Welcome to the free (weekly) version of GamesTX. Subscribe to the paid daily version below.
Given I recently wrote ‘the anti-bear case for Axie Infinity’, how does the $620 million hack of its Ronin blockchain’s Ethereum bridge stack up?
For one thing, it’s important not to trivialize the situation.
As measured on the Rekt leaderboard of blockchain hacks, this is the #1 hack of all time, beating out the $610 million Poly Network hack from August 2021.
(Although pedantically the Ronin hack has now been disputed as being $552 million.)
Also, given it’s long been understood that bridges between blockchains are a major vulnerability — they’re the most centralized parts of infrastructure and hold large amounts of value — it’s surprising just how easy this hack was to pull off.
There wasn’t any clever coding involved. Of the nine validator nodes, the attacker needed to control five of them. That was achieved by gaining access to the four nodes run by Sky Mavis and the node run by the Axie Infinity DAO, to which Sky Mavis had special access thanks to a temporary fix to ease congestion in late 2021 that was never revoked.
This is very sloppy security; something Sky Mavis has now rectified (in part) by requiring eight of the nine validators to agree before a transaction is cleared through the bridge. More validators will be added in future.
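To make the quorum failure concrete, here is an added Python model (not Sky Mavis’s or Ronin’s code; validator and operator names are constructed) that counts how many validator keys a single operator effectively holds once delegations are included, and checks whether that alone reaches the bridge’s signing threshold at 5-of-9 versus 8-of-9.

```python
from collections import Counter

# Constructed validator set: validator name -> organisation that operates it.
# Four validators belong to one operator, one to the DAO, four to independents.
VALIDATORS = {
    "validator-1": "operator-a",
    "validator-2": "operator-a",
    "validator-3": "operator-a",
    "validator-4": "operator-a",
    "dao-validator": "dao",
    "validator-6": "operator-b",
    "validator-7": "operator-c",
    "validator-8": "operator-d",
    "validator-9": "operator-e",
}

# Constructed delegation grant: the DAO's signing right was handed to operator-a
# as a temporary measure and never revoked, mirroring the article's account.
DELEGATIONS = {"dao-validator": "operator-a"}


def effective_holder(name, validators=VALIDATORS, delegations=DELEGATIONS):
    """Who can actually produce this validator's signature right now."""
    return delegations.get(name, validators[name])


def keys_held_by(operator, validators=VALIDATORS, delegations=DELEGATIONS):
    """Validators whose signatures a single operator can produce."""
    return [v for v in validators
            if effective_holder(v, validators, delegations) == operator]


def withdrawal_approved(signers, threshold, validators=VALIDATORS):
    """Bridge rule: a withdrawal clears when >= threshold distinct validators sign."""
    distinct = {s for s in signers if s in validators}
    return len(distinct) >= threshold


def single_operator_reaches_quorum(threshold, validators=VALIDATORS,
                                   delegations=DELEGATIONS):
    """Risk check a defender should run: can one key holder satisfy the threshold alone?"""
    counts = Counter(effective_holder(v, validators, delegations) for v in validators)
    return max(counts.values()) >= threshold


if __name__ == "__main__":
    for t in (5, 8):
        print(f"threshold {t}/9: one operator can approve alone -> "
              f"{single_operator_reaches_quorum(t)}")
    print("without the delegation, 5/9:", single_operator_reaches_quorum(5, delegations={}))
```

The same check, run whenever a delegation or allowlist entry is added, would have flagged that the “temporary” grant collapsed the 5-of-9 scheme to a single key holder.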
As also noted by many commentators, it’s embarrassing Sky Mavis didn’t notice the hack had occurred until six days later when it was notified something was amiss by a user who couldn’t transfer 5,000 ETH out of the bridge back to Ethereum because all the ETH had been drained.
In terms of operational security, it’s hard to imagine a worse scenario, except perhaps an inside job. In that context, we don’t actually know how the attacker gained access to Sky Mavis’ nodes.
What’s next?
Obviously, we should now expect Sky Mavis to significantly boost its security and pay a lot more attention to the operational side of its business, including the rapid decentralisation of Ronin, which up to this point has been a centralized proof of authority blockchain.
Despite its impact and funding, Sky Mavis has been a small team doing too much, and I’d imagine the focus on infrastructure (if any) has been on ensuring it could fulfil the demands of Axie Infinity rather than on Ronin having its own raison d’être.
After all, that was the reason for the temporary fix giving Sky Mavis access to the Axie Infinity DAO node. This has to change.
Harder to repair will be the reputational damage to Axie Infinity, within the wider blockchain space and more generally too. Naysayers have been enjoying the opportunity for a good dose of schadenfreude.
Conversely, my gut feeling is that for those already committed to Axie Infinity and Sky Mavis (people like me, indeed), the situation is a weirdly positive (or anti-negative) one. If nothing else, it could have been worse.
Hacking a bridge is significant, but for most users it feels like a victimless crime. The only things taken were the ETH and USDC tokens ‘locked’ into the bridge. All assets on the Ronin blockchain remain in place. No-one lost their NFTs.
Honestly, my initial reaction was to see how much the RON price had dropped — disappointingly it was only down 20% (AXS was down 5%) — and buy some more.
More generally, Axie Infinity has always been held up as an example in terms of its community, and broadly I think this is going to generate greater cohesion, particularly as this is a team which is building a lot of new, exciting things, notably the imminent launch of Axie Infinity: Origin, which will be the first version of the game distributed via app stores.
But this isn’t a victimless crime. The ongoing issue is the Ronin-Ethereum bridge is missing 173,600 ETH and 25.5 million USDC, most of which is still sitting in the attacker’s wallet.
(You can make a bet on whether Sky Mavis will recover the funds! Blockchain skeptic Lars Doucet thinks not.)
But those tokens are the liquidity that people (like me) and companies transferred from their wallets on the Ethereum blockchain to the Ronin sidechain, and they need to be replaced both from an accounting point of view — no double spending here! — and from a confidence point of view.
In that context, the scenario could still get worse. The questions to be answered over the coming weeks are:
How did the hacker access Sky Mavis’ nodes?
How will Sky Mavis replace the lost funds? and
When the bridge is reopened, how much liquidity will flow out from Ronin back to the safety of Ethereum?
The first question definitely has the potential to further increase reputational damage, and the second isn’t trivial either. The Axie Infinity treasury is worth $1.6 billion but only $200 million of that is in ETH (56,000 ETH) and it’s not clear the Axie community would countenance such a move.
But it’s the third question that will demonstrate whether the hack goes down in history as ‘just growing pains’ or something more serious. Much of the anti-bear thesis around Sky Mavis is that as well as having the most popular blockchain game, it also operates a blockchain, which has strong upside potential to become an open ecosystem for many developers and games.
The hack is a wake-up call for Sky Mavis specifically and (another one for) the blockchain gaming sector in general about the importance of boring things such as system operations and security.
Gaming ecosystem Vulcan Forged was also hacked for $140 million in late 2021 but is generally thought to have recovered the situation well and increased its reputation.
Similarly, if Sky Mavis can demonstrate humility and hard lessons learned, the situation will reinforce its long-term plans for Ronin: what doesn’t kill you makes you stronger, etc.
If not, there are plenty more competitors ranging from L1s like Solana (itself bridge-hacked for $320 million), Avalanche, Flow and Polkadot to L2s such as Immutable X, Loopring, Starknet, Arbitrum and Optimism happy to onboard the growing number of game developers looking for solid infrastructure on which to build the next ‘Axie killer’.
In other words, the hard work really starts now.
Product news
OpenSea has announced it will add support for trading NFTs on Solana in April. OpenSea currently supports Ethereum, Polygon and Klaytn, with the vast majority of activity happening on Ethereum.
However, in recent months, Solana has established itself as the #2 blockchain for NFT trading, with over $147 million of monthly trading volume in the past 30 days, compared to $1.8 billion for Ethereum and $56 million for Avalanche.
Competitors include Solana-only marketplaces such as Justin Kan’s Fractal and Magic Eden, which recently raised $27 million.
Free NFTs news
Attendees of the NFT LA conference are getting a free Blankos NFT.
Up to 1,500 Lovesick Angeleno NFTs can be minted; 35 have been minted so far, but none are yet on sale.
Peak The Sandbox news
Digital investment fund Rendezvous Equity has sold out its holdings in The Sandbox for 515 ETH (around $1.7 million), up 136%.
In a Twitter thread, it says it believes The Sandbox’s value is inflated, especially in comparison to platforms such as Roblox, and calls the experience “subpar”.
Instead, Rendezvous is now investing in Minecraft-linked blockchain metaverse NFT Worlds, acquiring 32 of its land NFTs (worth around $1.1 million).