A $540 million cryptocurrency heist revealed last week marked the latest in a string of eye-popping hacks hitting a technology seen as a linchpin to building a more decentralized internet.
Hackers moved the funds by exploiting the Ronin Network bridge, software that allows users of the online game “Axie Infinity” to transfer digital assets across different blockchains. The growing sums of money exchanged over such bridges have turned them into targets.
Developers are rushing to create these bridges to build out decentralized systems—known by the “Web3” catchall—that can host increasingly complex applications such as games or lending services. But the expansion has come with growing security risks as users flock to blockchains and investors pump money into the companies behind them.
“The amount of value being locked in these bridges is skyrocketing,” said Arjun Bhuptani, founder of Connext Inc., which develops tools that help transfer information between blockchains. “Hacks will get bigger and bigger until we figure out better mechanisms [for protection].”
Decentralized financial systems incurred at least $10.5 billion in losses in 2021 due to crime, according to blockchain analytics firm Elliptic Inc., an estimate including stolen funds and price drops in crypto offered by systems that were hacked.
Attackers last August stole more than $600 million worth of crypto from Poly Network before returning the funds. In February, hackers pilfered digital assets worth about $320 million from Wormhole, pushing the trading firm behind the bridge to reimburse users.
While earlier crypto projects lived on individual blockchains such as Ethereum, developers in recent years have sought to expand across different chains to allow users to move assets in faster and cheaper transactions.
The shift has ignited a debate within the blockchain industry over trade-offs between security and utility, but money and energy are nevertheless veering toward cross-chain projects, putting pressure on security tools to keep pace, according to blockchain experts.
“Everybody is just busy making money,” said Dyma Budorin, chief executive of Web3-focused cyber firm Hacken.
Some bridges authorize the movement of data or funds from one chain to another with a threshold of digital signatures from a set of validator nodes. The developer behind Ronin, Sky Mavis, required signatures from five such validator keys out of a nine-node network before users could transfer funds earned playing Axie Infinity. The game, which is popular in a handful of countries including the Philippines, allows users to earn crypto by creating and battling digital creatures.
Sky Mavis didn’t respond to requests for comment, but in a blog post it said hackers obtained the five keys needed to access the bridge underpinning Axie Infinity through a social-engineering attack. The hackers then stole users’ funds on March 23, Sky Mavis said, and the company discovered the heist only six days later, on March 29, after a user was unable to withdraw funds.
Sky Mavis said it is “committed to ensuring that all of the drained funds are recovered or reimbursed.” The stolen crypto, which hackers have begun to transfer to a so-called mixing service that can be used to help launder illicit funds, is now worth more than $600 million, according to Etherscan, a blockchain-monitoring platform.
Sky Mavis also is increasing the number of keys needed for transactions to eight and expanding Ronin’s overall number of such validators to further decentralize the system.
“The root cause of our attack was the small validator set which made it much easier to compromise the network,” the company added.
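The threshold check described above (five signatures out of nine validators, later raised to eight) can be illustrated with a small k-of-n verifier. This is an added example, not Sky Mavis's or Ronin's code: the validator identifiers, secrets and withdrawal record are constructed, and HMAC-SHA256 stands in for the real signature scheme so the block runs offline with only the Python standard library. It shows why holding five of nine keys was enough, why the same five keys fail once the threshold is eight, and, as a generic pitfall not attributed to Ronin, why a verifier must count distinct signers rather than raw signatures.

```python
import hashlib
import hmac
import json

# Constructed demo set: nine validators with hypothetical secrets (not Ronin's keys).
VALIDATOR_SECRETS = {
    f"validator-{i}": hashlib.sha256(f"demo-secret-{i}".encode()).digest()
    for i in range(9)
}

# Constructed withdrawal request that the bridge is asked to release on the other chain.
WITHDRAWAL = {"recipient": "0x" + "11" * 20, "amount_wei": 10**21, "nonce": 42}


def canonical(withdrawal):
    """Serialise deterministically so every validator signs exactly the same bytes."""
    return json.dumps(withdrawal, sort_keys=True, separators=(",", ":")).encode()


def sign(validator_id, withdrawal):
    """Return (validator_id, signature). HMAC stands in for an asymmetric signature."""
    mac = hmac.new(VALIDATOR_SECRETS[validator_id], canonical(withdrawal), hashlib.sha256)
    return validator_id, mac.hexdigest()


def signature_valid(validator_id, sig, withdrawal):
    """Verify one signature against the registered validator set."""
    secret = VALIDATOR_SECRETS.get(validator_id)
    if secret is None:
        return False  # signer is not a registered validator
    expected = hmac.new(secret, canonical(withdrawal), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def distinct_valid_signers(withdrawal, signatures):
    """Count validators whose signature verifies, counting each validator at most once."""
    signers = set()
    for vid, sig in signatures:
        if vid not in signers and signature_valid(vid, sig, withdrawal):
            signers.add(vid)
    return len(signers)


def naive_signature_count(withdrawal, signatures):
    """Generic pitfall: counts signatures, not signers, so one key replayed k times
    satisfies a k-of-n threshold. Shown for contrast only."""
    return sum(1 for vid, sig in signatures if signature_valid(vid, sig, withdrawal))


def bridge_accepts(withdrawal, signatures, threshold):
    """The bridge releases funds only when at least `threshold` distinct validators approve."""
    return distinct_valid_signers(withdrawal, signatures) >= threshold


def compromised_keys_scenario():
    """Attacker controls five of nine validator keys (the situation the article describes)."""
    compromised = [f"validator-{i}" for i in range(5)]
    sigs = [sign(v, WITHDRAWAL) for v in compromised]
    return {
        "threshold_5": bridge_accepts(WITHDRAWAL, sigs, 5),  # passes: 5 of 9 suffices
        "threshold_8": bridge_accepts(WITHDRAWAL, sigs, 8),  # fails: need 3 more keys
    }


def replay_scenario():
    """One key's signature submitted five times: naive count 5, distinct signers 1."""
    sigs = [sign("validator-0", WITHDRAWAL)] * 5
    return naive_signature_count(WITHDRAWAL, sigs), distinct_valid_signers(WITHDRAWAL, sigs)


def tamper_scenario():
    """Signatures over the original request do not verify once the amount is changed."""
    sigs = [sign(f"validator-{i}", WITHDRAWAL) for i in range(5)]
    tampered = dict(WITHDRAWAL, amount_wei=WITHDRAWAL["amount_wei"] * 100)
    return distinct_valid_signers(tampered, sigs)


if __name__ == "__main__":
    print("5 compromised keys:", compromised_keys_scenario())
    print("replayed single key (naive, distinct):", replay_scenario())
    print("valid signers on tampered request:", tamper_scenario())
```

Raising the threshold from five to eight only helps if the additional validators are operated independently, which is the point of the company's statement that the small validator set was the root cause; a threshold is a statement about how many distinct parties must be compromised, not about how hard any one of them is to compromise.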
Targeting such keys is an unusual type of cyberattack against bridges, said Ronghui Gu, founder of the blockchain security firm Certified Kernel Tech LLC, which does business as CertiK. More often, he said, hackers target smart contracts, pieces of software that play a role similar to banks and lawyers by assessing and validating potential transactions.
Hackers can exploit the software by finding bugs or essentially tricking contracts into allowing a transaction, said Dr. Gu, who is also an assistant professor of computer science at Columbia University. He compared the digital process to forging a cashier’s check guaranteed by a bank.
“Once the hacker gets a certified check they can use it to withdraw money from an account,” Dr. Gu said.