The Future of Money with Henri Arslanian

By Henri Arslanian

5 Things To Watch Following the $600 Million Hack of Axie Infinity (#90 - 4 April 2022)

#87・ Apr 4, 2022

issues

5 Things To Watch Following the $600 Million Hack of Axie Infinity (#90 - 4 April 2022)

By Henri Arslanian • Issue #87 • View online

Dear Friends,

The second biggest hack in crypto history took place this week, with over $600 million in assets stolen from a bridge linked to the popular play-to-earn gaming platform Axie Infinity. Here are the 5 things that you need to know and that we need to watch following this hack.

Make sure to subscribe (and join the 49,000+ others who have done so) to receive your Future of Money newsletter in your inbox every week!

If you enjoy this content, you will also love what I post on Twitter (@HenriArslanian) and the library of videos on my YouTube channel.

Here we go!

5 Things To Watch Following the $600 Million Hack of Axie Infinity

The crypto ecosystem witnessed one of its biggest-ever exploits this week, with hackers stealing over $600 million worth of crypto from a bridge linked to the popular play-to-earn (P2E) game Axie Infinity.

Source: Sky Mavis

News of the hack came to light on March 29, when Sky Mavis, the Vietnam-based development studio behind Axie Infinity and Ronin Network, a sidechain that bridges the Axie ecosystem with the Ethereum network (allowing players to transfer funds back and forth between the two), confirmed the hack.

The Sky Mavis team ruled out any technical faults, attributing the attack to social engineering.

Apparently, this flaw can be traced back to last fall, when Sky Mavis requested assistance from Axie DAO, responsible for community governance, in distributing free tokens during a period of heavy user activity.

Axie DAO allowed Sky Mavis to sign off on transactions on its behalf to mitigate user volume, but this access was never revoked, ultimately leading to this week’s fallout.

All told, 173,600 wrapped Ethereum and over 25 million of the USDC stablecoin were drained, making this the second-biggest hack in crypto history, even outdoing the infamous 2014 Mt. Gox hack in terms of total amount stolen.

Source: Elliptic

The Sky Mavis and Ronin Network teams have come under heavy criticism for their belated response to the hack, which actually took place on March 23, six days before it was publicly acknowledged.

Once one user’s attempted withdrawal of 5,000 ETH from their account failed, however, it immediately became clear that something was wrong.

According to the Ronin Network team, the hackers pulled off the theft by targeting the bridge’s validation nodes.

After getting ahold of five of the nine private cryptographic keys, the threshold needed to approve digital signatures and verify transactions, the hackers were able to abscond with the crypto-assets stored on the bridge.

Crypto forensics firm Elliptic shows that the hackers have already begun to launder the stolen crypto-assets, with the stolen USDC swapped out for ETH via decentralised exchanges (DEXs) to prevent it from being seized.

Let’s not forget that stablecoins are controlled by their issuers, who can freeze tokens involved in illicit activity. Swapping the USDC for ETH removed this risk for the hackers.

And using a DEX in lieu of a centralised exchange, the hackers were able to avoid any compulsory AML/KYC checks.

Elliptic reports that the hackers then began laundering the looted ETH through three well-known centralised platforms, leading the CEOs of several prominent exchanges throughout the ecosystem to confirm that they were working with the teams at Sky Mavis and Ronin to track down the missing funds.

The hack clearly comes as a huge blow to Axie Infinity, which has surfaced as one of the most popular P2E games in the industry since its debut back in 2018.

Based on the blockchain, P2E games revolve around the buying, selling, and trading of digital assets, including NFTs.

Axie Infinity has become a huge hit with crypto aficionados and gamers alike.

Set around Pokemon-like NFT characters known as Axies, players can earn Axies by battling against other players, before selling their Axie rewards for tokens or trading their Axie for a different model.

Source: Sky Mavis

The game emerged as one of the biggest winners in the crypto ecosystem last year, generating $1.3 billion in revenue over the course of 2021 as NFTs along with metaverse and P2E tokens exploded in trading volume, occurring in tandem with soaring prices for benchmark crypto-assets like Bitcoin and Ethereum.

Axie Infinity continued this momentum into 2022, with Axie NFTs hitting $4 billion in all-time sales earlier this year.

Axies themselves have become particularly hot commodities within the NFT space.

Now, what is the impact of this development?

First, this is clearly a tragedy, as many of the people hurt by this are either young or live in developing countries.

Axie Infinity has become especially popular around the developing world, with gamers in countries like Venezuela and the Philippines reportedly earning a full-time living by flipping Axie’s in-game assets.

This is why it should not come as a surprise that many of the victims have already come out writing messages to the hackers stating that they had all of their life savings in Axie or that this may completely ruin them.

Source: @web3isgreat (Twitter)

Second, this is a reminder that hacking and theft in crypto is a serious problem.

This hack is now easily the biggest security breach in the crypto ecosystem of 2022 so far.

2021, for instance, saw around $3.2 billion worth of cryptocurrency stolen (a 516% increase from 2020).

According to Chainalysis, $2.2 billion was stolen from DeFi platforms, with another roughly half a billion looted from other places. This hack is already bigger than that.

Source: Chainalysis

Crypto crime is still a problem but remains small relative to overall crypto transactions.

