Author | Snow is stubborn
Edit | Jingyu
"Oh my God, is my money gone?!"
When Logan Evans, a 24-year-old American boy, learned that the game he was playing, Axie Infinity, was caught up in a hacking case, his first reaction was "fear of losing everything."
Axie Infinity is a world-renowned NFT game, a typical GameFi (Game Finance) product. According to Axie's website, the game has reached $3.6 billion in market transactions and attracts about 2 million users worldwide every day. The theft cost about $625 million and is currently the largest hack in the DeFi (decentralized finance) space.
Hackers have set their sights on the "fat meat" of cryptocurrencies. According to a data report released by Chainalysis, hackers stole $3.2 billion worth of cryptocurrencies in 2021. In the first three months of 2022, hackers stole $1.3 billion from exchanges, platforms, and individuals, 97 percent of which came from DeFi protocols.
The crypto world faces an unprecedented crisis of trust and security is being challenged. Blockchain security deserves people's attention, if security and trust are not guaranteed, the blockchain ecology will be reduced to empty talk.
In the blockchain world, new concepts and technologies are constantly emerging, but security issues are always the foundation for building new ecosystems.
Hackers target "cross-chain bridges"
In addition to the fear of losing money, what makes players like Evans even more dissatisfied is that the game company reacted only on the 6th day after being attacked, or through user reminders. Players feel that the company's negligence is the worst thing in the whole thing.
In fact, the target of this hack is not the Axie game itself, but the cross-chain bridge Ronin Bridge derived from it.
It is not unjust for the game project to be criticized. Originally, each cryptocurrency ran on its own separate blockchain, and there was no simple way to interact with each other. For example, you can freely trade Ether on Ethereum and at different addresses, but there is no way to send Ether directly to other chains.
Axie Infinity Game Page. | Source: NBC News
The hacked Ronin Bridge is exactly the cross-chain bridge that the game company created for the Axie ecosystem, which facilitates players to send and exchange game tokens between different blockchains, bypassing the expensive transaction fees on Ethereum.
With Ronin Bridge, the otherwise unattainable cross-chain transfer of funds becomes "silky".
In the multi-chain world, cross-chain bridges are important infrastructure, just like the Internet and road traffic in the real world. Cross-chain bridges can connect different blockchain systems, allowing users to transfer and exchange tokens between different chains.
In simple terms, cross-chain bridges can transfer assets from one blockchain to another, opening up operations between different blockchain systems.
On the cross-chain bridge, the exchange of funds is a very common thing. Axie game company is likely to mistake the hacker's operation for the user's normal deposit and withdrawal behavior, coupled with the lack of a complete contract balance monitoring system, there is no first time to detect the attack.
Shrewd in business, stepping on the pit of technical safety.
Where did the stolen "money" go?
Evans was lucky that he didn't lose real money as a result of the hack – he held the same amount of in-game currency as before, except that he couldn't withdraw money from the game for the time being.
But not all players are as lucky as he is. After hacking Ronin Bridge, it stole 173,600 ETH and 25.5 million USDCs, worth $625 million. Where did all this stolen "money" go?
Every few days, the attackers would take a portion of the money out of their wallets and transfer it to tornado Cash, a tool that could be thought of as "laundering money."
As of May 4, Beijing time, almost all of the stolen funds were transferred, and only 1.8 ETH were left in the original attack wallet.
CertiK leverages SkyTrace to generate a graph of the flow of the latest stolen funds. | Source: Twitter Account @CertiKAlert
Next, the attackers are likely to use other wallet addresses to withdraw money from Tornado Cash, completing a closed loop from theft to "money laundering".
Here's how Tornado Cash works: Tornado Cash is like a pool of money, where everyone can put their money into the pool and then withdraw money from the pool using another wallet address. The system will provide a password to withdraw money, and any wallet address can use this password to withdraw money.
It is important to note that the wallet address where the money is withdrawn is anonymous, and the wallet where the money is deposited is often able to find the source.
