Big hacks say a lot about the crypto ecosystem. The Axie Infinity hack is no exception. Perhaps the biggest crypto hack of all time leads into a maze of NFTs, DAOs, sidechains and the Metaverse to end up in North Korea.
At around $660 million, it was perhaps the biggest crypto hack of all time, and at first glance, I have little understanding of what was involved:
The Metaverse, a game, digital land, Non Fungible Tokens (NFTs), a DAO, the Ronin Sidechain… and to top it off: hackers from North Korea.
So we have to unravel a rather tangled ball of yarn, which, given the sum involved, is not exactly unimportant. So let’s start at the beginning if possible.
When settlers and Pokemon give birth to a blockchain child…
Axie Infinity is a “blockchain game”, a mix of settlers and Pokemon. It was developed by Sky Mavis, a company from South Korea.
You can buy and hatch creatures called Axies, and then lead them into battle. All of this takes place in the land of Lunacia. There you can also buy land to farm resources and items and form your own kingdoms.
With a software kit you can edit the land to create your own games, dungeons or battlefields. In this way, Lunacia should be further developed in a decentralized manner, and players should also be able to earn money by adding places and quests to the world.
All of this is represented by tokens on a blockchain, by NFTs, originally on Ethereum. This makes it possible to verify everything that happens and to trade the creatures, lands, resources and items.
Is it still a game – or is it work?
In principle, Axie Infinity does not create anything fundamentally new. The foundations for such blockchain games were laid, at the latest, with CryptoKitties, which you could hatch and trade, and many games have associated such NFTs with combat and exploration.
However, Axie Infinity made the breakthrough. Axies and land worth $3.6 billion were traded; the most expensive Axie sold for $820,000, and the game is said to be played by 2.8 million people a day. This makes Axie Infinity a hugely successful game that has no equal, at least in the blockchain world.
Although “play” might be the wrong word. “Work” could be more appropriate. Where Ikea asked whether we are still just residing or already living, Axie Infinity asks whether we are still playing or already toiling away.
An NBC report describes how Axie Infinity is creating thousands of jobs in countries like the Philippines, Brazil or nations in Africa as people earn Smooth Love Potion (SLP) tokens through gambling. Clickworking in games has long been common practice, but Axie Infinity takes it to a new level.
The SLP tokens are one of the two in-game currencies. The other is AXS. This is probably a prerequisite for playing and serves as a governance token for the Axie-DAO, which enjoys a kind of directive authority for the further development of the game.
Axie Infinity is definitely doing something right. It is the first blockchain game or “metaverse project” to become truly successful.
Off to the Ronin sidechain
But with the success came the problems. As early as mid-2020, the developers recognized that a constant thorn in their side was “the congestion of the Ethereum network … Fees stay low for months, only to suddenly shoot up again and bring our economy to a standstill.”
In order for Axie Infinity not to get stuck with the early adopters, but to “reach our second, third and fourth degree connections (the friends and families of our friends and families)”, a permanent solution is needed. That solution is the Ronin sidechain.
Ronin is an “Ethereum-connected sidechain built specifically for Axie Infinity.” It’s a kind of slimmed-down version of Ethereum that leverages Proof of Authority (PoA). PoA was actually developed for an Ethereum testnet. Transactions are confirmed by specific, trustworthy validators. PoA reduces what makes Bitcoin and Ethereum so great, namely decentralization, to the minimum that (perhaps) just barely deserves the term.
PoA is used by the xDAI sidechain and the Binance Smart Chain (BNB), for example. It appears to be a highly centralized but reasonably secure and high volume consensus algorithm.
Sky Mavis managed to attract some well-known and trusted partners as validators for the Ronin sidechain, including the Binance exchange and the French game developer Ubisoft.
But that’s where the problems started, as I said – and the hack of around $660 million that took place at the end of March.
This is how the hack went
On March 23, the validators of Sky Mavis and the Axie DAO were compromised, after which 173,600 ether and 25.5 million dollar tokens (USDC) were stolen.
Stolen here means that the tokens were not simply taken on the Ronin sidechain: they were transferred to the Ethereum blockchain via the bridge connecting Ethereum to the Ronin sidechain. Presumably it was not so much player accounts that were hacked as the liquidity that such a bridge needs.
This happened in the following way: There are nine validators of the Ronin sidechain. Each validator can independently confirm transactions on the Ronin chain, but in order to deposit or withdraw tokens from it, i.e. to cross the bridge, five of the nine validators must confirm a transaction.
Four of the nine validators are owned by Sky Mavis. The hackers were able to gain access to these nodes through social engineering, giving them control over four out of the five necessary validators.
They got the fifth node because of a little carelessness on the part of the developers. In November 2021, the Axie DAO allowed Sky Mavis to sign transactions on its behalf because they were temporarily unable to cope with the onslaught of users.
This was suspended again in December because the Axie had upgraded the DAO. But the allowlist entry remained. Thus, after gaining access to Sky Mavis’ private keys, the hackers were also able to control the Axie DAO’s validator – and thus the fifth of the five necessary nodes.
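The quorum arithmetic described above can be checked mechanically by counting signing power per organisation rather than per node. The following is an added example, not code from Sky Mavis or from the original article; the validator ids, the "partner-N" names and the `in_use` flag are constructed for illustration.

```python
from itertools import combinations

THRESHOLD = 5  # signatures the bridge requires, out of 9 validators (per the article)

# Constructed inventory: validator -> organisation holding its signing key.
# The article names Sky Mavis (four nodes) and the Axie DAO; "partner-N" are placeholders.
VALIDATORS = {
    "v1": "Sky Mavis", "v2": "Sky Mavis", "v3": "Sky Mavis", "v4": "Sky Mavis",
    "v5": "Axie DAO",
    "v6": "partner-1", "v7": "partner-2", "v8": "partner-3", "v9": "partner-4",
}

# Constructed allowlist: who may obtain signatures from someone else's validator.
# "in_use" is False once the arrangement has ended but the entry was never revoked.
DELEGATIONS = [{"validator": "v5", "delegate": "Sky Mavis", "in_use": False}]


def effective_control(validators, delegations):
    """Return {organisation: set of validators it can make sign}."""
    control = {}
    for vid, owner in validators.items():
        control.setdefault(owner, set()).add(vid)
    for d in delegations:
        control.setdefault(d["delegate"], set()).add(d["validator"])
    return control


def compromises_needed(validators, delegations, threshold):
    """Fewest organisations an intruder must breach to reach the threshold."""
    control = effective_control(validators, delegations)
    for k in range(1, len(control) + 1):
        for orgs in combinations(sorted(control), k):
            if len(set().union(*(control[o] for o in orgs))) >= threshold:
                return k, orgs
    return None, ()


def audit(validators, delegations, threshold):
    """List findings: stale allowlist entries and single-party quorums."""
    findings = [("stale-delegation", d["delegate"], d["validator"])
                for d in delegations if not d["in_use"]]
    k, orgs = compromises_needed(validators, delegations, threshold)
    if k == 1:
        findings.append(("single-party-quorum", orgs[0], threshold))
    return findings


if __name__ == "__main__":
    for finding in audit(VALIDATORS, DELEGATIONS, THRESHOLD):
        print(finding)
    print(compromises_needed(VALIDATORS, [], THRESHOLD))
```

With the leftover allowlist entry, one organisation alone reaches the 5-of-9 threshold; with the entry revoked, at least two independent organisations would have to be breached.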
What happened after the hack…
The hack, of course, had an aftermath. This follows a long-established script.
First, the bridge between Ronin and Ethereum was blocked. Transactions on the Ronin sidechain are safe, but assets initially remain locked on the Ronin sidechain. This would probably have been inevitable since the bridge was deprived of liquidity.
After that, Sky Mavis contacted the police, computer forensic scientists, security analysts, investors and stock exchanges. They tried to find out what happened and by whom, to raise funds to compensate the users who lost something and to convince the exchanges to blacklist the ether addresses where the loot landed.
All of this apparently succeeded: the developers know what caused the hack. To prevent it from repeating itself, they want to increase the number of validators to 21, which will involve adding new partners and community members. The bridge transaction threshold is immediately raised to eight out of nine validators.
The vast majority of exchanges have blacklisted addresses, making it difficult to sell or trade the ether and dollar tokens.
A round of investors led by Binance put up $150 million, which will allow Sky Mavis to compensate affected users and replenish the bridge between Ronin and Ethereum.
The Lazarus group from North Korea
Eventually the culprit was found: the Lazarus group from North Korea.
This goes back to the US Treasury Department blacklisting the addresses involved in the hack and linking them to Lazarus.
Lazarus is a notorious hacking group rumored to be part of the country’s intelligence agency. It is behind numerous major hacks in recent years, such as the WannaCry ransomware or the Sony hack.
Lazarus is one of North Korea’s few economic players, if not the only one, that is internationally competitive. The analysis firm Chainalysis states that hackers carried out at least seven attacks on crypto platforms in 2021, extracting nearly $400 million in digital assets. Lazarus primarily targets investment firms and stock exchanges and pulls out all the stops of hacking: “phishing, code exploits, malware and social engineering.”
With $400 million, Lazarus accounted for about 2-3 percent of North Korea’s gross national product in 2021. With the Axie Infinity hack, the group has already trumped this share for 2022. However, the chances of ever liquidating these sums are extremely slim.