Crypto Heists

Security breaches on-chain: how preventable are they?

Blockchain Presence
Apr 8, 2022

Axie Infinity & other felonies

It may have come across your newsfeed this week: nodes and DAOs operated by Axie Infinity creator Sky Mavis were attacked on March 23rd, resulting in a $625 million drain of users’ bridged Ether and USDC.

Axie Infinity is an online game operating on the Ronin Network, an Ethereum sidechain. It allows its players to win tokens and is particularly popular in Venezuela and the Philippines. This is not an isolated event: in February, the Wormhole bridge was also hacked, causing losses of $300 million.

The list continues to grow, which is not surprising since, according to the NCC Group, the increase in attacks correlates with the growth in usage and in the number of players in blockchain-currency-based games and platform markets. That said, the behavior of some players in these markets, whose rules are mostly beyond the control of regulatory authorities, exacerbates the risk of hacking.

Indeed, crypto-currency exchanges and platforms are an interesting target for attackers because they deploy unprecedented systems. The Ronin heist underscores the security concerns that plague the wider market for decentralized finance, or DeFi, protocols. Around $2.3 billion was stolen from DeFi platforms in 2021. There is a great advantage to being a first mover in the crypto-currency market, though it can also benefit potential attackers.

How it (usually) works

As their name indicates, bridges allow for the conversion of tokens, as an exchange does for currencies. They typically lock up currency on one chain and then release the corresponding amount on a different chain, which makes them inherently large stores of crypto. Bridges can be either centralized (trusted) or decentralized (untrusted). The difference lies in who has control over the tokens used to generate the bridged assets.

Best practices on these bridges would include decentralized governance (i.e. not the multi-sig vulnerability of the Ronin bridge), rapid notification of large balance drops, and open-source code for the protocol, so anyone so inclined can vet the process. However, the computer code on many bridges, like the Ronin bridge, is not centralized, that is, unaudited, and that undermines the general security of Decentralized Autonomous Organizations.
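The "rapid notification of large balance drops" practice, sketched as an added example (not code from Sky Mavis, Ronin or this article's author): a monitor that reads periodic snapshots of a bridge's locked balance and of the amount released on the other chain, and alerts on a drop from the recent peak or on released supply that is no longer backed. The class and function names, thresholds and snapshot values are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Alert:
    timestamp: int
    kind: str
    detail: str

class BridgeMonitor:
    """Tracks (timestamp, locked balance) snapshots inside a sliding window."""

    def __init__(self, window_s=3600, max_drop_bps=1000):
        self.window_s = window_s          # look-back period in seconds
        self.max_drop_bps = max_drop_bps  # 1000 basis points = 10% of the peak
        self.history = deque()

    def observe(self, ts, locked, released):
        alerts = []
        # Lock-and-release invariant: tokens released on the other chain
        # must never exceed what is locked on this one.
        if released > locked:
            alerts.append(Alert(ts, "undercollateralized",
                                f"locked={locked} released={released}"))
        # Forget snapshots older than the window, then compare with the peak.
        # Using the peak (not the previous snapshot) also catches slow drains.
        while self.history and self.history[0][0] < ts - self.window_s:
            self.history.popleft()
        peak = max((bal for _, bal in self.history), default=locked)
        # Integer arithmetic avoids float rounding on large token amounts.
        if (peak - locked) * 10_000 > peak * self.max_drop_bps:
            alerts.append(Alert(ts, "large_balance_drop",
                                f"peak={peak} now={locked}"))
        self.history.append((ts, locked))
        return alerts

def scan(snapshots, **kwargs):
    """Run a fresh monitor over (timestamp, locked, released) tuples."""
    mon = BridgeMonitor(**kwargs)
    return [a for snap in snapshots for a in mon.observe(*snap)]

# Constructed sample data, in arbitrary token units.
SUDDEN_DRAIN = [(0, 200_000, 200_000), (600, 198_500, 198_500),
                (1200, 199_000, 199_000), (1800, 26_400, 199_000)]
SLOW_DRAIN = [(0, 100_000, 100_000), (600, 96_000, 96_000),
              (1200, 92_000, 92_000), (1800, 88_000, 88_000)]

if __name__ == "__main__":
    for alert in scan(SUDDEN_DRAIN) + scan(SLOW_DRAIN):
        print(alert)
```

In the slow-drain sample no single step loses more than 4%, yet the alert still fires once the cumulative loss from the window's peak passes 10%.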

Cyber-security challenges in DeFi

DeFi has great upside potential, but it also comes with many risks. Flaws in the code are common because anyone can launch a DeFi protocol and issue smart contracts, and inexperienced coders often make mistakes. The problem is that others are willing and able to exploit these flaws. They know that millions of dollars are at stake and have no qualms about leaving their victims out in the cold.

As centralized exchanges have tightened their cloud security controls, attackers have shifted strategies. They carry out social engineering attacks against human users using trusted schemes. The transparency of blockchains and their analytics tools constitute unprecedented capabilities for tracing virtual assets. This makes the investigation of cryptographic crimes easier, as well as the seizing of the stolen assets and the prosecution of wrongdoers.

Investigating the Ronin case

At the moment, there exists no cyber-police and most cases are conducted on a voluntary basis. Ronin developers have reportedly tracked the hacker’s wallet address, which they said still contained the stolen assets. The crypto exchanges Huobi and Binance have also expressed support for Axie Infinity in keeping an eye on any suspicious asset exchanges.

Nevertheless, governmental entities are increasingly involved in these on-chain investigations. Indeed, Chainalysis declared it was working with exchange security teams, as well as directly collaborating with government agencies to unveil the wrongdoers’ identity. It remains to be seen whether states will follow the developments of Web 3.0 and adapt the regulatory framework accordingly.

By Elise J.M.


Blockchain Presence is an innovative blockchain oracle solution developed by a project team at the University of Zurich between 2019 and 2020.