The $600M Axie Hack

How trading security for speed led to the biggest sidechain hack in history
Bankless Bankless Apr 2, 20222 min read
The $600M Axie Hack

Dear Bankless Nation,

It happened again.

Darryl does not approve of your weak security

In February we wrote about Solana’s Wormhole Bridge, which was compromised for $300M. This month, news broke around Axie Infinity’s Ronin sidechain.

$6 hundred million dollars.

That’s the cumulative amount hackers stole between ETH and USDC, making it the largest hack on the Rekt leaderboards.

William wrote a fantastic summary of events, but in short:

  • Ronin is Sky Mavis’ centralized custodial sidechain. When Axie Infinity went viral last July, Ronin helped scale transactions from the congested Ethereum network.
  • Ronin operates using a “Proof of Authority” consensus mechanism, meaning validator pools are very small. At the time of the hack, Ronin only had 9 validators and required 5 act honestly (think multi-sigs).
  • Ronin’s exploit wasn’t a technical smart contract vulnerability—it was a much simpler theft of validator private keys.

Details are still forthcoming on how the attacker accessed all 5 private key signatures, but it’s apparent that Sky Mavis did not have adequate security best practices in place to protect private key files.

But there’s a bigger lesson to learn here…

1. Assets on side chains are more risky

The security tradeoffs that come with processing transactions off a base chain like Ethereum aren’t anything new for those paying attention.

When you push your assets onto a sidechain, you are moving away from the trustless, decentralized form of security consensus on the underlying base Layer-1 chain.

Subsequently, you’re increasing trusted reliance on the reputation and security expertise of sidechains.

In short, you trade off security for costs and speed.

2. Scaling is the name of the game

As DeFi grows, the need to scale against user demand is exploding. Just this week, Binance announced plans to launch application-specific sidechains to reduce base network congestion for its blockchain games on its BNB Chain.

Considering the BNB chain has a grand total of 41 *approved* validators, that’s like streamlining the efficiency of national governments by setting up an intergovernmental body as an overseer.

It’s hypercentralization on roids.

In contrast, developers in the Ethereum ecosystem have opted to scale transactions via Layer-2 roll-ups instead.

Roll-ups allow faster transaction processing by compressing the data footprint on the base chain. Unlike sidechains, however, the security of roll-ups still depends on Ethereum's base chain, so users aren’t required to trust a separate set of validators.

3. We can’t forget decentralization as we scale

To accommodate user growth, everyone wants to scale fast, but not everyone is scaling securely.  Ronin’s hack this week gives us a clear objective: find a way to scale without sacrificing decentralization and security.

Newer entrants to the crypto space care less about decentralization. They want fast and cheap transactions. But doing so at the cost of decentralization is a short-term game.

People complain about the slow pace of the Ethereum roadmap, but the truth is decentralization takes time. But decentralization is the long-term game.

We expect Sky Mavis and Axie to learn these lessons and come back stronger than ever. Maybe with a path to a fully decentralized rollup.

Here’s what’s lined up for next week:

  1. Podcast episode with Packy Mccormick, the mind behind Not Boring
  2. How to get risk-free levered long on Ethereum 👀
  3. Guide to getting price exposure to the Merge

Stay 🔐

- Bankless Team


Written by Bankless

197 Articles View all      

No Responses