- Given the sheer volume of blockchain protocols, bridges have become a necessary but increasingly vulnerable means by which users can use different cryptocurrencies across different networks.
- While Axie Infinity’s token did take a hit in the immediate aftermath of discovering the hack, it’s since recovered, with Axie Infinity’s creator Sky Mavis, “fully committed” to reimbursing players who were victims of the hack.
Over US$600 million in cryptocurrency was stolen from the Ronin network, a blockchain closely associated with the popular game Axie Infinity.
Although the hack occurred on March 23, it wasn’t until two days ago that Axie Infinity became aware of the compromise.
The Ronin hack demonstrates the risks associated with “bridges”, software that allows blockchains to communicate with one another and send assets across different blockchains, and it comes hot on the heels of the US$300 million hack of Wormhole, another “bridge”, which has the backing of Jump Crypto.
Computers acting as nodes, operated by Axie Infinity creator Sky Mavis and the Axie DAO to support the bridge, were hacked, with some 173,600 Ether and 25.5 million USDC tokens stolen in two transactions.
Given the sheer volume of blockchain protocols, bridges have become a necessary but increasingly vulnerable means by which users can use different cryptocurrencies across different networks.
For instance, it’s not possible to use Bitcoin on the Ethereum network, without first using a bridge that converts the Bitcoin into so-called “wrapped Bitcoin” or wBTC that conforms to the Ethereum network standard.
Bridges play an important role in decentralized finance or DeFi and are a tool that allows users to port cryptocurrency that operates on one blockchain to another, often using an “escrow” type smart contract.
The problem, of course, is that most bridges use open source code or vaporware (copies of open source software) that may be riddled with bugs or unknown vulnerabilities, and many of which are unaudited, allowing hackers to exploit those vulnerabilities.
Bridges are also often run by anonymous developer communities or even individuals, and there isn’t exactly a customer service hotline to dial should issues arise.
And even if there’s a vulnerability in a bridge’s smart contract, once it’s deployed to the blockchain it’s there permanently and can still accept deposits at the smart contract address.
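To make the escrow-and-quorum mechanism concrete, here is an added Python model (not Ronin’s or Sky Mavis’s code) of a lock-and-release bridge whose withdrawals need a validator quorum, paired with a simple off-chain escrow-drain monitor. The validator set, quorum size, escrow balances and the 10% alert threshold are assumptions constructed for the example; the two withdrawal amounts are the figures reported above.

```python
# Added illustration of an escrow-style bridge with a validator quorum and an
# off-chain drain monitor. Not Ronin's code; validator ids, quorum size and
# escrow balances are constructed for the example.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Withdrawal:
    asset: str
    amount: float
    signers: frozenset  # validator ids whose signatures accompany the request

@dataclass
class EscrowBridge:
    validators: frozenset       # validator node ids trusted by the contract
    quorum: int                 # signatures required to release escrowed funds
    balances: dict = field(default_factory=dict)

    def deposit(self, asset: str, amount: float) -> None:
        # Locking an asset credits the escrow; a wrapped token would be minted
        # on the other chain against this balance.
        self.balances[asset] = self.balances.get(asset, 0.0) + amount

    def withdraw(self, w: Withdrawal) -> bool:
        # The contract only counts valid signatures; it cannot tell whether the
        # signing keys are still under the operators' control.
        if len(w.signers & self.validators) < self.quorum:
            return False
        if self.balances.get(w.asset, 0.0) < w.amount:
            return False
        self.balances[w.asset] -= w.amount
        return True

def drain_alerts(escrow_before: dict, withdrawals, max_fraction: float = 0.10):
    """Off-chain monitor: flag withdrawals above max_fraction of an asset's
    escrow (assumed policy value). Alerts lead to pausing the bridge."""
    return [(w.asset, w.amount) for w in withdrawals
            if escrow_before.get(w.asset, 0.0)
            and w.amount / escrow_before[w.asset] > max_fraction]

def ronin_scenario():
    validators = frozenset(f"v{i}" for i in range(9))   # constructed set
    bridge = EscrowBridge(validators, quorum=5)          # assumed quorum
    bridge.deposit("ETH", 180_000.0)                     # constructed balances
    bridge.deposit("USDC", 30_000_000.0)
    before = dict(bridge.balances)
    compromised = frozenset(f"v{i}" for i in range(5))  # keys attacker holds
    txs = [Withdrawal("ETH", 173_600.0, compromised),
           Withdrawal("USDC", 25_500_000.0, compromised)]
    results = [bridge.withdraw(t) for t in txs]
    return results, drain_alerts(before, txs), bridge.balances
```

With a quorum's worth of compromised keys both withdrawals pass the contract's check, which is why the monitor, not the contract, is what catches a drain.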
While Axie Infinity’s token did take a hit in the immediate aftermath of discovering the hack, it’s since recovered, with Axie Infinity’s creator Sky Mavis, “fully committed” to reimbursing players who were victims of the hack.
But even though the hackers made off with substantial amounts of cryptocurrency, they made some inexplicable choices in the getaway vehicle, transferring the stolen amounts to accounts at just two major centralized cryptocurrency exchanges, according to blockchain forensics firm Elliptic.
Sending the stolen crypto to exchanges that have been beefing up KYC and AML requirements makes absolutely no sense and is akin to robbing a bank, then making your getaway by taking a bus from the bus stop just outside the bank.
Typically, hackers would send their stolen crypto to any number of “mixers” which would attempt to obfuscate the flow of the ill-gotten proceeds and rarely, if ever, would the first destination of choice be a major centralized cryptocurrency exchange.
Huobi, FTX, Binance and OKEx have already issued statements stating that they would work with Axie Infinity in the aftermath of the attack, making it virtually impossible for the hackers to ever enjoy the proceeds of their robbery.
Last year, the Poly Network hacker gave back over US$600 million in cryptocurrency that they had stolen, which many suspect had more to do with being unable to spend the cryptocurrency than with an attack of conscience.
The Axie Infinity hacker could well have to suffer the same fate.
Unlike in 2018, a blossoming cottage industry of expert blockchain analytics firms has sprung up to serve this specific purpose – monitoring hacks and keeping tabs on the flow of funds – making efforts to steal cryptocurrency a far less profitable proposition than they used to be.
With dozens of expert firms watching every move of these cryptocurrency wallets, it’s akin to robbing a convenience store with the cops watching your every move thereafter, waiting for you to spend that money so they can pounce on you.