A popular blockchain game called Axie Infinity has suffered what could well be the biggest security breach in the history of decentralized finance.
Hackers forged withdrawals last week from the game’s Ronin Network, which lost approximately $615 million and said it was working with law enforcement to recover the funds and reimburse players, many of whom had to pay hundreds of dollars up front to play. It’s unclear how many were affected. It’s also postponing the launch of a similar play-to-earn game. The incident points to a mounting challenge for web3, the catchall term describing digital services built on blockchain technology. A growing list of breaches that stem in part from errors in writing web3 code is upending one of the great promises of blockchain — enhanced security — and holding back the technology’s progress toward mainstream acceptance.
Last August, hackers stole more than $600 million from a blockchain program called Poly Network. Then in February, around $320 million was stolen from a so-called bridge that allowed people to transfer crypto assets between two popular blockchain networks, Solana and Ethereum. In both cases, most, if not all, funds were restored to the original holders. But DeFi, or the passel of blockchain networks trying to serve as an alternative to traditional financial systems, has become an attractive target for hackers thanks to the billions of dollars locked up in various applications that are also largely run autonomously. (Money stolen in the latest hack had not moved from the wallet of the attackers at the time of writing.)
The amounts lost through hacks of DeFi projects more than doubled in 2021, according to cryptocurrency security firm CertiK. A timeline on security website CryptoSec.Info lists 83 reported breaches of DeFi services, with approximately $2.3 billion lost between January 2020 and February 2022.
For those still willing to invest in web3: Steel yourself for the hacks to keep coming. An investor in Sky Mavis, the developer of Axie Infinity, has said the latest hack should serve as a warning to venture capitalists about underlying security weaknesses in blockchain services, particularly with bridges.
One issue with Ronin was that it worked off-chain, acting as another layer on top of the Ethereum blockchain to conduct transactions more quickly and cheaply. The trade-off: a secondary layer isn’t as secure as the blockchain itself.
Ronin Network did not go into much detail in a blog post about the mechanics of the hack, but the attackers may have taken advantage of a rush to validate a large number of transactions at once, according to Dan Hughes, founder of British DeFi startup Radix. In other words, Ronin’s attackers may have been exploiting a weakness in the network’s processes rather than a stray bug, pointing to some of the broader difficulties of building blockchain-based apps.
Many developers who create apps for Ethereum use a programming language called Solidity, which is designed for smart contracts, a simple program on a blockchain. But building with Solidity is one of the most complex forms of programming. Coders have to plot out their steps carefully and don’t have multiple tries to get something right. Making a mistake doesn’t just cause a glitch as it might with a site or app on the traditional web. It can lead to a security vulnerability, and with financial services making up such a high number of web3 apps, that can risk large sums of money too.
“Sometimes something as simple as a typo can be exploited by savvy hackers,” Hughes said in a Twitter Spaces discussion last week with Bloomberg Opinion. He added on Wednesday that it looked unlikely that a coding mistake with smart contracts was behind the cause of Ronin Network’s security breach.
Even so, a recurring string of hacks should serve as a wake-up call for prospective investors, and for web3 companies themselves to invest more in securing their highly complex systems.
Hughes says there’s a prevailing “move fast and break things” culture in web3 development. That could become increasingly dangerous when badly designed algorithms cause financial ruin.
“The problem with hacks is if you build a secure system, there’s hundreds of thousands of ways you have to get it right,” Hughes adds, alluding to an issue that affects web 2.0 as much as web3. “You’ve got to get it right every time. A hacker only one has to get it right once.”