A quick Google search tells me that the largest bank robbery in history happened in Baghdad, Iraq, where $282 million was stolen. It is suspected that it was an inside job, carried out by several bank guards. Meanwhile, the average bank robbery in the US, apparently, is $6,500.
It is easy to lose perspective when reading about these vast amounts of money in crypto. But compared to the real-world data above, it really hits home how big the latest hack in crypto is.
Axie Infinity is a blockchain-based trading and battling game in which players breed, raise and trade token-based creatures called Axies. It is one of the biggest success stories in crypto gaming: with a market cap of $3.9 billion, it sits in the top 50 cryptocurrencies.
Last week, Axie was hacked for $625 million. And nobody noticed.
Goodbye $625 Million
Yesterday it was revealed that $625 million had been swiped from Ronin, the Ethereum sidechain that Axie Infinity runs on. The theft was disclosed in a statement on Substack, but the hack itself happened six days earlier. “A security breach has occurred”, the statement begins. It certainly has.
The Ronin Bridge, which handles deposits to and withdrawals from the sidechain, was drained of 173,600 ETH (close to $600 million) and $25.5 million of the stablecoin USDC. Importantly, Sky Mavis confirmed that the Axie NFTs (needed to play Axie Infinity), as well as the in-game tokens AXS and SLP, were not affected. But this is a startling case of negligence in the custody of user funds.
We caught up with Ahmed Duas, CEO of Battle Drone, a play-to-earn game on the Solana blockchain, to get a view from within the industry. He said, “Bridges are still an area of development. The GameFi model is such a revolution that in the near future we will all see it have a learning curve that is similar to the hacks at the beginning of any innovation.”
How?
Sky Mavis, which runs both Axie Infinity and Ronin, said that “the attacker used the hacked private keys for fake withdrawals”. The attack was only discovered yesterday, after a user was unable to withdraw 5,000 ETH ($17 million) from the bridge. By then the attacker had already completed two fraudulent withdrawals.
In other words, weaknesses on Sky Mavis's side let the attacker obtain the signing keys of Sky Mavis's own validators and, on top of those, the signature of a third-party validator. That was enough to meet the five-of-nine validator signature threshold that authorizes a withdrawal, so the bridge contract released more than $600 million as if the withdrawals were legitimate. Not only did Sky Mavis lose control of the keys that guard the bridge, it took them nearly a week to notice a $600 million hole in its reserves.
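The six-day detection gap is the part of this story a defender can actually do something about. The following is an added example, not code from the article or from Sky Mavis/Ronin: a minimal bridge-reserve monitor that samples a bridge contract's locked balance once per block and raises an alert when a single block removes more than a few percent of it. The block numbers, balances and threshold are constructed for the example and are not Ronin's real figures; a real deployment would read the balance from an RPC node (eth_getBalance for ETH, the token's balanceOf for USDC) on each new block.

```python
"""Added example, not code from the article or from Sky Mavis/Ronin.

A minimal bridge-reserve monitor: the kind of check that would have flagged the
Ronin outflow within minutes rather than six days. It samples the bridge
contract's locked balance once per block and alerts when one block's balance
falls more than `max_drop_fraction` below the previous sample. The block
numbers and balances below are constructed for the example, not Ronin's real
figures; a real deployment reads them from an RPC node on every new block.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

Sample = Tuple[int, float]  # (block number, locked balance in ETH)


@dataclass(frozen=True)
class DrainAlert:
    block: int
    before: float
    after: float

    @property
    def outflow(self) -> float:
        return self.before - self.after


def detect_drain(samples: Sequence[Sample],
                 max_drop_fraction: float = 0.05) -> List[DrainAlert]:
    """Return one alert for every block whose balance dropped by more than
    max_drop_fraction relative to the previous sample. Ordinary user
    withdrawals are tiny next to the reserves, so a single-block drop of a
    few percent deserves a human look; a 96% drop is an incident."""
    alerts: List[DrainAlert] = []
    for (_, prev_bal), (block, bal) in zip(samples, samples[1:]):
        if prev_bal <= 0:
            continue  # nothing left to drain; also avoids division by zero
        drop = (prev_bal - bal) / prev_bal
        if drop > max_drop_fraction:
            alerts.append(DrainAlert(block=block, before=prev_bal, after=bal))
    return alerts


# Constructed balance series (hypothetical numbers, sized like the Ronin loss):
# a few normal deposits and withdrawals, then one block in which almost
# everything leaves the bridge.
SAMPLE_BALANCES: List[Sample] = [
    (14_440_000, 180_000.0),
    (14_440_001, 179_950.0),  # a 50 ETH user withdrawal
    (14_440_002, 179_980.0),  # a 30 ETH deposit
    (14_440_003,   6_380.0),  # 173,600 ETH gone in a single block
    (14_440_004,   6_380.0),
]

if __name__ == "__main__":
    for a in detect_drain(SAMPLE_BALANCES):
        print(f"block {a.block}: reserve fell {a.before:,.0f} -> "
              f"{a.after:,.0f} ETH ({a.outflow:,.0f} ETH out)")
```

The threshold is deliberately crude. The point is that the bridge's reserves are fully observable on chain, so a script comparing consecutive balances is enough to turn a six-day blind spot into a paging alert; anything fancier (rate limits on withdrawals, a per-epoch cap enforced by the contract itself) builds on the same observation.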
The Funds
This ranks alongside last summer's Poly Network hack as one of the two largest crypto thefts of all time, although in that case the funds were returned by the hacker. Here, Ronin says it is “working with law enforcement officials, forensic cryptographers and our investors to ensure that all funds are recovered or reimbursed”. Whether they succeed is another matter; so far, the ETH and USDC that users deposited through the bridge are simply gone.
Etherscan shows the location of the funds
Because the blockchain is public, however, there is no mystery about where the funds are: at the moment all $600 million of the ETH sits comfortably in the attacker's wallet on the Ethereum blockchain, where anyone can watch it on Etherscan.
The blockchain also lets a sender attach a message to a transaction, in its input data field. Looking through the transactions sent to the hacker's wallet, you can see that many investors who lost their funds have tried desperately to appeal to whatever humanity the hacker may have.
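Those pleas are visible because a transaction's input field is just bytes, and explorers offer a "view input as UTF-8" option for exactly this case. The following is an added example, not code from the article: a small classifier that reads a transaction's input data and tells a human-readable message apart from ABI-encoded contract calldata and from an empty plain transfer. The sample inputs are constructed for the example; the only real identifier used is the ERC-20 transfer(address,uint256) selector 0xa9059cbb.

```python
"""Added example, not code from the article: read the messages that victims
embedded in transactions to the attacker's address.

An Ethereum transaction's `input` field carries arbitrary bytes. For a contract
call it holds a 4-byte function selector followed by 32-byte ABI words; for a
plain ETH transfer it is usually empty, but the sender may put anything there.
The sample inputs below are constructed for this example; the selector
0xa9059cbb (ERC-20 transfer) is real.
"""
from typing import Optional, Tuple


def _to_bytes(input_hex: str) -> bytes:
    hexstr = input_hex[2:] if input_hex.lower().startswith("0x") else input_hex
    return bytes.fromhex(hexstr)


def decode_input_message(input_hex: str) -> Optional[str]:
    """Return the input data as text if it is valid, printable UTF-8, else None.
    ABI-encoded calldata is full of 0x00 padding bytes, so it fails the
    printable check even in the rare case that it is valid UTF-8."""
    data = _to_bytes(input_hex)
    if not data:
        return None
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if all(ch.isprintable() or ch in "\n\r\t" for ch in text):
        return text
    return None


def looks_like_abi_call(input_hex: str) -> bool:
    """A 4-byte selector followed by zero or more 32-byte words."""
    data = _to_bytes(input_hex)
    return len(data) >= 4 and (len(data) - 4) % 32 == 0


def classify_input(input_hex: str) -> Tuple[str, Optional[str]]:
    """Classify a transaction input as ('message', text), ('abi_call', selector),
    ('plain_transfer', None) or ('unknown', None). The text check runs first:
    a short message could by coincidence have ABI-shaped length, whereas real
    calldata essentially never passes the printable-UTF-8 test."""
    if not _to_bytes(input_hex):
        return ("plain_transfer", None)
    text = decode_input_message(input_hex)
    if text is not None:
        return ("message", text)
    if looks_like_abi_call(input_hex):
        return ("abi_call", "0x" + _to_bytes(input_hex)[:4].hex())
    return ("unknown", None)


# Constructed inputs: a victim's plea, an ERC-20 transfer(address,uint256)
# call with a made-up recipient address, and an empty plain transfer.
PLEA_TEXT = "Please, that was my family's savings. Send it back."
VICTIM_PLEA = "0x" + PLEA_TEXT.encode("utf-8").hex()
ERC20_TRANSFER = (
    "0xa9059cbb"
    + "00" * 12 + "ab" * 20   # address argument, left-padded to 32 bytes
    + "00" * 31 + "01"        # amount argument: 1 raw token unit
)
PLAIN_TRANSFER = "0x"

if __name__ == "__main__":
    for tx_input in (VICTIM_PLEA, ERC20_TRANSFER, PLAIN_TRANSFER):
        print(classify_input(tx_input))
```

Anyone tracing stolen funds will run something like this over every inbound transaction to the attacker's address: the messages are the human side of the story, and the selectors (transfers, swaps, mixer deposits) are the part an investigator actually follows.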
A victim's message to the hacker, as shown on Etherscan
It is also a reminder that, despite all the progress DeFi has made, it remains a nascent industry full of risk. It will be an exciting place to be, but the journey can be rocky, as it is for any new industry. This week we saw 625 million examples of that.