With the continuous maturity of on-chain analysis technology, and the identity verification of some capital changes that need to be filed with the exchange, it is possible to judge who the owner behind the wallet is to a certain extent through on-chain behavior. Tornado Cash, as a legitimate tool, is intended to provide users with the function of protecting privacy.
Due to the huge amount of funds and the complexity of the "money laundering" process, it is not a simple task for hackers to "wash" them all.
So, is it possible that the lost money will be recovered?
If the amount of money stolen is only in the millions, the probability of recovery is extremely low. In the Ronin Bridge incident, after the attacker deposited more than $600 million into the pool, the possible result was that a lot of the money in the pool belonged to him. In this case, once a large withdrawal operation occurs, it is possible to determine whether the withdrawal address behind it points to the attacker.
All in all, the more money is hacked, the more difficult it is for hackers to "wash" it in a short period of time, and the more likely it is to recover it. But it is difficult to say exactly how much money can be recovered.
Why is it that the "injured" always cross the chain bridge?
The reason ronin Bridge was attacked was that the verification node was lost. There are 9 verification nodes on the Ronin Bridge, each with a corresponding signature and private key. If the user wants to deposit and withdraw successfully, he or she needs to provide at least 5 signatures from 9 verification nodes.
The attacker successfully hacked into 4 validators and a third-party validator of ronin Bridge, obtained 5 legitimate signatures, and took down the funds on the cross-chain bridge.
It comes down to a vulnerability in the management of private keys by game companies. In addition, the studio wanted to use multiple keys to authorize operations and improve the security of transactions, but did not revoke the access to the early list of game projects in time, providing hackers with an opportunity.
This is not the first time hackers have attacked a cross-chain bridge.
Half a year ago, the cross-chain bridge called Poly was hacked, losing about $600 million. At the beginning of this year, there were 3 similar "bridge bombing cases" in 10 days, which aroused people's vigilance - "bridges" have become a weak link in blockchain security.
Even Ethereum co-founder V Shen has publicly expressed his support for "multi-chain" rather than "cross-chain", opposing the use of cross-chain solutions between Ethereum and other blockchains, believing that cross-chain bridges will increase security risks in the process of asset transfer.
God believes that there are basic safety limitations on cross-chain bridges. | Source: Twitter account @VitalikButerin Screenshot
Cross-chain bridges have become the soft underbelly of blockchain security, and they need to start from two concepts: on-chain transactions and cross-chain transactions.
CertiK engineer Yang Yuannan introduced that these are two completely different types of transactions. On-chain transactions rely on the consensus mechanism of blockchain algorithms – security has been proven in theory and practice. If the blockchain is regarded as a system, individual on-chain transactions are just updated data within the system to reach consensus.
This is not the case with cross-chain transactions. A "span" word breaks down the barriers between blockchains, which also means that the different systems at both ends of the "bridge" need to be updated and consistent to a certain extent, and the two systems may be very different. Since the design of each chain can only guarantee on-chain transactions, cross-chain transactions need to rely on many additional mechanisms, such as listening, processing and sending on-chain information, which is far more complex and difficult than on-chain transactions.
For example, transferring money at the same bank is convenient and easy to operate, but if you want to transfer money to other banks, or even offshore banks, it is not only complicated, but also has a handling fee.
The role of the cross-chain bridge in this middle is to ensure the correctness and consistency of capital changes between two different systems.
For example, to transfer 10 ETH on Ethereum to Binance Chain, the process of cross-chain transactions roughly includes:
After the Ethereum-side bridge contract receives 10 ETH, a transfer message is issued;
Cross-chain network monitoring to hear this news;
The cross-chain network calls the bridge contract at the end of the Binance chain and provides 10 ETH equivalent coins to the user.
The whole process involves three interconnected but relatively independent individuals: a bridge contract on Ethereum, a bridge contract on a cross-chain network, and a bridge contract on a Binance chain. They are located on different platforms, and they only use messaging mechanisms to ensure the transmission of data between chains.
The cross-chain project itself is a complex system, and the core here is the messaging mechanism. Once this mechanism is flawed, it can become the key for hackers to forge cross-chain messages to launch attacks.
