This time last year, Axie Infinity (AXS-USD) took the world by storm with its Pokémon-style NFT game where players earn crypto…and which ultimately attracted 3 million daily users. Now, Axie is making world news again – after hackers made off with millions of USD Coin (USDC-USD) stablecoins and Wrapped Ethereum (WETH-USD) from Axie’s Ronin (RON-USD) blockchain.
The haul was worth $625 million at the time Ronin was hacked, which would make this the largest crypto hack ever. Here are some urgent lessons for investors – whether you own Axie cryptos or not!
Bridges in Crypto Are Often Shockingly Vulnerable
Before now, the title “worst crypto hack ever” definitely went to the Poly Network hack last August. That decentralized finance (DeFi) platform was taken for roughly $600 million (before the hacker returned much of it!)
Also high in these dubious rankings is February’s Wormhole hack, in which over $320 million was taken – once again in Wrapped ETH.
Why? Because the Axie, Wormhole, and Poly Network hacks all involve bridges, which let you trade crypto between blockchains by “wrapping” it on the second blockchain.
With the Wormhole bridge, the hacker was able to fake transactions between Solana (SOL-USD) and Ethereum (ETH-USD) and make off with real ETH. With Axie, the hacker exploited the Ronin network’s bridge to Ethereum.
I’ve written before that bridges are frequently the weak link in the New Digital World. It’s like spending all your time fortifying your bank vault – but then using a golf cart to move that money, versus an armored car. Don’t be surprised if it gets stolen!
I borrowed that golf-cart analogy from crypto investor Corby Pryor, who says he’s investing in better bridges like Flare Network (FLR-USD). You can read all about Flare here as it prepares to launch on July 4. In the meantime, there’s Cosmos (ATOM-USD), the decentralized “internet of blockchains,” which Luke Lango recommends for our Crypto Investor Network as a solid interoperability play.
Here it’s worth noting: “It looks like the Ronin hack was quite different than previous bridge hacks,” as Kelvin Fichter of Optimism (which operates its own bridge to Ethereum) describes in this Twitter thread:
It looks like the Ronin hack was quite different from previous bridge hacks. The Ronin bridge is a 5-of-9 validator bridge, meaning the funds are secured by a set of 9 secret keys, any 5 of which can be used to move money around.
— smartcontracts (✨🔴_🔴✨) (@kelvinfichter) March 29, 2022
Axie Infinity’s problem was that there are only nine validators operating its Ronin bridge. Nine! And “the hacker managed to get hold of the private cryptographic keys belonging to five of the validators – so that was enough to steal the crypto assets,” as Tom Robinson, co-founder of the blockchain analysis firm Elliptic, further explained in Bloomberg.
All of the compromised validators were controlled in some fashion by Axie’s developer, Sky Mavis. No wonder the Ronin Network Twitter announced Thursday that they “are pushing our plan to add new validators to Ronin in the coming months,” and have “replaced all of the former Sky Mavis validators.”
While Axie Infinity does have a plan for progressive decentralization, it might need to pick up the pace!
Decentralization is more often talked about in the New Digital World for philosophical reasons. Why trust Wall Street, Mark Zuckerberg, etc. to have my best interests at heart… when I can turn to a trustless blockchain, and take control of my money and online identity?
Leadership Matters, Too, Though
As far as I can tell, Axie Infinity had never been hacked until this Ronin bridge exploit. (Anytime crypto is involved, though, it’s likely you could be targeted by a phishing scam trying to trick you into signing over your stash.)
Tons of blood, sweat and tears go into building a project like Axie Infinity over its five-year history. Yet when it comes to the bridges: “The computer code of many isn’t audited, allowing for hackers to exploit vulnerabilities. It’s often unclear who runs them and exactly how. Identities of validators, who are supposed to order transactions on bridges, are often shrouded in mystery,” according to Bloomberg.
And while Axie’s leadership team, Sky Mavis, has been focused on rewarding its community with a deeper game, better animation, and the RON crypto, it let this $625 million hack slip by for nearly a week before it was uncovered. That sets off alarm bells for crypto watchers like CoinDesk columnist David Z. Morris:
The Ronin hack nobody noticed for six days has some very interesting implications for certain other crypto systems where there's a lack of transparency …
— The Lambo Renter (@davidzmorris) March 30, 2022
A Strong Community Can Ride Out The Storm
What Axie does have going for it is a core group of passionate founders who can assess the situation and make a plan to reimburse the victims. They’re also postponing their Axie Origin launch by a week to “give the engineering and security team an additional window of time to deeply investigate all implications of the breach.”
So… How do you get the best of both worlds: decentralization and leadership?
By carefully constructing a decentralized autonomous organization (DAO) that’s empowered to run the show.
“Empowered” is the key word there. Sky Mavis already has an Axie DAO, in which AXS holders have some voting powers. But full governance is something that would be turned over to Axie DAO further down the road: “by October 2023.”
Axie took a step backward in November, “when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allow-listed Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allow-list access was not revoked,” VentureBeat reports.
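The 5-of-9 quorum and the unrevoked allow-list described above combine into one question a bridge operator can check: how many independent parties must be compromised before an attacker holds enough signatures? The following is an added example, not code from the article, Sky Mavis or Ronin; the validator names, the party names and the split of keys between them are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

def effective_controllers(validators, delegations):
    """Map each party to every validator key it can sign with: keys it holds
    itself plus keys whose owner has allow-listed it (single hop only)."""
    owner_keys = defaultdict(set)
    for key_id, owner in validators.items():
        owner_keys[owner].add(key_id)
    reach = {owner: set(keys) for owner, keys in owner_keys.items()}
    for grantor, grantee in delegations:
        reach.setdefault(grantee, set()).update(owner_keys.get(grantor, set()))
    return reach

def min_parties_to_quorum(validators, delegations, threshold):
    """Return (count, parties) for the smallest group of parties whose combined
    signing reach meets the threshold, or None if no group can."""
    reach = effective_controllers(validators, delegations)
    parties = sorted(reach)
    for size in range(1, len(parties) + 1):
        for combo in combinations(parties, size):
            keys = set().union(*(reach[p] for p in combo))
            if len(keys) >= threshold:
                return size, combo
    return None

# Constructed 9-validator set with a 5-signature threshold (assumed custody split).
VALIDATORS = {
    "v1": "developer", "v2": "developer", "v3": "developer", "v4": "developer",
    "v5": "dao",
    "v6": "partner-1", "v7": "partner-2", "v8": "partner-3", "v9": "partner-4",
}
# A signing permission that was granted temporarily and never revoked.
STALE_ALLOW_LIST = [("dao", "developer")]

if __name__ == "__main__":
    for label, grants in (("allow-list revoked", []),
                          ("allow-list still active", STALE_ALLOW_LIST)):
        size, combo = min_parties_to_quorum(VALIDATORS, grants, threshold=5)
        print(f"{label}: {size} party(ies) reach quorum: {', '.join(combo)}")
```

In this constructed set, the nominal 5-of-9 threshold is a 2-party threshold once custody is counted, and the leftover allow-list entry lowers it to 1.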
Once again, I’d expect Sky Mavis to jump forward and hand more of the reins to Axie DAO. When power rests with a DAO, the community can act to overcome even the shortcomings of its leaders, as Ethereum Name Service (ENS-USD) did in February.
In the meantime… It’s very impressive that AXS crypto is down barely 10% on the news. RON, which is directly tied to the Ronin blockchain exploited in the hack, is down more like 20%. But AXS is a governance token for a game with 3 million active players! The price action suggests that the Axie community is standing strong.
If ambitious young communities like Axie Infinity can step up their leadership, support users, add value, and recover funds from security breaches, they can very well survive and thrive in this wild New Digital World.
On the date of publication, Ashley Cassell did not have (either directly or indirectly) any positions in the securities mentioned in this article. The opinions expressed in this article are those of the writer, subject to the InvestorPlace.com Publishing Guidelines.