The $540 million cryptocurrency heist revealed last week marks the latest in a string of eye-popping hacks to hit a technology seen as the linchpin for building a more decentralized internet.
The hackers transferred funds using the Ronin network, software that allows users of the online game “Axie Infinity” to transfer digital assets across various blockchains. The increasing amount of exchange on such bridges has turned them into targets.
Developers are rushing to build these bridges to decentralized systems, known by the catchall “Web 3,” that can host increasingly complex applications such as games or lending services. But the expansion has come with increasing security risks as users flock to the blockchain and investors pump money into the companies behind them.
“The amount of value being locked in these bridges is skyrocketing,” said Arjun Bhupatani, founder of Connext Inc., which develops tools that help transfer information between blockchains. “Until we figure out a better mechanism [for protection], the hacks will get bigger and bigger.”
Decentralized financial systems lost at least $10.5 billion in 2021 due to crime, according to blockchain analytics firm Elliptic Inc., an estimate that includes stolen funds and price drops in crypto offered by the hacked system.
Last August, attackers stole more than $600 million worth of cryptocurrency from the Poly Network before returning the funds. In February, hackers stole about $320 million worth of digital assets from Wormhole, pushing the trading firm behind the bridge to reimburse users.
While previously crypto projects resided on individual blockchains such as Ethereum, in recent years developers have sought to expand to different chains to allow users to transfer assets in faster and cheaper transactions.
According to blockchain experts, the change has ignited a debate within the blockchain industry over the trade-off between security and usability, but money and energy are still moving toward cross-chain projects, putting pressure on security tools to keep pace.
“Everyone is just busy making money,” said Dima Budorin, chief executive officer of Hacken, a Web3-focused cyber firm.
Some bridges verify that data or funds can move from one chain to another by means of digital signatures required to approve transactions. Sky Mavis, the developer behind Ronin, requires five such verification keys across the nine-node network before users can transfer money earned by playing Axie Infinity. The game, which is popular in a handful of countries including the Philippines, allows users to earn crypto by creating and battling digital creatures.
Sky Mavis did not respond to requests for comment, but said in a blog post that hackers obtained the five keys needed to access Axie Infinity’s bridge through a social engineering hack. Sky Mavis said hackers stole user funds on March 23, and the company discovered the robbery on March 29 when no user could withdraw funds.
Sky Mavis said it is “committed to ensuring that all drained funds are recovered or reimbursed.” The stolen crypto, which hackers have begun transferring to a so-called mixing service that could be used to help launder illicit money, is now worth more than $600 million, according to blockchain-monitoring platform Etherscan.
Sky Mavis is also increasing the number of keys required for transactions to eight and expanding Ronin’s total number of such validators to further decentralize the system.
“The root cause of our attack was the small validator set which made it very easy to compromise the network,” the company said.
Targeting such keys is an unusual type of cyber attack against bridges, which trade as certificates, said Ronghui Gu, founder of blockchain security firm Certified Kernel Tech LLC. More often, he said, hackers target smart contracts, pieces of software that play a role similar to those of banks and lawyers, by assessing and verifying potential transactions.
Hackers can find bugs in the software to exploit or essentially spoof contracts to allow transactions, said Dr. Gu, assistant professor of computer science at Columbia University. He compared the digital process to counterfeiting a bank-guaranteed cashier’s check.
“Once a hacker has found a certified check, they can use it to withdraw money from an account,” Dr. Gu said.