions, this proof-of-authority system executes its transactions through a small group of trusted, hand-picked “validator” nodes. Each node stakes part of its reputation on validating every transaction, theoretically penalizing individual actors who try to trick the system.

Centralized exchanges like Binance and decentralized exchanges like Katana allow users to "bridge" their in-game assets back and forth between Ronin and the main Ethereum blockchain. Because these bridge transfers are infrequent and move larger amounts at a time, the fees paid per unit of value are much lower than paying Ethereum gas on every in-game transaction.

Ronin’s proof-of-authority system, centralized in just nine validator nodes, is key to its ability to provide higher transaction volume at a much lower cost than the sprawling Ethereum network. It was also Ronin’s weak point in this case.

As Sky Mavis explains, the unknown attacker was able to penetrate Sky Mavis' systems and gain full access to the four validator nodes that the company controls. The attacker then used a leftover backdoor, a gas-free RPC node that the Axie DAO had allowlisted in November 2021 to sign on its behalf and had never revoked, to obtain the signature of a fifth validator, one controlled by the decentralized Axie DAO.

With this fifth signature, the attacker held five of the nine validator approvals Ronin's bridge requires to release funds, a majority sufficient to authorize any withdrawal it wanted, and used it to push through the fraudulent transfers.
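The proof-of-authority bridge described above comes down to a k-of-n signature check: a withdrawal is released once the bridge contract sees valid signatures from at least five of the nine validators. The following is an added illustration, not Sky Mavis' or Ronin's code, of how that check behaves when four validator keys are stolen and a stale delegation lets a fifth signature be produced. The validator names, keys and withdrawal fields are constructed for the example, HMAC-SHA256 stands in for the ECDSA signatures real validators produce, and the November 2021 allowlist is modelled as a simple delegation map inside the verifier (an assumption about placement; in practice the allowlist lived on the RPC node that signed for the DAO validator).

```python
import hashlib
import hmac
from dataclasses import dataclass

# Ronin's bridge required 5 of 9 validator signatures to release funds.
THRESHOLD = 5

# Constructed validator set: four nodes run by Sky Mavis, one by the Axie DAO,
# four by other parties. Keys are toy secrets and the names are hypothetical.
VALIDATOR_KEYS = {
    "skymavis-1": b"sm1-key", "skymavis-2": b"sm2-key",
    "skymavis-3": b"sm3-key", "skymavis-4": b"sm4-key",
    "axie-dao": b"dao-key",
    "other-1": b"o1-key", "other-2": b"o2-key",
    "other-3": b"o3-key", "other-4": b"o4-key",
}
SKY_MAVIS = ["skymavis-1", "skymavis-2", "skymavis-3", "skymavis-4"]


def withdrawal_digest(to: str, amount_wei: int, nonce: int) -> bytes:
    """Digest of the withdrawal request that each validator signs."""
    return hashlib.sha256(f"{to}|{amount_wei}|{nonce}".encode()).digest()


def sign(key: bytes, digest: bytes) -> bytes:
    """HMAC-SHA256 stands in for a validator's ECDSA signature (assumption)."""
    return hmac.new(key, digest, hashlib.sha256).digest()


@dataclass
class Bridge:
    keys: dict            # validator id -> signing key
    delegates: dict       # validator id -> set of ids allowed to sign on its behalf
    threshold: int = THRESHOLD

    def approving_validators(self, digest: bytes, sigs: list) -> set:
        """sigs holds (validator whose vote is claimed, id that actually signed, signature).
        Each validator counts at most once, however many signatures arrive in its name."""
        approved = set()
        for claimed, signer, sig in sigs:
            if claimed not in self.keys:
                continue                                    # unknown validator
            if signer != claimed and signer not in self.delegates.get(claimed, set()):
                continue                                    # no delegation on file
            key = self.keys.get(signer)
            if key is None or not hmac.compare_digest(sign(key, digest), sig):
                continue                                    # bad signature
            approved.add(claimed)
        return approved

    def release_ok(self, digest: bytes, sigs: list) -> bool:
        return len(self.approving_validators(digest, sigs)) >= self.threshold


def attacker_signatures(digest: bytes, stolen: dict, dao_delegate: str) -> list:
    """What an attacker holding Sky Mavis' four keys can produce: four direct
    signatures plus one claimed for the Axie DAO validator via the delegated signer."""
    sigs = [(v, v, sign(k, digest)) for v, k in stolen.items()]
    sigs.append(("axie-dao", dao_delegate, sign(stolen[dao_delegate], digest)))
    return sigs


def ronin_scenario(allowlist_revoked: bool) -> bool:
    """True if the forged withdrawal would be released. The stale allowlist is
    modelled as a delegation from axie-dao to skymavis-1 (assumption)."""
    delegates = {} if allowlist_revoked else {"axie-dao": {"skymavis-1"}}
    bridge = Bridge(keys=VALIDATOR_KEYS, delegates=delegates)
    digest = withdrawal_digest("0xattacker", 173_600 * 10**18, nonce=1)
    stolen = {v: VALIDATOR_KEYS[v] for v in SKY_MAVIS}
    return bridge.release_ok(digest, attacker_signatures(digest, stolen, "skymavis-1"))


def duplicate_signer_counts_once() -> int:
    """Replaying one compromised validator's signature five times yields one vote."""
    bridge = Bridge(keys=VALIDATOR_KEYS, delegates={})
    digest = withdrawal_digest("0xattacker", 1, nonce=2)
    sig = sign(VALIDATOR_KEYS["skymavis-1"], digest)
    return len(bridge.approving_validators(digest, [("skymavis-1", "skymavis-1", sig)] * 5))


if __name__ == "__main__":
    print("stale allowlist in place:", ronin_scenario(allowlist_revoked=False))  # True
    print("allowlist revoked:", ronin_scenario(allowlist_revoked=True))          # False
    print("replayed signature votes:", duplicate_signer_counts_once())           # 1
```

Two points a practitioner should take from this: four stolen keys are one short of the threshold, so the unrevoked delegation is what turns a serious compromise into a total one, and the signer deduplication is what stops a single stolen key from being counted five times. A real bridge should also reject signatures from anyone other than the validator itself, or at minimum expire delegations automatically.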