- Axie Infinity’s Ronin bridge was attacked ten days ago, with $600 million in ETH and USDC drained after attackers accessed Sky Mavis validator nodes.
- Since then, it has become clear, as it always does, that the people who gain the most from crypto ecosystems are also the ones who lose the least when things go sideways.
Axie Infinity has become the face of the blockchain play-to-earn gaming ecosystem, with its gaming platform attracting 2.5 million daily active users. However, earlier this week, it revealed it was the latest victim of an attack in which $600 million in Ether and USDC were drained from its Ronin bridge. As it has emerged since then, the people at the bottom of the pyramid, upon whose shoulders Axie and other platforms become multi-billion dollar enterprises, are still the ones taking the biggest hit.
As CNF reported, Sky Mavis, the company behind Axie Infinity, announced on March 30 that it had discovered an attack that took place a week earlier, on March 23. The attackers stole 173,600 ETH and 25.5 million USDC. That Sky Mavis noticed the attack only a week later, when a user tried and failed to withdraw 5,000 ETH, is worrying in itself, as Securitize Capital CEO Wilfred Daye opined.
The blockchain trilemma and how Ronin was breached
So, first off, what is the Ronin bridge? It goes back to Ethereum and its scaling issues. Axie Infinity runs on Ethereum, but due to the very high transaction costs, Sky Mavis had to find a way to keep running that wasn’t prohibitive to the users, many of whom are from developing nations and depend on the game to make money to feed their families and pay rent.
Sky Mavis opted for a sidechain (a private blockchain that runs on top of Ethereum and removes the need to pay Ethereum’s very high fees), initially partnering with Loom Networks in 2020. However, the company later decided to eliminate the middleman and developed its own sidechain, known as Ronin.
Due to recent events, we will be shutting down our Loom Validator today and migrating Land and Items to a new scaling solution over the coming months. https://t.co/lgoCcRnqQb
— Axie Infinity🦇🔊 (@AxieInfinity) March 15, 2020
As the blockchain trilemma dictates, by solving scalability, developers often have to sacrifice either decentralization or security, and for Sky Mavis, it was both. After all, the more centralized a system gets, the more insecure it consequently becomes.
So, back to Ronin. Being a private blockchain, Ronin operates on the proof-of-authority consensus mechanism, which is much more centralized than proof of work or even proof of stake. In PoW, transactions are validated by thousands of nodes, but in PoA, only a small set of validator nodes is needed, and these are picked by the operator, in this case Sky Mavis. This makes such a system dangerously centralized and easy to infiltrate.
For Ronin, there were only nine validator nodes, which in retrospect sounds ludicrous for a channel that was processing tens of millions of dollars in in-game assets for over two million users daily.
This turned out to be Ronin’s Achilles’ heel. As Sky Mavis revealed in a post mortem, the attacker(s) gained access to the company’s systems and took control of its four validator nodes. They then managed to gain control of a fifth validator node run by Axie DAO, an organization built to support developers in the ecosystem.
With a majority of the validator nodes, the attacker(s) could do whatever they wanted, and they chose to drain the Ronin bridge of the ETH and USDC.
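To put the validator arithmetic above in concrete terms, the following Python example (added here, not code from Sky Mavis or the Ronin project) counts how many independent operators must be compromised before a simple majority of validator signatures is reached. The four operators other than Sky Mavis and Axie DAO are constructed placeholders, since their names are not given here, and the `min_independent` policy value is an assumption.

```python
from collections import Counter

def quorum(n_validators):
    """Simple majority, matching "a majority of the validator nodes"."""
    return n_validators // 2 + 1

def min_operators_to_reach_quorum(validators, threshold):
    """Smallest set of operators whose validators together meet the threshold.

    `validators` maps validator id -> operating organisation. Taking the
    largest operators first is optimal because each one only adds a count.
    """
    chosen, total = [], 0
    for operator, count in Counter(validators.values()).most_common():
        if total >= threshold:
            break
        chosen.append(operator)
        total += count
    if total < threshold:
        raise ValueError("threshold exceeds the number of validators")
    return chosen, total

def audit(validators, threshold, min_independent=3):
    """Fail the set if fewer than `min_independent` operators (assumed policy)
    have to be compromised to sign on behalf of the whole validator set."""
    chosen, total = min_operators_to_reach_quorum(validators, threshold)
    return {
        "validators": len(validators),
        "threshold": threshold,
        "operators_needed": len(chosen),
        "operators": chosen,
        "signatures_controlled": total,
        "pass": len(chosen) >= min_independent,
    }

# Nine validators as described above: four run by Sky Mavis, one by Axie DAO.
# The remaining four operator names are constructed placeholders.
RONIN_LIKE = {f"v{i}": "Sky Mavis" for i in range(1, 5)}
RONIN_LIKE["v5"] = "Axie DAO"
RONIN_LIKE.update({f"v{i}": f"operator-{i}" for i in range(6, 10)})

# Constructed contrast case: the same nine validators, one operator each.
DISTRIBUTED = {f"v{i}": f"operator-{i}" for i in range(1, 10)}

if __name__ == "__main__":
    for name, vset in (("ronin-like", RONIN_LIKE), ("distributed", DISTRIBUTED)):
        print(name, audit(vset, quorum(len(vset))))
```

Counting operators rather than nodes is the point: nine validators with a threshold of five looks like a five-party control, but here it collapses to two organisations.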
Deposits & Withdrawals on Ronin Network Partially Resumed https://t.co/LRZ4GPz9mQ
— Binance (@binance) April 2, 2022
The Axie Infinity fallout and why it’s the little man that feels the effect
Since then, Sky Mavis has pledged to make whole the players whose funds were lost in the attack, although the details as to how it will do this remain unknown. However, in the past, we have seen deep-pocketed investors compensate retail users for exploits, most recently Jump Trading, a Chicago firm that backs the Wormhole bridge connecting Solana and Ethereum that was exploited for $320 million. Jump Trading offered to refund the investors whose funds were taken.
With Sky Mavis, however, it’s still unclear as to whether the powerful backers will be the ones to compensate the investors. The company counts Andreessen Horowitz, Accel and Paradigm as investors from its latest funding round in October last year where it raised $152 million at a $3 billion valuation.
Mark Cuban, the billionaire who used to be anti-Bitcoin but is now an outspoken fan, and Reddit co-founder Alexis Ohanian (who raised $200 million to invest in Web3 in December) are also investors in Sky Mavis, as is Animoca Brands, the company behind The Sandbox.
But whatever happens with Ronin, these billionaires and venture capital funds are the ones to feel the least heat, despite being the biggest gainers.
Catherine Flick, associate professor in computing and social responsibility at De Montfort University in the U.K., opined:
In terms of who gets harmed the most by this, it’s not the venture capitalists. Even a few days’ delay in refilling the bridge, that’s going to affect someone feeding their family or paying bills, and in much, much greater a way than having a bit of a blip on someone’s investment portfolio.