The Axie Infinity hack, what happened, and why people keep talking about bridges
On March 23, cryptocurrency priced at around $625 million was stolen from the Ronin network, which is the blockchain that powers the game Axie Infinity.
What is Axie Infinity?
Axie Infinity is a play-to-earn game with mechanics quite similar to Pokémon battles. Each player assembles a team of critters called “Axies”, which have different traits and strengths, and can be battled against other players’ teams. These Axies are somewhat pricey—the price fluctuates and depends quite a bit on which Axie you wish to buy, but the cheapest ones (prior to the hack) were around $25 each. During peak Axie popularity, the cheapest Axies cost more than $100.1 Given that a player needs at least three Axies to play, this is a substantial barrier to entry, and so “scholarship programs” have developed in which organizations buy the Axies and provide them to players, who in turn give the “scholarship” organization a cut of their earnings. This has resulted in many such organizations relying on players located where wages are low—more than half of Axie players were based in the Philippines as of November 2021. During May–August 2021, back when the game’s economy was fairly nascent and had not yet hit an inflection point with regards to its inevitable inflation, skilled players were able to make considerably more than the roughly $41/day average wage in the Philippines, even after accounting for the cut taken by the scholarship organizations. By November 2021, only the skilled players were making above even minimum wage—and only barely—despite the continuing narrative that Axie was changing lives in the Philippines by allowing people to play video games for a living.2
How does it work?
After assembling their team of “Axies”, bought with WETH, players battle against each other to earn “smooth love potions” (SLP). These SLP can then be spent to breed Axies, or cashed out into other forms of cryptocurrency and then, potentially, into real-world money. Axie Infinity also has a separate token, AXS, which is used both for governance and for breeding, and another token, RON, which is used to pay transaction fees. There are, of course, speculative markets for each of these. Ronin also supports USDC, a stablecoin that is pegged to the US dollar, for people who like to hedge against the volatility of the other supported tokens. And finally there are the NFTs—the Axie characters that are battled, bred, bought, and sold are each represented as an NFT. Are you keeping up?
Why doesn’t the game just use the Ethereum network, like so many other applications? Well, it does, sort of. The problem with the Ethereum network is that it’s quite slow and expensive to use. Depending on network congestion, transactions can take minutes or even days to be confirmed, and if you want your transactions to go through more quickly you have to pay more. Transaction fees cost between a few dollars and many tens of dollars. This is not exactly a hospitable environment in which to build a video game.
So, Sky Mavis (the company behind Axie Infinity) created what is called a sidechain. It’s based on the same protocol as Ethereum, but it operates independently from the Ethereum mainnet and uses a different consensus mechanism. Instead of the Ethereum miners that continuously grind away solving math problems in hopes of validating the next transaction (proof-of-work), the Ronin sidechain is based on proof-of-authority—that is, all of the validators are operated by known, trusted parties, and so don’t have to do all that expensive work to establish that they’re following the rules. It is more efficient than proof-of-work, but at the expense of decentralization. More on this later.
Ether, abbreviated to ETH, is the token underpinning the Ethereum mainnet. It is also not very interoperable—it predates the ERC-20 token standard that is used by many newer tokens. “Wrapped Ether”, or WETH, is simply the ERC-20 version of ETH on Ethereum, and it can be found on many different blockchain networks (thanks to bridges, more on that soon) where people wish to transact using their Ethereum without exchanging it for some other token. The value of WETH is pegged to that of ETH—that is, one WETH will always be worth one ETH.
Some people buy their SLP, AXS, RON, and WETH using standard currency by way of the Ronin Fiat Onramp (the “Ramp”)—use your credit card to transfer $20 in, and voila, you get $20 worth of any of those four tokens in your Ronin wallet (minus fees). But this isn’t much use for people who already have their money in crypto, and it’s also unidirectional—you can’t cash out your SLP for U.S. dollars (or any other fiat currency) via the ramp, which is a bit of a blocker for those trying to pay the bills by playing Axie Infinity.
So how does one get their crypto to Ronin, or cash out their Ronin crypto? And how does one “wrap” their Ether? This is where the Ronin Bridge comes in. Although Binance and two other (small) exchanges that support the Ronin network allow users to exchange some of the tokens from Ethereum to Ronin and back again, the safest and most common way people move their tokens around is via the Ronin Bridge. A bridge is really just two corresponding smart contracts on two networks—in this case, one on the Ethereum network, and one on the Ronin network. When someone sends a token like ETH to the Ronin Bridge, it is “locked” in the Ronin bridge—held so that it can’t be spent elsewhere on the Ethereum network. Simultaneously, the contract on the Ronin side creates an equivalent token—WETH—and deposits it into the user’s Ronin wallet. To the user it looks like their Ethereum moved from one network to the next, but the details of how this works are important.