For example, only 0.15% of all crypto transactions involved illicit addresses.

The third thing to focus on is the attention that this hack could potentially bring to such bridges.

The fact that this exploit took place on a bridge brings to mind another significant security breach that just took place a couple of months ago: the Wormhole exploit, in which $320 million worth of wrapped Ethereum was looted from a bridge that linked the Ethereum and Solana blockchains.

However, in that case, one prominent investor, Jump Trading, came in to cover the loss by backstopping the stolen 120,000 ETH.

This move could have arguably stemmed additional contagion and chaos within the broader Solana ecosystem.

Unfortunately, Axie does not have this kind of backing.

The fourth thing to watch is whether this brings a higher focus on governance more broadly.

In the traditional world, there is an entire industry focused on governance, policies, procedures, and controls.

Some certifications, from ISO to the SOC, are de facto mandatory precisely because they help reduce the chance of such incidents.

In this case, the Axie DAO had reportedly given authorisations to Sky Mavis in December 2021, authorisations that were never revoked.

There was no problem with the smart contract at first glance here; rather, it could have been a problem of governance and controls.

This could hopefully draw new attention to the topic of insurance, although we are still years away from such insurance products being made widely available for these types of scenarios in the digital assets space.

And the last thing to watch is whether the hacker will actually be able to launder these funds.

Whilst they were already able to launder small amounts before this news became public using a mix of centralised and DeFi exchanges, it will be almost impossible for the hacker to launder the majority.

In fact, the stolen assets are easily available for anyone to see online.

For reference, the crypto ecosystem’s biggest hack was the August 2021 exploit of DeFi protocol Poly Network, a $611 million breach.

As readers may recall from this newsletter, the Poly hack was a weeks-long saga that featured constant back-and-forth communication between the hacker and the Poly security team, with the perpetrator ultimately returning the stolen funds.

The crypto ecosystem has already seen significant breakthroughs in a couple of years-old hacking mysteries over the past two months.

Readers of this newsletter will of course remember the wacky couple arrested by the FBI in February over their connection to the 2016 hack of Bitfinex.

And later that same month, journalist and author Laura Shin revealed a potential suspect in the 2016 exploit of The DAO.

Both cases demonstrated the traceability features of the blockchain and how investigators are becoming increasingly well-versed in following the trail left behind by crypto money launderers.

As I’ve discussed before, converting the stolen crypto into fiat money is, in practice, exceedingly difficult to pull off, leaving the hackers with limited options on what they can actually do with the stolen funds.

As the fallout of the Axie Infinity hack continues, Sky Mavis has confirmed that they’ve temporarily halted all activity on the bridge connecting Ronin Network with Ethereum and that the AXS and SLP tokens that remain on the bridge (along with RON, the Ronin Network’s governance token), are secure.

Ronin Bridge’s website has also been taken down.

If I was a betting man, I’d say there is a very small but still non-negligible chance here that the hacker comes forward and agrees to give back the funds in exchange for some sort of a reward.

Given all of the reasons listed above, laundering the stolen proceeds will prove so difficult that the hacker may be better off just returning the funds.

I would put the chances of this happening at less than 25%, but it’s still probable (as we saw in the Poly Network hack) and something that I am sure many of the members of the Axie community would welcome.

However, the fact that the hacker has already begun laundering the stolen funds is not a good sign.

In any event, it will be very interesting to see how this develops over the coming days.

Definitely a story to follow.

Yield App is an innovative digital wealth platform that allows both retail and corporate clients to earn passive income at the touch of a button.

Earn market-leading rates on some of the world’s biggest digital assets, compounding and paid daily.

And if you’re a corporate client Yield App offers a secure treasury for your digital asset. Its dedicated relationship management team is on hand 24/7 to facilitate a stress-free experience.

___

My Latest Podcast Episode

Looking to learn more about today’s rapidly-evolving global stablecoin ecosystem? How do centralised stablecoins differ from decentralised stablecoins? And how are yield rates generated and determined on the major stablecoin platforms?

I cover it all with Mark Lamb, CEO of CoinFLEX.

This episode is ideal for anyone interested in an in-depth overview of all the major global developments taking place surrounding stablecoins.

You can listen to/watch the podcast here:

Spotify: https://spoti.fi/3tJqknb

Apple: https://apple.co/3wHjU9W

Google: https://bit.ly/3iC83C1

YouTube: https://bit.ly/3Lm0Guy

___

My Latest Crypto Capsule

Crypto Capsule - Ep. 109

Enjoyed this content? Make sure to subscribe or share it with a friend!

A new Future of Money newsletter will be in your inbox each weekend!

See you all next week!!

Henri Arslanian

*Please note that this newsletter reflects Henri’s personal views and not those of any organisation he is involved with. This newsletter is for educational purposes only and none of its content should be construed as investment or financial advice of any kind.

Did you enjoy this issue?

By Henri Arslanian

Future of Finance and Money - PwC Global Crypto Leader, Best Selling Author, Keynote Speaker, University Professor, Host of Crypto Capsule™ - Views are my own

Tweet

Share

In order to unsubscribe, click here.

If you were forwarded this newsletter and you like it, you can subscribe here.