A quick Google search tells me that the biggest bank heist in history took place in Baghdad, Iraq, where $282 million was stolen. It is suspected that it was an inside job, orchestrated by several bank guards. The average bank robbery in America, meanwhile, is apparently $6,500.
It’s easy to lose perspective when reading about these vast amounts of money in crypto. But against the above real-world figures, it really hits home how large the latest hack in crypto is.
Axie Infinity is a blockchain-based trading and battling game where players can breed, raise and trade token-based creatures called Axies. It is one of the biggest success stories in crypto gaming; at a market cap of $3.9 billion, it sits inside the top 50 cryptos.
Last week, Axie was hacked for $625 million. And nobody noticed.
Bye Bye $625 million
Yesterday, it was revealed that $625 million was swiped from Ronin, the blockchain underlying Axie. The theft was disclosed in a statement on Substack, but the hack itself occurred six days earlier. “There has been a security breach”, the statement starts off. Yeah, there certainly has.
The Ronin bridge, which handles deposits into and withdrawals out of Ronin, was exploited for 173,600 ETH (close to $600 million) and $25.5 million of the stablecoin USDC. Importantly, Sky Mavis did confirm that the Axie NFTs (needed to play Axie Infinity), as well as the in-game currencies AXS and SLP, were safe. But it is a staggering case of negligence with regard to custody of investor funds.
We caught up with Ahmad Duais, CEO of Battle Drones, which is a play-to-earn game on the Solana blockchain, in order to get some thoughts from within the industry. He said “bridges are still an area of development. The GameFi model is such a revolution that in the near future we will all look back at this as a learning curve similar to the hacks that have occurred at the start of any innovation."
How?
Sky Mavis, who run both Axie Infinity and Ronin, stated that “the attacker used hacked private keys in order to forge fake withdrawals”. The attack was only discovered yesterday, when a user was unable to withdraw 5,000 ETH ($17 million) from the bridge. By then the hacker had already drained it, six days earlier, in two forged withdrawals.
In other words, the attacker got hold of the signing keys of Sky Mavis’ own validators and, together with the signature of one further third-party validator, had enough of the bridge’s validator set to authorise withdrawals that looked entirely legitimate to the bridge. A bridge that releases funds on a quorum of validator signatures is only as secure as the custody of those keys. Not only did Sky Mavis let the keys be compromised, it took them nearly a week to notice they had a $600 million hole on their balance sheet.
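To make the mechanism concrete, here is an added toy model of a validator-signed bridge, written for this page rather than taken from Sky Mavis or Ronin. Validator signatures are modelled with HMAC-SHA256 secrets (an assumption standing in for real validator keys), the validator count, quorum and reserve are illustrative numbers rather than Ronin’s exact configuration, and the `audit` check is the kind of independent monitoring that would have flagged the drain the moment it landed instead of six days later when a user’s withdrawal failed.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

WEI = 10**18  # 1 ETH in wei

def make_validators(n):
    # Each validator holds a secret signing key. In a real bridge this is the
    # private key an attacker has to steal; here an HMAC secret stands in
    # (assumption: HMAC replaces the validators' real signature scheme).
    return {f"validator-{i}": secrets.token_bytes(32) for i in range(n)}

def withdrawal_message(recipient, amount_wei, nonce):
    # Canonical encoding of exactly what the validators attest to.
    return json.dumps(
        {"to": recipient, "amount": amount_wei, "nonce": nonce}, sort_keys=True
    ).encode()

def sign(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

@dataclass
class Bridge:
    validator_keys: dict            # validator name -> signing key
    quorum: int                     # distinct signatures needed to release funds
    reserve_wei: int                # ETH locked in the bridge
    used_nonces: set = field(default_factory=set)
    withdrawals: list = field(default_factory=list)

    def withdraw(self, recipient, amount_wei, nonce, signatures):
        """Release funds if a quorum of distinct validators signed this exact
        withdrawal. `signatures` maps validator name -> signature bytes."""
        msg = withdrawal_message(recipient, amount_wei, nonce)
        valid = {
            name for name, sig in signatures.items()
            if name in self.validator_keys
            and hmac.compare_digest(sign(self.validator_keys[name], msg), sig)
        }
        if len(valid) < self.quorum:
            return False
        if nonce in self.used_nonces or amount_wei > self.reserve_wei:
            return False
        self.withdrawals.append((recipient, amount_wei, nonce, self.reserve_wei))
        self.used_nonces.add(nonce)
        self.reserve_wei -= amount_wei
        return True

def forge_withdrawal(bridge, stolen_keys, recipient, amount_wei, nonce):
    # With stolen keys the attacker signs exactly like the honest validators;
    # the bridge cannot distinguish a forged withdrawal from a genuine one.
    msg = withdrawal_message(recipient, amount_wei, nonce)
    sigs = {name: sign(key, msg) for name, key in stolen_keys.items()}
    return bridge.withdraw(recipient, amount_wei, nonce, sigs)

def audit(bridge, max_single_ratio=0.05):
    """Independent monitoring check run off-chain over the bridge's history:
    flag any withdrawal that moved more than max_single_ratio of the reserve
    held at that moment. Returns a list of alert strings."""
    alerts = []
    for recipient, amount, nonce, reserve_before in bridge.withdrawals:
        if amount > reserve_before * max_single_ratio:
            alerts.append(
                f"nonce={nonce} to {recipient}: {amount // WEI} ETH, "
                f"{amount / reserve_before:.0%} of reserve"
            )
    return alerts

def run_scenario():
    """Constructed scenario: 9 validators, quorum of 5, 175,000 ETH locked
    (illustrative numbers, an assumption rather than Ronin's real setup)."""
    keys = make_validators(9)
    names = list(keys)
    bridge = Bridge(validator_keys=keys, quorum=5, reserve_wei=175_000 * WEI)

    # Four stolen operator keys are one short of the quorum: rejected.
    four = {n: keys[n] for n in names[:4]}
    blocked = forge_withdrawal(bridge, four, "0xattacker", 173_600 * WEI, nonce=1)

    # One more validator key and the same forged withdrawal is accepted.
    five = {n: keys[n] for n in names[:5]}
    drained = forge_withdrawal(bridge, five, "0xattacker", 173_600 * WEI, nonce=1)

    # Later a user's properly signed 5,000 ETH withdrawal fails because the
    # reserve is gone: this is how the theft is finally noticed.
    honest = {n: keys[n] for n in names[4:]}
    msg = withdrawal_message("0xuser", 5_000 * WEI, 2)
    user_ok = bridge.withdraw(
        "0xuser", 5_000 * WEI, 2, {n: sign(k, msg) for n, k in honest.items()}
    )

    return {
        "blocked_with_4_keys": blocked,
        "drained_with_5_keys": drained,
        "user_withdrawal_ok": user_ok,
        "reserve_eth": bridge.reserve_wei // WEI,
        "alerts": audit(bridge),   # the drain is flagged as soon as it lands
    }
```

The point of the scenario is that no bug in `Bridge.withdraw` is needed: every signature verifies, so the contract does precisely what it was built to do. The defences that matter live outside the signature check, in how many independent parties hold keys, whether any one operator can reach the quorum on its own, and whether anyone is watching the reserve.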
Funds
It is one of the two biggest crypto hacks of all time, alongside the Poly Network hack last summer, although in that case the funds were returned by the hacker. Here, Ronin confirmed they are “working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed”. Whether they succeed is an entirely different story, however; as of right now, any players who deposited money into Ronin have lost it all.
Etherscan shows the location of the funds
Blockchain being blockchain, however, the location of the funds can be seen at the moment, with all $600 million of ETH nestling comfortably in the wallet shown above on the Ethereum blockchain.
The blockchain also allows messages to be included in transactions, as the transaction’s input data. Digging through the hacker’s wallet, you can see several investors who lost their funds have desperately tried to appeal to any human side that may exist within the hacker’s mind.
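Those messages are just bytes in the transaction’s `input` field, shown on Etherscan as hex. The helper below, added for this page (it is not the article’s or Etherscan’s code), tells a human-readable message apart from a normal contract call; the sample inputs are constructed, not the real transactions in the hacker’s wallet.

```python
def decode_tx_input(input_hex):
    """Classify the hex `input` field of an Ethereum transaction.
    Returns ("empty", "") for a plain ETH transfer, ("text", message) when
    the data is human-readable UTF-8 (how people write to a wallet), or
    ("calldata", selector) for an ABI-encoded contract call, whose first
    four bytes identify the function being called."""
    hex_body = input_hex[2:] if input_hex.startswith("0x") else input_hex
    raw = bytes.fromhex(hex_body)
    if not raw:
        return ("empty", "")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = None
    # Require every character to be printable so that zero-padded ABI
    # arguments are not mistaken for a message.
    if text is not None and all(c.isprintable() or c in "\n\r\t" for c in text):
        return ("text", text)
    return ("calldata", "0x" + raw[:4].hex())

# Constructed sample inputs, not the real hacker-wallet transactions.
SAMPLE_INPUTS = {
    "plea": "0x" + "Please return the funds, my family lost everything".encode().hex(),
    # transfer(address,uint256) selector followed by two 32-byte arguments
    "erc20_transfer": "0xa9059cbb" + "00" * 64,
    "plain_transfer": "0x",
}

def decode_samples():
    return {name: decode_tx_input(h) for name, h in SAMPLE_INPUTS.items()}
```

The printable-UTF-8 test is a heuristic: short calldata that happens to decode cleanly would be reported as text, so treat the result as a triage hint and check the selector against a signature database when it matters.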
A victim cries out to the hacker on Etherscan
It’s also a stark reminder that for all the progress DeFi has made, it remains a nascent industry laced with risk. It’s going to exciting places, but the journey at times may be rocky, as it is for any new industry. This week delivered 625 million examples of that.