Blockchain bridges work somewhat like a casino. When you go to a casino, you take your regular dollars and trade them for casino chips. You can do whatever you please with your casino chips inside the casino, but they’re not much use to you anywhere else. When you’re all finished, you go back to the desk and trade your casino chips back out for dollars. Although they’re just plastic, your stack of casino chips might represent quite a lot of money. But if something happened such that the person at the desk no longer had sufficient cash for you to cash out your casino chips, you might suddenly find your stack of chips aren’t worth very much.3
As I mentioned earlier, the Ronin network relies on a number of trusted validators to process transactions in the network. As it turns out, there were only nine validators in total (Ethereum, by comparison, has thousands of miners). This increased the risk of what is known as a 51% attack—when a malicious actor is able to compromise more than half of the validators on the network—since the attacker only needed to compromise five of the nine validators. And sure enough, an attacker was able to compromise four of the validators run by Sky Mavis, plus a fifth validator run by Axie DAO (a community-run organization supporting the Axie Infinity project). They then forged withdrawals, used their five compromised validators to validate the transactions, and drained 173,600 ETH and 25.5 million USDC that had been locked in the bridge. At today’s prices, assuming they were able to cash it out, this would be more than $625 million.
This is just a shocking amount of money. This appears to be the largest hack in the history of defi—at least in terms of the value of money at the time of theft. It’s second to the August 2021 Poly Network hack of $611 million, although in that case the majority of those stolen funds were later returned by the exploiter, who claimed to have been a white hat hacker demonstrating the vulnerability.4
I’m quite concerned for the Axie userbase, given the narrative that playing Axie Infinity can become someone’s job—particularly in developing countries. I feel like we’re seeing more and more incidents like this one, where it’s not just someone losing some extra cash that they decided to take a risk on, but people losing the money that they need to live. Another recent example was the March 27 exploit of Cashio, where the companies supporting that protocol have urged the hacker to return the funds because they may be “users’ life savings on leverage, and many of us will seriously be affected financially after this incident”. Someone saying they were affected by that hack sent a message to the hacker via Ethereum transaction where they wrote, “Hello, we lost our family savings worth $558k and [are] now facing a financial disaster”; another sent a message saying they had put all of their money plus a $35,000 loan from family into the protocol.5
I was also startled by Sky Mavis’s claim that they were not aware of the hack (perpetrated on March 23) until March 29 when a user reported issues withdrawing funds. If we take them at their word, that means they were missing $625 million for six days without realizing it, which is jaw-dropping. The alternative explanation is that they were aware and didn’t publicly announce it, which would mean they left their bridge and exchange operational for days despite a huge vulnerability, and were allowing users to buy in and transact with tokens that were largely unbacked. Either they are handling money in a completely irresponsible way, or they acted irresponsibly toward their users, and neither is good.
As far as the attacker, they have transferred relatively little out of the wallet that is known to be associated with the hack. This is somewhat unusual—typically after big hacks like this we see the hackers try to launder the crypto as quickly as they can before exchanges start freezing wallets. Sky Mavis has spoken about trying to recover the stolen funds—I think only time will tell how that goes. It’s not an easy task, but $625 million is certainly a strong motivator both for Sky Mavis, their investors, and law enforcement.
If Sky Mavis doesn’t recover the funds, they’re in a tough spot. The various tokens that operate on the Ronin network are now majorly unbacked. They could go the Wormhole route, and come up with $625 million to restore backing.6 I would say this seems unlikely, but I would’ve said Wormhole coming up with $320 million was unlikely too, and I was shown to be wrong on that one. The company lists some pretty big names among its investors—they raised $152 million in Series B funding in October 2021 from firms including Andreessen Horowitz, Accel, and Paradigm, valuing the company around $3 billion.
Sky Mavis has been continuing to make promises to reimburse their users regardless of whether the funds are recovered. However, even if they know they won’t be able to come up with that kind of money, they have a strong incentive to keep people believing that they can: the promise of a bailout is likely the only reason the various Axie tokens have any value left at all. The tokens have plummeted in value, but not to zero—we saw a similar thing happen in the aftermath of the Wormhole exploit, which seemed to be users holding out for good news.
“Axie Infinity: Infinite Opportunity or Infinite Peril?”. Naavik. November 12, 2021. ↩︎
Thankfully, casinos are fairly tightly regulated (at least in the United States), and required to carry insurance. The same is not true of Axie Infinity. ↩︎
”$611 million is stolen from Poly Network in one of the largest cryptocurrency heists to date”. Web3 is Going Just Great. ↩︎
“Wormhole, a cross-blockchain bridge, is hacked for more than $320 million in one of the largest hacks to date”. Web3 is Going Just Great. ↩︎
Disclosures for my work and writing pertaining to cryptocurrencies and web3 can be found here.