Roughly $625 million worth of Ethereum (ETH) and USDC, a stablecoin pegged to the US dollar, has been stolen from the Ronin bridge that serves the popular cryptocurrency and NFT-powered game Axie Infinity.
The hack occurred last week but went unnoticed by the company until a user tried to withdraw a large amount of ETH and failed. The company revealed the hack in a blog post Monday night.
According to the blog post, the attacker exploited the Ronin network, a sidechain whose bridge moves assets between the main Ethereum blockchain and the Axie Infinity game. Sidechains add capacity and usability to a base chain: in this case, players transact on Ronin without paying Ethereum gas fees, and only touch the main chain when they withdraw their assets back across the bridge.
The bridge was secured by nine validator nodes, and a withdrawal was approved once five of the nine had signed it. Unlike Bitcoin or Ethereum's main chain, which is validated by thousands of nodes distributed around the world, this set was small and concentrated: Sky Mavis, the parent company of Axie Infinity, ran four of the validators, one was run by the Axie Decentralized Autonomous Organization (DAO), which is technically independent, and the remainder by other parties.
According to Sky Mavis, the attacker obtained the private keys of its four validators and then needed just one more signature. That came from the Axie DAO validator: in late 2021 the DAO had allowlisted Sky Mavis to sign on its behalf through Sky Mavis's gas-free RPC node (the service that relays signed transactions so users do not pay gas) to cope with heavy user load, and that allowlist entry was never revoked. With access to the RPC node, the attacker could produce the DAO's signature as well, reaching the five-of-nine threshold and forging withdrawals that the bridge accepted as legitimate.
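The following is an added example, not code from Sky Mavis or the Ronin project, that models the threshold check described above so the failure can be reproduced in a few lines: a bridge accepts a withdrawal once five of nine validators have signed it, an attacker holds one operator's keys, and a stale allowlist lets that operator also sign for a second validator. Everything in it is constructed: the validator names, operator assignments, keys and withdrawal message are toy values, and an HMAC keyed by a per-validator secret stands in for the ECDSA signature a real bridge contract would verify, so it runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed toy model of a validator-set bridge like Ronin's 5-of-9 scheme.
# Real bridges verify ECDSA signatures against validator public keys; here an
# HMAC keyed by a per-validator secret stands in so the example runs offline.
# All names, keys and amounts below are made up for illustration.
THRESHOLD = 5

VALIDATOR_OPERATOR = {
    "validator-1": "sky-mavis", "validator-2": "sky-mavis",
    "validator-3": "sky-mavis", "validator-4": "sky-mavis",
    "validator-5": "axie-dao",
    "validator-6": "operator-a", "validator-7": "operator-b",
    "validator-8": "operator-c", "validator-9": "operator-d",
}

VALIDATOR_KEYS = {
    name: hashlib.sha256(f"toy-secret-{name}".encode()).digest()
    for name in VALIDATOR_OPERATOR
}


def encode_withdrawal(withdrawal):
    """Canonical bytes every validator signs (constructed format)."""
    return json.dumps(withdrawal, sort_keys=True).encode()


def sign(validator, withdrawal):
    """Toy validator signature: HMAC-SHA256 over the canonical message."""
    return hmac.new(VALIDATOR_KEYS[validator], encode_withdrawal(withdrawal),
                    hashlib.sha256).hexdigest()


def verify_withdrawal(withdrawal, signatures, threshold=THRESHOLD):
    """Bridge-side check: count distinct known validators whose signature
    verifies against this exact message, then compare with the threshold."""
    valid = set()
    for validator, sig in signatures.items():
        if validator not in VALIDATOR_KEYS:
            continue  # unknown signer: never counted
        if hmac.compare_digest(sig, sign(validator, withdrawal)):
            valid.add(validator)
    return len(valid) >= threshold


def signable_by(compromised_operators, delegations):
    """Validators whose signatures an attacker controlling the listed
    operators can produce: those operators' own validators, plus every
    validator that has allowlisted one of those operators to sign for it."""
    reachable = {v for v, op in VALIDATOR_OPERATOR.items()
                 if op in compromised_operators}
    reachable |= {v for v, delegate in delegations.items()
                  if delegate in compromised_operators}
    return reachable


def forge_withdrawal(withdrawal, compromised_operators, delegations):
    """Signatures the attacker can attach to a withdrawal of their choosing."""
    return {v: sign(v, withdrawal)
            for v in signable_by(compromised_operators, delegations)}


# Constructed scenario mirroring the incident: one operator's four validators
# compromised, and validator-5 still delegating its signing to that operator.
STOLEN = {"recipient": "attacker-account", "token": "WETH", "amount": 1000}
COMPROMISED = {"sky-mavis"}
STALE_ALLOWLIST = {"validator-5": "sky-mavis"}


def attack_succeeds(delegations, threshold=THRESHOLD):
    """Does the forged withdrawal pass the bridge check under this policy?"""
    sigs = forge_withdrawal(STOLEN, COMPROMISED, delegations)
    return verify_withdrawal(STOLEN, sigs, threshold)


if __name__ == "__main__":
    print("allowlist still in place:", attack_succeeds(STALE_ALLOWLIST))  # True
    print("allowlist revoked:", attack_succeeds({}))                       # False
    print("6-of-9 threshold:", attack_succeeds(STALE_ALLOWLIST, 6))        # False
```

Two things the model makes visible: the verifier never counts more than one signature per validator, so an attacker needs keys (or delegated signing rights) for distinct validators, and the effective number of parties that must be compromised is what matters, not the nominal nine. Revoking the stale delegation or raising the threshold above the number of validators any single operator can reach both make the same forged withdrawal fail.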
Sky Mavis says it is working with law enforcement and the blockchain analysis company Chainalysis to trace the funds. Most major exchanges, including Binance, Crypto.com, Huobi and FTX, have indicated that they are aware of the situation. The Ronin bridge and its automated market maker Katana have been shut down until the situation stabilizes.
Axie Infinity is a game that lets users trade, breed and battle monsters to earn rewards in the form of two ERC-20 tokens, Axie Infinity Shards (AXS) and Smooth Love Potions (SLP). ERC-20 is the standard interface for fungible tokens issued by smart contracts on Ethereum; such tokens trade on the Ethereum blockchain but are separate from ETH, the base currency, and can carry additional logic. NFTs such as the Axie monsters themselves use a different standard, ERC-721, where each token is unique.
While sidechains and bridges are extremely useful for large-scale projects that require millions of transactions, like Axie Infinity, Vitalik Buterin, the co-founder of Ethereum, warned about their inherent dangers in a Reddit comment two months ago.
“51% attacking even one chain is difficult and expensive. However, the more usage of cross-chain bridges and apps there is, the worse the problem becomes. No one will 51% attack Ethereum just to steal 100 Solana-WETH [Wrapped Ethereum] (or, for that matter, 51% attack Solana just to steal 100 Ethereum-WSOL). But if there's 10 million ETH or SOL in the bridge, then the motivation to make an attack becomes much higher, and large pools may well coordinate to make the attack happen. So cross-chain activity has an anti-network-effect: while there's not much of it going on, it's pretty safe, but the more of it is happening, the more the risks go up.”
A 51% attack is when a malicious actor controls a majority of a blockchain's consensus power (hashing power on a proof-of-work chain, staked coins on a proof-of-stake chain) and uses it to rewrite recent history, for example reversing a confirmed payment so the same coins can be spent twice.
The Ronin bridge evidently held enough ETH and USDC that compromising five validator keys was worth it to the attacker. Note that this was not a 51% attack on Ronin's consensus: the attacker did not need a majority of anything, only five signing keys, and a validator set that small and that concentrated in one operator made obtaining them feasible. Buterin's broader point still applies, since the value locked in the bridge is what made the effort worthwhile. The attacker, however, may find it difficult to cash out the ill-gotten gains. In August 2021, more than $600 million taken in the Poly Network hack was eventually returned in full after a security firm said it had identified the attacker's IP address and email.
Meanwhile, the Axie hacker has made some puzzling decisions. A small amount of the stolen funds has been sent to centralized exchanges such as Binance. Centralized exchanges follow Know Your Customer (KYC) and Anti-Money Laundering (AML) rules, which makes them a poor place to launder money.
As CoinDesk points out, it is possible that the hacker is using purchased or hacked accounts, but it would still be difficult because centralized exchanges will likely prevent the stolen funds from being traded for other coins or sold for fiat currencies. And even if they did manage to sell the stolen funds on a centralized exchange and then cash out, doing so would reveal the hacker’s bank account information.
It is hypothesized by law enforcement that the hacker will eventually move the stolen coins through a decentralized exchange, a trading venue run by smart contracts rather than a company, so that no operator can freeze funds or demand identification, and swap them for a privacy-focused coin like Monero or Zcash.
From there they could swap the privacy coin back into a mainstream coin like Bitcoin or Ethereum on a decentralized exchange and then move it slowly to a centralized exchange for an eventual sale into fiat. With such a large amount, there is no guarantee the hacker will succeed in laundering the funds, and the current pattern of sending some of them to centralized exchanges remains baffling.
For now, most of the stolen ETH is traceable and effectively frozen in place. A clever hacker stole $625 million but currently has little to show for it.
