Ronin was a juicy target for a hacker. The blockchain project supports the hugely popular Axie Infinity video game, which, with an estimated 8 million players, has been compared to collectible games like Pokémon Go. Axie Infinity is hot and holds significant amounts of money. Players buy creatures called Axies in the form of NFTs, the unique digital items known as non-fungible tokens. The creatures can breed, fight and even be traded for cold, hard cash. The game has grown in popularity as players see the potential for real money. In 2020, a 22-year-old player from the Philippines reportedly bought two apartments in Manila with his winnings from the game. Last year, another player said he earned more through Axie Infinity and other online games than from his full-time job at Goldman Sachs.

But the foundations of the game face significant security challenges. To play, players must move their money from Ethereum to Ronin over a blockchain “bridge”. Ronin is a “sidechain” of Ethereum: a scaling solution that allows transactions to be made faster than on Ethereum itself, which is congested by the amount of activity it hosts. Hosting the game on this sidechain lets it be developed without losing its functionality. Bridges can hold a lot of money at once, so by targeting the Ronin Bridge that carried players’ assets between blockchains, the hackers took control of those assets and made off with the money.

Creatures called “Axies” are shown in this undated handout image from the blockchain-based game Axie Infinity. Photograph: Sky Mavis/Reuters

The US government said this week that it believed North Korean hackers were behind the robbery. But it is just the latest in a string of high-profile crypto thefts. In 2018, more than $530 million was stolen from the crypto exchange Coincheck. In February, hackers withdrew $320 million from the decentralized finance platform Wormhole (although the loot was eventually returned).

That same month, in what may be the most publicized online robbery case of the year, prosecutors charged the couple Ilya “Dutch” Lichtenstein and his wife, Heather Morgan, who is also known for her improbable TikTok rap persona Razzlekhan, with conspiring to launder billions of dollars’ worth of bitcoin stolen from the crypto exchange Bitfinex in 2016. It is a trend. In 2021, $3.2 billion in cryptocurrency was stolen from individuals and services, according to a cryptocurrency crime report by Chainalysis, a company that provides blockchain data and analysis to banks, governments and other businesses. (Ronin is also working with Chainalysis to trace the funds stolen in the hack, according to Reuters.) That figure is almost six times the amount stolen in 2020. So far this year, more than $1 billion has already been stolen, according to experts at Chainalysis and other security companies.

Vulnerabilities in smart contracts

High-profile hacks and the significant sums of money involved have raised questions about how vulnerable blockchain, long considered a safe haven for storing assets, really is to such breaches. Some experts say that the rise in cryptocurrency thefts is coming as cryptocurrencies are used, and understood, more widely than ever before. “You basically have a lot of money at the table and at a very public table,” said Nicholas Christin, an associate professor at Carnegie Mellon University who studies cybercrime and computer and network security. With large sums of money circulating publicly on these transparent systems, it can be tempting for a hacker to attack.

To understand how these robberies are possible, it is important to distinguish between the blockchain and the other programs that run on it, experts say. The blockchain itself is a decentralized public ledger that allows peer-to-peer transactions. It is the foundation layer on which bitcoin, Ethereum or Solana are built. The second layer, the one people most often interact with, is the smart contracts running on top of the blockchains. Smart contracts are agreements written in code that execute automatically when the terms of the contract are met. The common comparison is to a digital vending machine: choose a product, insert the right amount of money and your product is dispensed automatically. These contracts are irreversible.

Hackers make their way to the money through these second-layer systems either by exploiting bugs in the code or by obtaining private keys that let them into the systems, Christin explained. Some hackers even subvert smart contracts to redirect funds into their own hands. In the Axie Infinity hack, which targeted the Ronin Bridge, the hacker obtained several private keys, which gave them control of the bridge and let them drain the money. Since so many users had their assets on the bridge, the payout was huge.

“The underlying blockchain protocol is secure,” said Ronghui Gu, founder and CEO of blockchain security company Certik. “But the programs – the smart contracts – that run on them are still like other regular programs, which can have software bugs and vulnerabilities.” It is common for hackers to try to exploit the code of one of their targets. And it helps that much of the code for blockchain programs is open source, making it easily accessible to hackers who want to comb through it and find potential bugs. “In this world, people say ‘code we trust,’ but the code itself is not really that reliable,” Gu said. When he started the blockchain security company in 2018, Gu explained, only a few companies used third-party security services like his own to check and evaluate their code, a critical security backstop, but he has since seen that number grow.

Crypto exchanges are also important targets for hacks. Exchanges are like banks: they are central entities that hold huge sums of their users’ money, and their transactions are irreversible. Like bridges, they are intermediary programs that tend to be targeted. “These big exchanges have a huge target on their backs,” Christin said.
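As an added illustration (not code from Ronin, Certik or anyone quoted here) of why a bridge that releases funds on a threshold of validator approvals is only as strong as the independence of the people who custody those keys: the validator set, the operators, the threshold and the HMAC tags standing in for real signatures are all assumptions of this example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed toy bridge: a withdrawal is released once THRESHOLD distinct
# validators approve it. Operators and secrets are made up for the example;
# HMAC tags stand in for the signatures a real validator would produce.
VALIDATORS = {  # validator -> (operator custodying its key, secret key)
    "v1": ("studio", b"k1"), "v2": ("studio", b"k2"), "v3": ("studio", b"k3"),
    "v4": ("studio", b"k4"), "v5": ("partner-a", b"k5"), "v6": ("partner-b", b"k6"),
    "v7": ("partner-c", b"k7"), "v8": ("partner-d", b"k8"), "v9": ("partner-e", b"k9"),
}
THRESHOLD = 5  # approvals required to release funds (assumed value)


def approve(withdrawal: str, secret: bytes) -> str:
    """Approval tag for one withdrawal (stand-in for signing with a private key)."""
    return hmac.new(secret, withdrawal.encode(), hashlib.sha256).hexdigest()


def withdrawal_allowed(withdrawal: str, approvals: dict,
                       validators=VALIDATORS, threshold=THRESHOLD) -> bool:
    """Release only if at least `threshold` known validators gave a valid tag."""
    valid = 0
    for name, tag in approvals.items():
        if name not in validators:
            continue  # unknown signer: ignored, not counted
        expected = approve(withdrawal, validators[name][1])
        if hmac.compare_digest(tag, expected):
            valid += 1
    return valid >= threshold


def operators_to_compromise(validators=VALIDATORS, threshold=THRESHOLD) -> int:
    """Fewest key custodians whose total compromise yields a threshold of keys.
    Keys held by one operator fall together, so this, not the nominal
    threshold, is the real margin a defender should track."""
    per_operator = sorted(Counter(op for op, _ in validators.values()).values(),
                          reverse=True)
    keys = needed = 0
    for count in per_operator:
        keys += count
        needed += 1
        if keys >= threshold:
            break
    return needed


def spread_keys(validators=VALIDATORS) -> dict:
    """Hardened layout: each validator key custodied by a different operator."""
    return {name: (f"op-{i}", secret)
            for i, (name, (_, secret)) in enumerate(validators.items())}
```

With the assumed layout, one operator holding four keys means only two custodians need to fall before the five-of-nine rule is satisfied; spreading the keys raises that to five.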

The victims left with a heavy burden of security

Once crypto assets are stolen, it can be a challenge for the thieves to cash out, especially if the robbery runs to nine figures. This means that funds often sit at a dead end for years, or even indefinitely. During this period, the value of the stolen funds may fluctuate because of the volatile nature of the crypto market. The Chainalysis crypto crime report estimates that criminals currently hold cryptocurrency worth at least $10 billion, the vast majority of it obtained through theft. Thanks to the transparency of the blockchain, it is possible to trace these transactions and holdings, but the identity of the perpetrator is hard to determine until the money is cashed out. One can look at the Bitfinex scandal as a case study in an attempted money-laundering operation. “The funds did not move for a very long time. And then, when they tried to start the laundering process, it was an opportunity for law enforcement to get involved again, because people are following these hacks,” said Kim Grauer, director of research at Chainalysis.

For the systems that are victimized, there are few ways to recover assets. “If a bank’s security fails, it’s not so bad for the bank,” said Ethan Heilman, a cybersecurity expert and co-founder of cloud service BastionZero. “But if you are a cryptocurrency exchange and someone empties all your cryptocurrency, that is very bad for you.” Banks have introduced measures to protect their customers that are missing from the blockchain. If someone’s credit card is stolen, insurance policies ensure that they will usually get that money back. On the blockchain, however, transactions are irreversible: there is no undo button. This places a huge security burden on individual users to keep their assets safe. “End users may not necessarily be aware of the security risks they face,” Christin said. “Honestly, even the locals do not have time to necessarily go and check the source code of smart contracts.” If someone entrusts their keys to the wrong second-layer intermediary, they are more likely to be robbed. Collectively, most people are not accustomed to this responsibility.

Crypto companies are starting to take security more seriously, Heilman said, but a world without hacks is unrealistic, he added. “You never become safe, you just become safer,” he said. “Given the ease of revenue generated by a vulnerability in one of these systems, I think it is likely that we will continue to see things being compromised, and the question will not be ‘is there a new hack this month?’ It will be: ‘how frequent are hacks this month?’” “There are important things that the industry needs to overcome in order to really grow and scale,” Grauer said, “because you cannot have a healthy growing industry if everyone is afraid they will be hacked.”