Axie Infinity has become the face of the play-to-earn blockchain gaming ecosystem, with its gaming platform attracting 2.5 million daily active users. However, earlier this week, it revealed that it was the latest victim of an attack in which $600 million in Ether and USDC was stolen from its Ronin bridge. As has since emerged, the people at the bottom of the pyramid, on whose shoulders Axie and other platforms become multi-billion dollar companies, continue to take the biggest hit.
As CryptoReport reported, Sky Mavis, the company behind Axie Infinity, announced on March 30 that it had discovered an attack that took place a week earlier, on March 23. The attackers stole 173,600 ETH and 25.5 million USDC. That Sky Mavis only noticed the attack a week later, when a user tried and failed to withdraw 5,000 ETH, is worrying in itself, as Securitize Capital CEO Wilfred Daye opined.
The blockchain trilemma and how Ronin’s security was breached
So, first of all, what is the Ronin bridge? It goes back to Ethereum and its scaling issues. Axie Infinity runs on Ethereum, but due to very high transaction costs, Sky Mavis had to find a way to keep running that would not be prohibitively expensive for users, many of whom are from developing countries and rely on play-to-earn to feed their families and pay the rent.
Sky Mavis opted for a sidechain (a private blockchain running on top of Ethereum that eliminates the need to pay very high network fees), initially partnering with Loom Networks in 2020. However, the company later decided to cut out the middleman and developed its own sidechain, known as Ronin.
Due to recent events, we will be shutting down our Loom Validator today and migrating Land and Items to a new scaling solution over the coming months. https://t.co/lgoCcRnqQb
– Axie Infinity🦇🔊 (@AxieInfinity) March 15, 2020
As the blockchain trilemma dictates, when solving for scalability, developers often have to sacrifice either decentralization or security, and for Sky Mavis, it was both. After all, the more centralized a system becomes, the more insecure it becomes as a result.
So, back to Ronin. Being a private blockchain, Ronin operates on the proof-of-authority consensus mechanism, which is much more centralized than proof-of-work or even proof-of-stake. In PoW, transactions are validated by thousands of nodes, but in PoA, only a small set of validating nodes is needed, and these are selected by the operator, in this case Sky Mavis. This makes such a system dangerously centralized and easy to infiltrate.
For Ronin, there were only nine validation nodes, which in hindsight sounds ridiculous for a network that processed tens of millions of dollars in in-game assets for more than two million users daily.
This turned out to be Ronin’s Achilles heel. As Sky Mavis revealed in a post-mortem, the attackers gained access to the company’s systems and took control of its four validation nodes. They then managed to gain control of a fifth validation node managed by Axie DAO, an organization created to support developers in the ecosystem.
With a majority of the validating nodes (five of the nine) under their control, the attackers could do whatever they wanted, and they chose to drain the Ronin bridge of ETH and USDC.
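The custody concentration described above can be measured and guarded against mechanically. The following is an added example, not code from Sky Mavis or the original article; the validator names, the four independent operators and the simple-majority threshold are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: validator -> custodian. The article gives nine validators,
# four run by Sky Mavis and one by Axie DAO; the other four custodians and
# all validator names are placeholders assumed to be independent.
CUSTODY = {
    "v1": "sky-mavis", "v2": "sky-mavis", "v3": "sky-mavis", "v4": "sky-mavis",
    "v5": "axie-dao",
    "v6": "op-a", "v7": "op-b", "v8": "op-c", "v9": "op-d",
}
THRESHOLD = len(CUSTODY) // 2 + 1  # assumption: simple majority, 5 of 9


def min_custodians_to_quorum(custody, threshold):
    """Smallest number of custodians whose keys together reach the threshold."""
    keys_held = sorted(Counter(custody.values()).values(), reverse=True)
    total = 0
    for count, held in enumerate(keys_held, start=1):
        total += held
        if total >= threshold:
            return count
    return None  # threshold unreachable


def approve(signers, custody, threshold, max_per_custodian=None):
    """Approve a withdrawal only if enough known validators signed.

    With max_per_custodian set, each custodian contributes at most that many
    signatures toward the threshold, so one breached operator cannot supply
    most of the quorum alone.
    """
    valid = {s for s in signers if s in custody}  # drop unknown, dedupe
    per_custodian = Counter(custody[s] for s in valid)
    if max_per_custodian is not None:
        counted = sum(min(n, max_per_custodian) for n in per_custodian.values())
    else:
        counted = len(valid)
    return counted >= threshold


if __name__ == "__main__":
    breached = ["v1", "v2", "v3", "v4", "v5"]  # the five nodes the article says were taken over
    print("custodians needed for quorum:", min_custodians_to_quorum(CUSTODY, THRESHOLD))
    print("plain 5-of-9:", approve(breached, CUSTODY, THRESHOLD))
    print("capped at 1 per custodian:", approve(breached, CUSTODY, THRESHOLD, 1))
```

The first number is the one to watch when reviewing a validator set: nine keys look like nine parties, but here two custodians are enough to reach quorum.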
The consequences of the hack for Axie Infinity users
Since then, Sky Mavis has vowed to reimburse players whose funds were lost in the attack, though details of how it will do so are unknown. However, in the past, we have seen wealthy investors compensating retail users for exploits, most recently Jump Trading, a Chicago firm backing the Wormhole bridge connecting Solana and Ethereum, which was exploited for $320 million. Jump Trading offered to reimburse investors whose funds were taken.
With Sky Mavis, however, it is not yet clear whether the powerful backers will be the ones to compensate investors. The company counts Andreessen Horowitz, Accel and Paradigm as investors in its latest funding round in October last year, where it raised $152 million at a $3 billion valuation.
Mark Cuban, the billionaire who used to be anti-Bitcoin but is now an outspoken fan, and Reddit co-founder Alexis Ohanian (who raised $200 million to invest in Web3 in December) are also investors in Sky Mavis, as are Animoca Brands, the company behind The Sandbox.
But whatever happens to Ronin, these billionaires and venture capital funds are feeling the least heat, despite being the biggest winners.
Catherine Flick, Associate Professor of Computer Science and Social Responsibility at De Montfort University in the UK, opined:
In terms of who gets hurt the most by this, it’s not the venture capitalists. Even a few days of delay in recharging the bridge, that will affect someone who feeds their family or pays the bills, and in a much, much greater way than having a little problem in someone’s investment portfolio.