Last month, hackers got away with what was then worth more than $500 million from the Ronin cryptocurrency network, in what is believed to be the second-largest cryptocurrency heist on record.
Ronin was a juicy target for a hacker. The blockchain project supports the hugely popular video game Axie Infinity, which with around 8 million players has drawn comparisons to action-oriented collecting games like Pokémon Go.
Axie Infinity is hot and involves serious amounts of money. Players buy creatures called Axies in the form of NFTs, unique digital assets known as non-fungible tokens. Creatures can breed, fight, and even be exchanged for cash.
The game has grown in popularity as players see the potential to win real money. In 2020, a 22-year-old Filipino player reportedly bought two apartments in Manila with his winnings from the game. Last year, another gamer said he earned more from Axie Infinity and other online games than from his full-time job at Goldman Sachs.
But the foundations of the game face significant security challenges. To play, players must transfer their money from Ethereum to Ronin over a blockchain “bridge” system. Ronin is an Ethereum “sidechain” – a scaling solution that allows transactions to happen faster than on Ethereum, which is congested by the amount of activity it hosts. Hosting the game on this sidechain ensures that it can grow without losing functionality. Bridges can hold a lot of cash at once, so by targeting the Ronin Bridge, which transferred player assets between the two blockchains, the hackers took control of those assets and made off with the cash.
The US government said this week it believed North Korean hackers were behind the heist. But this is just the latest in a series of brazen high-profile crypto thefts. In 2018, over $530 million was stolen from the Coincheck crypto exchange. In February, hackers seized $320 million from the decentralized financial platform Wormhole (although that loot was eventually returned). And during that same month, in perhaps the most high-profile cyber heist of the year, prosecutors charged a bizarre couple, Ilya “Dutch” Lichtenstein and his wife, Heather Morgan – also known for her wacky rapping on TikTok as Razzlekhan – with conspiracy to launder billions of dollars’ worth of bitcoin stolen from the crypto exchange Bitfinex in 2016.
It’s a trend. In 2021, $3.2 billion worth of cryptocurrency was stolen from individuals and services, according to a crypto crime report from Chainalysis, a company that provides blockchain data and analytics to banks, governments and other businesses. (Ronin is also working with Chainalysis to trace the funds stolen in the hack, according to Reuters.) The figure is nearly six times the amount stolen in 2020. So far this year, more than $1 billion has already been stolen, according to experts at Chainalysis and other security companies.
Vulnerabilities in smart contracts
The high-profile hacks and large sums of money involved have raised questions about the vulnerability of the blockchain – long considered a safe place to store assets – to such breaches.
Some experts say the rise in reports of cryptocurrency theft comes as cryptocurrency is more widely used and better understood than ever.
“You basically have a lot of money on the table, and on a very public table,” said Nicholas Christin, an associate professor at Carnegie Mellon University who studies online crime and computer and network security. With large sums of money publicly flowing through these transparent systems, it can be tempting for a hacker to pounce.
To understand how these heists are possible, it’s important to distinguish between the blockchain and the other programs that run on it, experts say. The blockchain itself is a decentralized public ledger that enables peer-to-peer transactions. It is the fundamental layer on which Bitcoin, Ethereum and Solana are built.
The second layer – the frequently exploited one – is the smart contracts that run on top of blockchains. Smart contracts are coded agreements that execute automatically when the terms of the contract are met. The common analogy is that of a digital vending machine – select a product, put in the right amount of money and your item is dispensed automatically. These contracts are irreversible.
Hackers make their way to money through these second-layer systems by taking advantage of bugs in the code or obtaining the private keys that will allow them to access the systems, Christin explained. Some hackers even subvert smart contracts to redirect funds into their hands.
In the Axie Infinity hack, which targeted the Ronin Bridge, the hacker obtained enough private keys to control the bridge and drain the funds. Since so many users had their assets in the bridge, the payout was huge.
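The threshold approval a bridge relies on, as described above, modelled as an added example that is not code from Ronin or any project: the validator ids, the constructed 3-of-5 threshold and the HMAC stand-in for real signatures are all assumptions, and the point is that once enough validator keys are held by one party, the contract logic itself offers no further protection.

```python
# Threshold-approval model of a bridge vault (added illustration, not Ronin's
# or any project's code). HMAC-SHA256 with a per-validator secret stands in for
# the real signature scheme, an assumption made to keep this stdlib-only.
import hashlib
import hmac
import json


def sign(key: bytes, message: bytes) -> bytes:
    """Validator signature stand-in: keyed MAC over the canonical message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def canonical(withdrawal: dict) -> bytes:
    """Deterministic encoding so every validator signs identical bytes."""
    return json.dumps(withdrawal, sort_keys=True, separators=(",", ":")).encode()


class BridgeVault:
    def __init__(self, validator_keys: dict, threshold: int, balance: int):
        self.validator_keys = validator_keys   # validator id -> secret key
        self.threshold = threshold             # distinct signers required
        self.balance = balance
        self.spent_nonces = set()              # replay protection

    def release(self, withdrawal: dict, signatures: dict) -> bool:
        """Pay out only if >= threshold distinct validators signed this exact
        withdrawal, its nonce is unused and the vault can cover the amount."""
        msg = canonical(withdrawal)
        valid = {vid for vid, sig in signatures.items()
                 if vid in self.validator_keys
                 and hmac.compare_digest(sign(self.validator_keys[vid], msg), sig)}
        if len(valid) < self.threshold or withdrawal["nonce"] in self.spent_nonces:
            return False
        if withdrawal["amount"] > self.balance:
            return False
        self.spent_nonces.add(withdrawal["nonce"])
        self.balance -= withdrawal["amount"]
        return True


def payout_with_keys(keys_held: int, threshold: int = 3, validators: int = 5) -> bool:
    """Constructed scenario: a party holding `keys_held` validator keys asks for
    the whole balance. True means the vault paid, i.e. custody of that many keys
    was all that stood between the requester and the funds."""
    keys = {f"v{i}": f"secret-{i}".encode() for i in range(validators)}
    vault = BridgeVault(keys, threshold, balance=1_000)
    w = {"to": "0xCONSTRUCTED", "amount": 1_000, "nonce": 1}
    sigs = {vid: sign(keys[vid], canonical(w)) for vid in list(keys)[:keys_held]}
    return vault.release(w, sigs)
```

Holding one key fewer than the threshold gets nothing; holding the threshold gets everything, which is why key custody, not contract code, decides a bridge's security.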
“The underlying blockchain protocol is secure,” said Ronghui Gu, founder and CEO of blockchain security firm Certik. “But the programs – the smart contracts – that run on it are still like other normal programs, which may have software bugs and vulnerabilities.”
It is common for hackers to attempt to exploit the code of one of their targets. And it helps that much of the code for blockchain programs is open source, making it easily accessible to hackers who want to examine the code and find potential bugs.
“In this world, people say ‘in the code we trust,’ but the code itself is indeed not so trustworthy,” Gu said. When he started his blockchain security business in 2018, Gu said, only a few companies used third-party security services like his to audit and assess their code — a critical safety net — but he’s seen the number gradually increase.
Crypto exchanges are also major targets for hacks. Exchanges are like banks: they are central entities that hold massive amounts of their users’ money, and the transactions are irreversible. Like bridges, they are an intermediate program that tends to be targeted. “These big exchanges have a huge target on their back,” Christin said.
Victims left with a big security burden
Once crypto assets are stolen, it can be difficult for thieves to cash out, especially if the heist is in the nine-figure range. This means funds are often left in limbo for years or even indefinitely. Meanwhile, the value of the stolen funds may fluctuate due to the volatile nature of the crypto market.
The Chainalysis Crypto Crime Report estimates that criminals are currently holding at least $10 billion worth of cryptocurrency, the vast majority obtained through theft. Thanks to the transparency of the blockchain, it is possible to trace these transactions and assets, but the identity of the perpetrator is difficult to determine until the funds are cashed out.
The Bitfinex case can be seen as a case study in attempted money laundering. “The funds have not moved for a very long time. And then when they tried to initiate the laundering process, that was an opportunity for law enforcement to get involved again, because people are following these hacks,” said Kim Grauer, research director at Chainalysis.
For victims of such schemes, there are few ways to recover assets. “If a bank’s security fails, that’s not so bad for the bank,” said Ethan Heilman, cybersecurity expert and co-founder of cloud service BastionZero. “But if you’re a cryptocurrency exchange and someone dumps all your cryptocurrency, that’s really bad for you.” Banks have measures in place to protect their customers that the blockchain lacks. If your credit card is stolen, insurance policies usually guarantee that you will get that money back. On the blockchain, however, transactions are irreversible – there is no undo button.
This means there is a huge security burden on individual users to protect their assets. “End users aren’t necessarily aware of the security risks they’re incurring,” Christin said. “Quite frankly, even people in the field don’t necessarily have the time to go and review the source code of a smart contract.”
If you entrust your keys to the wrong second-layer intermediary, that intermediary may be the one that gets robbed. Collectively, most users are unaccustomed to this responsibility.
Crypto companies are starting to take security more seriously, Heilman said, but a hack-free world is unrealistic, he added. “You never become safe, you just become safer,” he said. “So given how easy it is to monetize a vulnerability in one of these systems, I think it’s likely that we’ll continue to see things get hacked, and the question won’t be, ‘is there a new hack this month?’ It will be: ‘how frequent are the hacks this month?’”
“There are important things the industry has to overcome to really grow and evolve,” Grauer said, “because you can’t have a healthy growing industry if everyone is afraid of being hacked.”