Axie Infinity, a popular play-to-earn game, suffered a breach, losing $625 million in crypto — 173,600 ETH and 25.5 million USDC, a popular stablecoin.

It’s the biggest hack ever in the GameFi sphere and a bit of a public relations problem for P2E promoters, such as VC firm Andreessen Horowitz (a16z), who ambitiously describes P2E as “the future of games and really, the Web as we know it.”

The hack took place on Ronin, the Ethereum sidechain that Axie runs on. Ronin uses proof of authority, a consensus scheme in which a small, whitelisted set of validators signs blocks rather than anyone who stakes coins. Ronin has only nine validator nodes, and a withdrawal from the bridge needs signatures from five of them, so it's not even decentralized.

Via a backdoor, the hacker got hold of the keys to four validator nodes controlled by the game's Vietnamese developer, Sky Mavis, and to a fifth node controlled by the Axie DAO.

The Axie DAO is a decentralized autonomous organization that Sky Mavis set up to put some distance between itself and Axie Infinity and its in-game tokens, AXS and SLP (smooth love potion).

With five of the nine validator keys in hand, the hacker could sign withdrawals the bridge would accept as legitimate, and simply drained the money from the Ronin bridge, without a hitch.
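Here is a toy model of that five-of-nine check, written for this post rather than taken from Ronin's code. The validator signatures are HMAC tags standing in for real signatures, and the assignment of validator ids 0 to 3 to Sky Mavis and id 4 to the Axie DAO is an assumption, but it shows why nothing had to be "broken": hold five keys and the bridge accepts any withdrawal you care to write.

```python
"""Toy k-of-n bridge verifier: why holding five of nine validator keys lets an
attacker sign a withdrawal without breaking any cryptography.

Added example, not Sky Mavis or Ronin code. Validator 'signatures' are
HMAC-SHA256 tags over the withdrawal message, an assumption standing in for
the real signatures a bridge verifies; the threshold bookkeeping is the point.
"""
import hashlib
import hmac
import json

N_VALIDATORS = 9
THRESHOLD = 5  # a withdrawal needed five of the nine validators

# Constructed key set: validator index -> secret key, derived deterministically
# so the example is reproducible. A real bridge holds only public keys on-chain.
VALIDATOR_KEYS = {
    i: hashlib.sha256(f"validator-{i}".encode()).digest() for i in range(N_VALIDATORS)
}


def withdrawal_message(recipient, token, amount, nonce):
    """Canonical encoding so every validator signs exactly the same bytes."""
    fields = {"to": recipient, "token": token, "amount": amount, "nonce": nonce}
    return json.dumps(fields, sort_keys=True).encode()


def sign(validator_id, message, keys=VALIDATOR_KEYS):
    """One validator's approval of a withdrawal (toy HMAC signature)."""
    return validator_id, hmac.new(keys[validator_id], message, hashlib.sha256).digest()


def verify_withdrawal(message, signatures, keys=VALIDATOR_KEYS, threshold=THRESHOLD):
    """Accept only if at least `threshold` *distinct* known validators signed.

    Returns (accepted, number_of_valid_signers).
    """
    signers = set()
    for validator_id, tag in signatures:
        key = keys.get(validator_id)
        if key is None:
            continue  # not a validator: ignored
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            continue  # wrong key, or a signature over some other message: ignored
        signers.add(validator_id)  # a set: one key submitted five times counts once
    return len(signers) >= threshold, len(signers)


def attacker_can_withdraw(compromised, message, keys=VALIDATOR_KEYS):
    """What an attacker holding the `compromised` validator keys can get through."""
    sigs = [sign(i, message, keys) for i in compromised]
    return verify_withdrawal(message, sigs, keys)[0]


if __name__ == "__main__":
    # Assumed mapping: ids 0-3 are Sky Mavis validators, id 4 is the Axie DAO's.
    msg = withdrawal_message("0xattacker", "WETH", 173_600, nonce=1)
    print("four Sky Mavis keys:            ", attacker_can_withdraw([0, 1, 2, 3], msg))
    print("four Sky Mavis + one Axie DAO:  ", attacker_can_withdraw([0, 1, 2, 3, 4], msg))
```

The verifier does the two things a threshold check must do: it counts distinct signers, so replaying one stolen key five times is worth one vote, and it binds each signature to the exact message, so approvals of one withdrawal cannot be reused for another. Neither helps once five keys are genuinely in the wrong hands.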

Axie said in a tweet that the hack was the result of social engineering combined with human error from December 2021, but did not elaborate. Axie promised to add new validators to the network to make it more decentralized. 

Social engineering suggests something along the lines of a phishing scam: the attacker tricked a person into giving up access, rather than breaking the cryptography.

This is different from other recent bridge attacks, like Wormhole, where the attacker exploited a vulnerability in the bridge's smart contract.

Six days to run for the hills

Ronin reported the hack on March 29, but according to a Ronin blog post, the theft occurred six days earlier. Sky Mavis discovered the breach only after a user reported having trouble withdrawing funds from the bridge.

How on earth do you lose hundreds of millions of dollars in crypto and nobody notices for nearly a week? Axie developers not only left the door open, but they also neglected to turn on the security cameras!  
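An added example of the kind of camera that was missing, written for this post and not taken from Ronin's code: a monitor that pages on any single withdrawal above a cap and on any 24-hour total above a cap. The event fields, the caps and the ordinary traffic are assumed or constructed; the two drain amounts are the ones reported above, compressed into one withdrawal each.

```python
"""Added example (not Ronin code): a bridge withdrawal monitor that alerts on a
single oversized withdrawal or on a rolling 24-hour total above a cap. Field
names and caps are assumptions; a deployment would feed it the bridge
contract's withdrawal events and pause the bridge on the first alert.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Withdrawal:
    timestamp: int   # unix seconds
    tx_hash: str
    token: str
    amount: int      # whole tokens (ETH, USDC)


class WithdrawalMonitor:
    """caps: token -> (per_tx_cap, window_cap); unknown tokens are alerts too."""

    def __init__(self, caps, window_seconds=24 * 3600):
        self.caps = caps
        self.window_seconds = window_seconds
        self._recent = {token: deque() for token in caps}  # (timestamp, amount)
        self._totals = {token: 0 for token in caps}
        self.alerts = []

    def observe(self, w):
        """Record one withdrawal; return the alerts it triggers (possibly none)."""
        fired = []
        if w.token not in self.caps:
            fired.append(("UNKNOWN_TOKEN", w.tx_hash, w.token))
            self.alerts.extend(fired)
            return fired
        per_tx_cap, window_cap = self.caps[w.token]
        if w.amount > per_tx_cap:
            fired.append(("LARGE_WITHDRAWAL", w.tx_hash, w.amount))
        # Drop events that fell out of the window, then add this one.
        recent, cutoff = self._recent[w.token], w.timestamp - self.window_seconds
        while recent and recent[0][0] < cutoff:
            self._totals[w.token] -= recent.popleft()[1]
        recent.append((w.timestamp, w.amount))
        self._totals[w.token] += w.amount
        if self._totals[w.token] > window_cap:
            fired.append(("WINDOW_CAP_EXCEEDED", w.tx_hash, self._totals[w.token]))
        self.alerts.extend(fired)
        return fired


def sample_events(start=1_647_993_600):
    """Constructed sample (the epoch is arbitrary): a day of ordinary traffic,
    then the two amounts from the post as single withdrawals."""
    events = [Withdrawal(start + h * 3600, f"0xnormal{h:02d}", "WETH", 25) for h in range(24)]
    events += [Withdrawal(start + h * 3600, f"0xusdc{h:02d}", "USDC", 100_000) for h in (3, 11, 19)]
    events.append(Withdrawal(start + 24 * 3600, "0xdrain1", "WETH", 173_600))
    events.append(Withdrawal(start + 24 * 3600 + 60, "0xdrain2", "USDC", 25_500_000))
    return events


def run(events, caps=None):
    """Feed events through a monitor in time order; return the alerts raised."""
    caps = caps or {"WETH": (1_000, 10_000), "USDC": (2_000_000, 10_000_000)}
    monitor = WithdrawalMonitor(caps)
    for w in sorted(events, key=lambda e: e.timestamp):
        monitor.observe(w)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run(sample_events()):
        print(alert)
```

With the assumed caps, the ordinary traffic is silent and each drain transaction fires twice, once for its own size and once for the daily total. The caps themselves are a policy decision, but a bridge that could lose 173,600 ETH in a day with no threshold at all is the failure mode the post describes.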

All eyes are on the stolen crypto, as internet sleuths watch to see how the hackers will pull off the next part of this massive heist: laundering the funds. Clean crypto is always worth more than dirty crypto.

As soon as you convert stolen crypto to cash in your bank account, you risk revealing your identity. (Recall the two individuals recently nabbed after trying to launder bitcoin stolen from Bitfinex in 2016.)

Stablecoins can be frozen by the issuer, in this case Circle. So the Ronin hacker laundered them as quickly as possible, sending the ill-gotten USDC to the decentralized exchanges Uniswap and 1inch and swapping it for ether. 

Most of the stolen ETH remains in the attacker’s wallet, but so far, the Axie-Ronin hacker has sent 3,750 ETH ($12 million) to Huobi and 1,220 ETH ($4 million) to FTX, according to Dirty Bubble Media. Funds were also sent to Binance and Crypto.com. 

Tornado Cash 

Once centralized exchanges realize where the funds are coming from, they can freeze accounts and even route the money back to Ronin — if they want to, and if the funds haven’t already been chain swapped away. 

Chain swapping, or chain hopping, involves sending the funds to an exchange, swapping them for another crypto, and then quickly moving those funds to another exchange. Many offshore exchanges have lax KYC controls.

Still, why didn’t the hackers use a mixer like Tornado Cash to scramble up the ETH instead? 

A mixer takes funds from different users and jumbles them all together, making it difficult to track the movement of funds on a blockchain. 

Tornado Cash works as a series of pools, each for a fixed denomination (0.1, 1, 10 or 100 ETH). You deposit one unit into a pool and, some time later, withdraw one unit to a fresh address; a zero-knowledge proof shows the withdrawal matches some deposit in the pool without revealing which one.

The problem is, once you send crypto to a mixer, your anonymity is only as good as the crowd you hide in: you have to wait for deposits and withdrawals from other users to build up around yours. That takes time.

And, since pretty much all of the big flows are identified as dirty, any large withdrawal is likely to be dirty as well. Also, exchanges may be reluctant to touch crypto coming out of a mixer, believing it’s all just tainted money.
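To put numbers on the two points above (you have to wait for other users, and a large flow stands out), here is an added back-of-the-envelope model, not Tornado Cash's code. The deposit log is constructed; the only real figure in it is the 100 ETH size of the largest pool.

```python
"""Added example, not Tornado Cash code: a back-of-the-envelope model of the
anonymity a fixed-denomination pool gives one withdrawal, and of why it stays
small while a single depositor dominates the pool. The log is constructed;
'flagged' marks deposits from an address already identified as holding stolen funds.
"""
from dataclasses import dataclass

POOL_DENOMINATION_ETH = 100  # the largest Tornado Cash ETH pool


@dataclass(frozen=True)
class Event:
    t: int            # hours since the start of the log
    kind: str         # "deposit" or "withdraw"
    flagged: bool = False


def deposits_needed(amount_eth, denomination=POOL_DENOMINATION_ETH):
    """How many fixed-size deposits it takes to push `amount_eth` through a pool."""
    return -(-amount_eth // denomination)  # ceiling division


def anonymity_set(log, t):
    """Deposits a withdrawal at time t could plausibly correspond to: every
    earlier deposit, less the earlier withdrawals that already consumed one."""
    deposits = sum(1 for e in log if e.kind == "deposit" and e.t < t)
    withdrawals = sum(1 for e in log if e.kind == "withdraw" and e.t < t)
    return max(1, deposits - withdrawals)


def flagged_share(log, t):
    """Fraction of the deposits before time t that came from flagged addresses,
    i.e. the prior that a withdrawal at t is moving dirty coins."""
    prior = [e for e in log if e.kind == "deposit" and e.t < t]
    return sum(e.flagged for e in prior) / len(prior) if prior else 0.0


def build_log(organic_deposits=84, organic_withdrawals=42, attacker_deposits=100, attack_hour=168):
    """Constructed two-week log: an organic deposit every 4 h, an organic
    withdrawal every 8 h, and the attacker dumping `attacker_deposits` at once."""
    log = [Event(4 * i + 1, "deposit") for i in range(organic_deposits)]
    log += [Event(8 * j + 3, "withdraw") for j in range(organic_withdrawals)]
    log += [Event(attack_hour, "deposit", flagged=True) for _ in range(attacker_deposits)]
    return sorted(log, key=lambda e: e.t)


LOG = build_log()

if __name__ == "__main__":
    print("100-ETH deposits needed to move 173,600 ETH:", deposits_needed(173_600))
    for when, label in ((169, "one hour after the dump"), (337, "a week later")):
        print(f"{label}: anonymity set {anonymity_set(LOG, when)}, "
              f"flagged share {flagged_share(LOG, when):.0%}")
```

In this constructed log the attacker's 100 deposits are 70 percent of everything in the pool an hour after the dump, and still 54 percent a week later; moving the full 173,600 ETH would take 1,736 deposits into a pool that sees a handful a day. A withdrawal from that pool is, on the numbers, probably dirty, which is exactly the inference exchanges are making.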

“Exchanges are probably starting to get wise and just blocking Tornado Cash for non-KYC accounts because it is just SO cesspool even for them,” Nicholas Weaver, a researcher at the International Computer Science Institute in Berkeley, told me. 

Binance, which integrated the Ronin wallet in September, said that as of Tuesday, it has suspended all deposits and withdrawals on Axie Infinity’s Ronin network, and it is on the lookout for unusual transactions — but again, the hackers were already ahead of the game, so it’s unclear what good this does.

(Update, April 4: An address associated with the hack is now routing funds through Tornado Cash, a combined total of 2,000 ETH so far, or roughly $6.9 million.)

Refunding the money

Sky Mavis needs to find a way to refund Axie players, many of whom are now sitting on unbacked WETH — the ERC20 token that represents the ETH on the Ronin network.  

If the game developer can’t refund players, it may have to retire the game or face insolvency, putting the entire P2E space to shame. Right now, the firm has no idea how it is going to come up with the money. 

“We are fully committed to reimbursing our players as soon as possible,” Aleksander Leonard Larsen, Sky Mavis COO, told Bloomberg. “We’re still working on a solution, that is an ongoing discussion.”

The stolen funds include the deposits of players and speculators and the Axie Infinity Treasury, used to create a base revenue for the AXS token. Of the ETH stolen, 56,000 belonged to the Axie Infinity Treasury, Bloomberg said.   

The real losers

Play-to-earn games are exploitative. They promise users the ability to earn money while playing. But to play, you have to first purchase expensive NFTs, which not everyone can afford. 

In the case of Axie Infinity, that means purchasing three Axies — cartoon monsters that live on the Ethereum blockchain as ERC721 tokens — at a cost of up to a thousand dollars. Players pay because they see it as an income opportunity. 

In the Philippines, many players resort to borrowing Axies, and becoming indentured servants, playing for weeks on end just to recoup their initial investment. Playing the game becomes a mindless slog for those trying to earn a living wage, so they can buy food and keep a roof over their heads. The game itself functions as a pyramid scheme. 

Many of these players sold their in-game NFTs for ETH, which they hoped to turn into cash. Only now, the WETH in their Ronin wallets is worth nothing because there is no ETH to cover it, and they have nothing to show for all the days, weeks, and months of endless game playing. They are the real losers in all of this. 

As for the P2E boosters, Axie Infinity is too important to fail. In December, Sky Mavis closed a $152-million Series B led by FTX and a16z. That was on top of a $7.5-million round six months earlier with contributions from billionaire investor Mark Cuban.

A16z-backed Yuga Labs, the firm behind the popular Bored Ape Yacht Club, is also making moves into the P2E space. Its APE token will serve as the in-game currency for Animoca Brands' Benji Bananas. The firm also recently dropped hints of another game called Otherside, where virtual land will be sold as NFTs.  

Unless the Ronin hacker has a change of heart and returns the money, it looks like a superhero may have to step in to save the day. In the world of crypto, more often than not, that means pulling more money out of thin air in the form of tokens. 

If you like my work, consider supporting my writing by subscribing to my Patreon account for as little as $5 a month. 
