L.last month, hackers escaped with what then cost more than $ 500 million from Ronin’s cryptocurrency network systems, considered the second-largest cryptocurrency theft in history.
Ronin was a juicy target for a hacker. The blockchain project supports the hugely popular video game Axie Infinity, which with approximately 8 million players has been compared to collectible action games such as Pokémon Go.
Axie Infinity is hot and involves significant sums of money. Players buy creatures called Axies, in the form of NFT, unique digital assets known as irreplaceable tokens. Creatures can reproduce, fight, and even be exchanged for cold, hard money.
The game has swelled in popularity as players see the potential to make real money. In 2020, a 22-year-old player from the Philippines reportedly bought two apartments in Manila with his winnings from the game. Last year, another player said he earned more through Axie Infinity and other online games than from his full-time job at Goldman Sachs.
But the basics of the game face significant security challenges. To play, gamers must transfer their money from Ethereum to Ronin on a blockchain “bridge” system. Ronin is Ethereum’s side chain, a scaling solution that allows transactions to happen faster than Ethereum, which is overloaded with the amount of activity it hosts. Hosting the game in this side chain ensures that it can grow without losing functionality. Bridges can hold a lot of money at once, so by heading to Ronin’s bridge, which transfers players’ assets between blockchains, hackers take control of the assets and squander the money.
The U.S. government said this week that it believed North Korean hackers were behind the robbery. But this is just the latest in a series of brazen thefts of cryptocurrency. In 2018, more than $ 530 million was stolen from the Coincheck cryptocurrency exchange. In February, hackers escaped $ 320 million from the decentralized financial platform Wormhole (although the loot was eventually returned). And in the same month, in perhaps the most publicized cyber theft of the year, prosecutors accused the strange couple Ilya “Netherlands” Liechtenstein and his wife Heather Morgan – also known for their incredible rap on TikTok as Razzlekhan – in a conspiracy to launder bitcoins worth billions of dollars stolen from the crypto exchange Bitfinex in 2016
This is a trend. In 2021, $ 3.2 billion in cryptocurrency was stolen from individuals and services, according to a report on cryptocurrencies by Chainalysis, a company that provides blockchain data and analysis to banks, governments and other businesses. (Ronin is also working with Chainalysis to track the funds stolen from the hack, according to Reuters.) The figure is nearly six times that amount stolen in 2020. So far, more than $ 1 billion has been stolen this year, according to experts at Chainalysis and others. security companies.
Vulnerabilities in smart contracts
High-profile hacks and significant sums of money have raised questions about how vulnerable the blockchain – long considered a safe place to store assets – is to such breaches.
Some experts say the increase in cryptocurrency theft reports is coming because cryptocurrency is more widely used and better understood than ever.
“Basically, you have a lot of money at the table and a lot in public,” said Nicholas Christine, an associate professor at Carnegie Mellon University who studies online crime and computer and network security. With large sums of money moving publicly through these transparent systems, it can be tempting for a hacker to pounce.
To understand how these thefts are possible, it is important to distinguish between blockchain and other programs that work on it, experts say. The blockchain itself is a decentralized public book that allows transactions from equal partners. This is the main layer on which bitcoin, Ethereum or Solana are built.
The second layer – the one that is often used – are smart contracts that work on the blockchain. Smart contracts are code-based agreements that are executed automatically when the terms of the contract are met. The general analogy is with a digital vending machine – choose a product, invest the right amount of money and your item will be automatically distributed. These contracts are irreversible.
Hackers are making their way to the money through these second-tier systems, taking advantage of either code errors or obtaining private keys that will be released into the systems, Christine explained. Some hackers even undermine smart contracts to redirect funds into their own hands.
In the Axie Infinity hack, which was aimed at Ronin’s bridge, the hacker received enough private keys to control the bridge and drain the funds. Because so many consumers had their assets in the bridge, the payout was huge.
“The core blockchain protocol is secure,” said Ronghui Gu, founder and CEO of blockchain security firm Certik. “But programs – smart contracts – working on them are still like other normal programs that can have software bugs and vulnerabilities.
It is common for hackers to try to exploit the code for one of their purposes. And it helps that much of the code for blockchain programs is open source, making it easily accessible to hackers who want to review the code and find potential bugs.
“In this world, people say ‘in the code we trust,’ but the code itself isn’t really that reliable,” Gu said. When he launched his blockchain security company in 2018, Gu explained that only a few companies have used third-party security services like his to audit and evaluate their code – a critical security safeguard – but he sees that the number is gradually increasing.
Crypto exchanges are also a major target for hacks. Exchanges are like banks, they are central entities that hold huge sums of money to their consumers and transactions are irreversible. Like bridges, they are an intermediary program that tends to be targeted. “These big exchanges have a huge purpose behind them,” Christine said.
The victims remained with great burden on security
Once crypto assets are stolen, it can be a challenge for thieves to withdraw money, especially if the robbery is in the nine-digit range. This means that funds often remain unknown for years or even indefinitely. During this time, the value of stolen funds may vary due to the volatile nature of the crypto market.
The Chainalysis cryptocurrency report estimates that criminals currently hold at least $ 10 billion in cryptocurrency, most of it obtained through theft. Thanks to the transparency of the blockchain, it is possible to trace these transactions and holdings, but the identity of the perpetrator is difficult to establish until the funds are cashed.
One can view the Bitfinex scandal as a case of attempted laundering. “The funds have not been moving for a very long time. And then, when they tried to initiate the laundering process, it was an opportunity for law enforcement to get involved again, because people are following these hacks, “said Kim Grauer, director of research at Chainalysis.
For victims of schemes, there are several ways to recover assets. “If a bank’s security fails, it’s not so bad for the bank,” said Ethan Heilman, a cybersecurity expert and co-founder of the BastionZero cloud service. “But if you’re a cryptocurrency exchange and someone empties your entire cryptocurrency, that’s really bad for you.” Banks have measures to protect their customers that are missing from the blockchain. If someone’s credit card is stolen, insurance policies guarantee that the person will usually get that money back. In the blockchain, however, transactions are irreversible – there is no cancel button.
This means that there is a huge burden of security on individual users to keep their assets safe. “End users may not necessarily be aware of the security risks they take,” Christine said. “Honestly, even people in this field don’t necessarily have time to go and review some smart contract source code.”
If someone entrusts their keys to the wrong middleman, it is possible to become a victim of a robbery. In general, most are not accustomed to this responsibility.
Crypto companies are starting to get more serious about security, Heilman said, but a world without hacks is unrealistic, he added. “You never get sure, you just get more sure,” he said. So given the ease of monetizing a vulnerability in one of these systems, I think it’s likely that we’ll continue to see how things are being hacked, and the question won’t be, “Is there a new hack this month?” are hacks common this month? ”
“There are important things that the industry needs to overcome in order to really grow and scale,” Grauer said, “because you can’t have a healthy industry if everyone is afraid of being hacked.”