Crypto Crime: DeFi Hack Drains Record $625 Million
The PYMNTS series on crypto crime examines the capers that have not only been committed in the cryptocurrency industry, but have defined it – and bitcoin in particular – in the minds of many people.
In it, we’ll give you insight into the facts and myths, methods and tools, and how authorities and private firms are beginning to break down the mythical anonymity that many criminals – and honest people – believe absolutely protects their transactions.
Before we get to “How do you lose $625 million,” let’s pause to ask, “How do you lose $625 million and not realize it for six days?”
In fact, we haven’t gotten an answer to the second one yet, as Ronin Network, the cross-chain payment bridge that was exploited, only said that it “discovered the attack this morning after a report of ‘a user unable to withdraw 5k ETH’” – referring to ether, the #2 cryptocurrency.
The latest crypto hack was the biggest ever, a headline that doesn’t seem to last very long these days. It saw 173,600 ether, worth around $600 million, as well as 25.5 million USDC dollar-pegged stablecoins drained from the bridge protocol.
Ronin Network is a bridge protocol, a key part of many decentralized finance (DeFi) DApps and platforms, which allows users to deposit cryptocurrency and withdraw an “encapsulated” version usable on another blockchain. This allows borrowers to transact without the hassle and cost of exchanging one crypto for another on an exchange.
Ronin serves Axie Infinity, the top blockchain-based MMO game. Axie Infinity is a play-to-earn game with an NFT economy, and its users are by far the largest users and traders of non-fungible tokens: nearly 2.6 million players have bought and sold over $4 billion of NFTs in 15.3 million transactions.
Ronin offers Axie players a very inexpensive way to obtain and return the Ethereum – which can incur high fees on exchanges – needed to play and transact in-game. This is key, as there is a large community of gamers – mostly in low-income countries – who make money and even a living by collecting valuable NFTs to sell to Axie’s more than eight million gamers.
The game studio behind Axie Infinity, Sky Mavis, has promised to reimburse players who have lost funds. It also works with various law enforcement agencies and blockchain intelligence firm Chainalysis to track criminals. Ronin Network has been suspended while the investigation continues.
In August, the Poly Network bridge serving 15 blockchains lost $612 million to a hacker who spotted a loophole in its smart contracts, letting them empty its coffers before, miraculously, returning it all over the next few weeks.
Then last month, on February 2, the Ethereum-Solana Wormhole Bridge was hit by another code exploit in which $326 million was drained. And although it was not returned, the project’s developers and backers made up for the losses.
“If a deck has the ability to hit tokens, it’s like taking control of hitting machines,” Yat Siu, co-founder of Animoca Brands, an investor in Sky Mavis, told Bloomberg in a pre-hack interview. “Bridges are authoritative at this point, and if they’re poorly designed or have vulnerabilities, they become a huge risk to the ecosystem.”
This brings us to a third question: after three thefts totaling $1.5 billion since August, why would you entrust your crypto to a bridge protocol?
Judging by Ronin Network’s post-mortem, this exploit showed not only the inherent danger of bridge protocols, but also a broader problem with the DeFi consensus and proof-of-stake (PoS) mechanisms used to replace the hard-to-scale and environmentally devastating proof-of-work (PoW) consensus mining mechanism used to secure and add transaction information to bitcoin-style blockchains.
According to the recent Crypto Crime Report 2022 from Chainalysis, $3.2 billion worth of crypto was stolen from individuals and projects last year. $2.3 billion of that came from DeFi.
Like other PoS projects, Ronin Network uses validators that post stakes amounting to good-behavior bonds, which are automatically “reduced” as fines for bad behavior. This leaves two problems.
First, if the payoff is high enough, it can be worth losing those stakes, which are usually not very high relative to the value of the crypto involved. That doesn’t seem to be the issue in this case.
The second issue, which came back to bite Ronin Network, is that it only had nine validator nodes securing the network, with approval from five needed to move funds. Four nodes operated by Ronin Network and another by Axie Infinity had their passwords hacked, Ronin said. It added three more validator nodes as an initial precaution.
“The theft occurred following a hack of the Ronin Bridge ‘validator nodes’,” said Elliptic, the leading blockchain intelligence firm. “Funds can be transferred there if five out of nine validators approve it. The attacker managed to get hold of the private cryptographic keys belonging to five of the validators, which was enough to steal the crypto-assets.”
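The gap between a bridge's signature threshold and the number of separate operators whose keys actually have to be compromised can be checked mechanically. The following is an added example, not code from the article or from Ronin: the four unnamed operators, the fully spread layout and the `min_operators=3` policy are assumptions made for illustration.

```python
from collections import Counter

def min_operators_to_reach(threshold, key_holders):
    """Smallest number of distinct operators whose keys together meet the
    approval threshold; None if even all keys together fall short."""
    per_operator = sorted(Counter(key_holders.values()).values(), reverse=True)
    held = 0
    for operators_needed, keys in enumerate(per_operator, start=1):
        held += keys
        if held >= threshold:
            return operators_needed
    return None

def max_keys_per_operator(threshold, min_operators):
    """Largest per-operator key count that still forces at least
    `min_operators` separate compromises to reach the threshold."""
    if min_operators < 2:
        return threshold  # no independence requirement
    return (threshold - 1) // (min_operators - 1)

def audit(threshold, key_holders, min_operators):
    """Return (operators needed, operators holding more keys than the cap)."""
    cap = max_keys_per_operator(threshold, min_operators)
    counts = Counter(key_holders.values())
    over = sorted(op for op, n in counts.items() if n > cap)
    return min_operators_to_reach(threshold, key_holders), over

# Constructed layout matching the article: 9 validators, 5 approvals needed,
# four keys with one operator and one with another. The remaining four
# operators are placeholders (assumption; the article does not name them).
RONIN_LIKE = {f"v{i}": "Ronin Network" for i in range(1, 5)}
RONIN_LIKE["v5"] = "Axie Infinity"
RONIN_LIKE.update({f"v{i}": f"independent-{i}" for i in range(6, 10)})

# Same threshold, but every key held by a different operator (hypothetical).
SPREAD = {f"v{i}": f"operator-{i}" for i in range(1, 10)}

if __name__ == "__main__":
    for name, layout in (("ronin-like", RONIN_LIKE), ("spread", SPREAD)):
        needed, over = audit(5, layout, min_operators=3)
        print(f"{name}: {needed} operator(s) reach 5 of {len(layout)}; over cap: {over}")
```

In the constructed Ronin-like layout, a 5-of-9 signature rule reduces to a 2-operator custody rule, and adding validators without changing the threshold or the key concentration leaves that number unchanged.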
At the time of its Tuesday, March 29 blog post, Elliptic said approximately $41.5 million had been laundered through centralized and decentralized exchanges, or DEXs. The USDC was sold on multiple DEXs almost immediately, as many stablecoin issuers can freeze their tokens. Then $16 million worth of Ethereum was sold through centralized exchanges.
A number of major exchanges, including Binance and Huobi, have pledged to help track and recover stolen funds with their own security teams. Binance said it has halted deposits and withdrawals of Ronin Network’s RON token, as well as suspending withdrawals of wrapped ether – wETH – and conversions from wETH to much more tradeable ETH. Many inter-chain bridges use wrapped ether.