Cross-chain operations are difficult to verify security, and because the server responsible for listening for messages is not in any blockchain system, it can only restore the operation instructions by listening for messages and preset message formats. As a result, the accuracy of the restore depends on the correctness of the process of publishing messages, listening, and decoding, which is difficult to verify.
In addition, the code complexity of different cross-chain projects is higher, the differences are larger, and the potential security problems are more diverse. Assets involved in cross-chain networks are more volatile and easier to lose than assets stored on a single chain.
The reason why the cross-chain bridge is complex is because the two sides of the cross-chain are completely different systems, and the cross-chain network as an intermediate third party has potential risks in its message processing capabilities and the security of message verification and issuance.
Although the "bridge" increases the security risk in the process of asset transfer, cross-chain projects still emerge in large quantities, and the funds active on the "bridge" are like a cake in the standing plate, delicious and easy to obtain, attracting hackers to come and go.
The hacking of Ronin Bridge taught the project parties another lesson: to avoid hacking, the most important thing is to ensure the security of the private key. In terms of specific execution, you can use a hardware wallet with higher security; ensure the decentralization of multiple private keys; and revoke the permissions of an obsolete node in time.
The cloak of Web 3, the soul of Web 2?
In the "decentralized" blockchain and Web 3 world of the imagination, security is one of the innate features. Unexpectedly, it was not a problem.
This is the result of a multi-factor game, and it is also an economic account. In terms of design, the cross-chain bridge can be decentralized or centralized, but the design cost and operating cost of decentralization are higher than that of centralization because it is more complex.
As mentioned earlier, transferring assets on a decentralized bridge requires the signatures of multiple nodes, relying on complex design and resource investment. If it is replaced by a centralized bridge, the design and management of the project party are more convenient and the cost is lower. Some cross-chain projects have adopted a centralized information processing method for the sake of system efficiency and convenience.
There is a view that the centralized bridge deviates from the spirit of Web 3, and behind it is still the old logic of Web 2.
However, in Wang Peiyu's view, the current existence of cross-chain bridges is still closer to Web 3, which is a typical Web 3 product. Because the function of the cross-chain bridge is to transfer money from one blockchain to another, which is implemented on the bridge. Almost all bridge implementations contain the logic of smart contracts, which are code that exists on the blockchain.
The boundaries between centralization and decentralization are not clearly demarcated, and there is a "risk of centralization" in the world of Web 3.
Hacking incidents occur frequently, one reason is that smart contracts are written with security holes, and the other reason is that DeFi projects are designed with logic flaws, such as not taking into account the impact that adding fees may have on transaction logic.
For DeFi, the "centralization risk" usually stems from the existence of privileged accounts in a project. Privileged accounts can change the configuration of smart contracts at will, and even use the funds of other ordinary users, there is a risk of transferring funds.
When a privileged account makes a mistake while updating the configuration, it can also cause losses to other users.
Privileged accounts have too much power at their disposal and may also provide hackers with a free-entry pass. Once a hacker captures the private key of a privileged account, it is possible to steal project funds through this account and harm the rights and interests of others.
The birth of cross-chain technology and projects has broken through the barriers between different blockchains in the crypto world, which can improve the economic liquidity of virtual currencies. The GameFi products represented by Axie enrich the application scenarios of the blockchain, make the technology more accessible to the people, and reduce the threshold for participation in Web 3.
But it is worth vigilance that there is no static beauty. Just like the real world, where there are interests, there are often hidden crises, and the greater the interests, the more complex the crisis.
The hacking of Ronin Bridge did give Kryptonian players like Evans a wake-up call, but he wasn't going to give up the game. "I still believe in Axie, and I love everything in this community."
Resources:
https://www.nbcnews.com/tech/crypto/axie-infinity-hack-leaves-players-shaken-still-loyal-rcna23379
https://www.theverge.com/23017107/crypto-billion-dollar-bridge-hack-decentralized-finance
https://blog.chainalysis.com/reports/2022-defi-hacks/
![PayPal CEO's crypto quote: Cryptocurrencies will redefine the financial world[fig]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)