North Korea, NFTs and a hit video game: inside a $500m cryptocurrency theft

Late last month, hackers made off with what was then worth more than $500 million from the systems of the Ronin cryptocurrency network, in what is believed to be the second-largest cryptocurrency heist on record.

Ronin was a juicy target for a hacker. The blockchain project is compatible with the popular video game Axie Infinity, which, with an estimated 8 million players, has drawn comparisons to action-packed games like Pokémon Go.

Axie Infinity is hot and involves substantial sums of money. Players buy creatures called Axies in the form of NFTs, unique digital assets known as non-fungible tokens. The creatures can breed, fight, and even be traded for cash.

The game has grown in popularity as players see the potential to win real money. According to reports, in 2020, a 22-year-old player from the Philippines bought two apartments in Manila with his gambling winnings. Last year, another player said that he earned more through Axie Infinity and other online games than from his full-time job at Goldman Sachs.

But the fundamentals of the game face significant security challenges. To play, players must move their money from Ethereum to Ronin using a blockchain "bridge" system. Ronin is a "sidechain" of Ethereum, a scaling solution that allows transactions to take place faster than on Ethereum, which is congested by the amount of activity it hosts. Hosting the game on this sidechain ensures that it can grow without losing functionality. Bridges can hold a large amount of money at one time, so by targeting the Ronin Bridge that transferred players' assets between blockchains, the hackers took control of the assets and made off with the money.

Game assets called 'Axies' are seen in this undated image from the blockchain-based game Axie Infinity Photograph: Sky Mavis/Reuters

The United States government said this week that it believes North Korean hackers are behind the heist. But it is just the latest in a series of high-profile, brazen crypto heists. In 2018, more than $530 million was stolen from the Coincheck cryptocurrency exchange. In February, hackers made off with $320 million from decentralized finance platform Wormhole (although that loot was eventually returned). And in that same month, in perhaps the most publicized cyber heist of the year, prosecutors charged odd couple Ilya "Dutch" Lichtenstein and his wife, Heather Morgan, also known for her embarrassing TikTok raps under the name Razzlekhan, with conspiracy to launder billions of dollars in bitcoin stolen from cryptocurrency exchange Bitfinex in 2016.

It's a trend. In 2021, $3.2 billion in cryptocurrency was stolen from people and services, according to a cryptocrime report by Chainalysis, a company that provides blockchain data and analytics to banks, governments, and other businesses. (Ronin is also working with Chainalysis to trace the funds stolen in the hack, according to Reuters.) The figure is almost six times the amount stolen in 2020. So far this year, more than $1 billion has already been stolen, according to experts at Chainalysis and other security firms.

Vulnerabilities in smart contracts

The high-profile hacks and the substantial sums of money involved have raised questions about how vulnerable the blockchain, long considered a safe place to store assets, is to such breaches.

Some experts say the rise in crypto theft reports is because cryptocurrency is more widely used and better understood than ever.

"Basically, you have a lot of money on the table, and on a very public table," said Nicolas Christin, an associate professor at Carnegie Mellon University who researches online crime and computer and network security. With large sums of money moving publicly in these transparent systems, it can be tempting for a hacker to attack.

To understand how these heists are possible, it's important to distinguish between the blockchain and other programs that operate on top of it, experts say. The blockchain itself is a decentralized public ledger that enables peer-to-peer transactions. It is the fundamental layer on which bitcoin, Ethereum or Solana are built.

The second layer, the one that is frequently exploited, is smart contracts that run on top of blockchains. Smart contracts are agreements in code that are automatically executed when the terms of the contract are fulfilled. The common analogy is with a digital vending machine: select a product, enter the correct amount of money, and your item is automatically dispensed. These contracts are irreversible.

Hackers work their way to money through these second-layer systems, either by exploiting bugs in the code or by getting the private keys that will allow them to break into the systems, Christin explained. Some hackers even subvert smart contracts to redirect funds into their hands.

In the Axie Infinity hack, targeting the Ronin Bridge, the hacker obtained enough private keys to control the bridge and drain the funds. Since so many users had their assets on the bridge, the payout was huge.

"The underlying blockchain protocol is secure," said Ronghui Gu, founder and CEO of blockchain security firm CertiK. "But the programs, the smart contracts, that run on top of them are still just like other normal programs, which can have software bugs and vulnerabilities."

It is common for hackers to try to exploit the code of one of their targets. And it helps that much of the code for blockchain programs is open source, making it easily accessible to hackers who want to review the code and find potential bugs.

"In this world, people say 'we trust the code,' but the code itself is not that trustworthy," Gu said. When he started his blockchain security company in 2018, Gu explained, only a few companies used third-party security services like his to audit and test their code, a critical security backup, but he has seen the number rise gradually.

Crypto exchanges are also major targets for hackers. Exchanges are like banks: they are central entities that hold massive amounts of their users' money, and transactions are irreversible. Like bridges, they are an intermediary program that tends to be targeted. "Those big trades have a big target on their back," Christin said.

Victims are left with a heavy security burden

Once crypto assets are stolen, it can be challenging for thieves to cash out, especially if the heist is in the nine-figure range. That means funds are often left in limbo for years, or even indefinitely. During that time, the value of the stolen funds may fluctuate due to the volatile nature of the crypto market.

Chainalysis' crypto crime report estimates that criminals currently hold at least $10 billion in cryptocurrency, the vast majority obtained through theft. Thanks to the transparency of the blockchain, it is possible to trace these transactions and holdings, but it is difficult to determine the identity of the perpetrator until the funds are cashed out.

One can look at the Bitfinex scandal as a case study in attempted laundering. "The funds did not move for a long time. And then when they tried to start the laundering process, this was an opportunity for law enforcement to get involved again, because people are following these hacks," said Kim Grauer, director of research at Chainalysis.

For victims of the schemes, there are few ways to recover assets. "If a bank's security fails, it's not that bad for the bank," said Ethan Heilman, a cybersecurity expert and co-founder of cloud service BastionZero. "But if you're a crypto exchange and someone empties all your crypto, that's really bad for you." Banks have measures to protect their customers that the blockchain lacks. If your credit card is stolen, insurance policies ensure that your money will usually be returned to you. However, on the blockchain, transactions are irreversible: there is no undo button.

That means there is a tremendous security burden on individual users to keep their assets safe. "End users may not necessarily be aware of the security risks they are incurring," Christin said. "Frankly, even people in the field don't have time to necessarily go and review the source code of a smart contract."

If you entrust your keys to the wrong second-layer broker, you may be the victim of a robbery. Collectively, most users are not used to this responsibility.

Crypto businesses are starting to take security more seriously, Heilman said, but a world without hacks is unrealistic, he added. "You never get safer, you just get safer," he said. "So, given the ease of monetizing a vulnerability in one of these systems, I think we're likely to continue to see things get hacked, and the question won't be, 'Is there a new attack this month?' It will be: 'how frequent are the hacks this month?'"

"There are important things that the industry needs to get through to really grow and scale," Grauer said, "because you can't have a healthy growing industry if everyone is afraid of being hacked."
