Another day. Another crypto hack. This one involves non-fungible tokens, which exploded in popularity last year. And it has brought free publicity to the NFT developer.
One hundred and seventy-three thousand and six hundred thousand Wrapped Ether (a derivative of Ethereum’s native cryptocurrency) and 25.5 million of stablecoin USDC were stolen after validator nodes (nodes responsible for validating blocks of transactions occurring in a blockchain) on the Ronin network were hacked on March 23. According to various estimates, the hacker made off with $620 million worth of cryptocurrency.
Ronin is a sidechain – another blockchain – that runs off Ethereum and hosts Axie Infinity, a play-to-earn game in which users play and compete against each other with Axie, an online pet whose value can increase and decrease depending on the user’s skill. Sky Mavis, the game’s publisher told the Wall Street Journal, that game had approximately 1.7 million daily users in February.
A Growing List of Hacks
The hack is the latest in a long list of thefts that have plagued the crypto ecosystem and highlight its security vulnerabilities. As cryptocurrencies have exploded in popularity, criminal elements have found a ready and willing target for their efforts in their blockchains. According to Crystal Blockchain, there have been 226 hacks in the crypto ecosystem resulting in the theft of $12.1 billion worth of tokens. Last year alone saw the theft of $4.25 billion worth of crypto tokens.
Aleksander Larsen, CEO of Sky Mavis, told the Journal that “social engineering” was responsible for the hack. According to a post put up by the firm on publishing platform Substack, the decentralized nature of its validator node setup (meaning each node functioned independent of the other) should have ensured that the hacker did not get access to transaction keys.
However, the firm claims that the hacker found a backdoor entry by gaining hacking into the publishing firm Sky Mavis’s systems which had been granted access to the validator nodes in November 2021 because it was unable to handle a surge in the number of users on its platform. The startup claims to have already identified the hacker’s wallet and is working with crypto forensics firm Chainalysis to track movement of the stolen funds.
Will Investors Get Their Funds Back?
In the absence of a clear regulatory framework for cryptocurrencies, the current spate of hacks also shines a spotlight on their governance. Investors in mainstream finance vehicles have recourse to legal remedy; they may be left in the lurch in the crypto ecosystem. Cryptocurrency blockchains are governed by Decentralized Autonomous Organizations (DAOs), a form of collective in which important decisions relating to the blockchain and its future are determined through programmatic voting and tallying.
Previous hacks have resulted in forks of the original blockchain. In one of the more prominent cases last year, investors in tokens for Solana – a competitor to Ethereum – were reimbursed after a crypto venture capital stepped in with $320 million. The Axie Infinity DAO has been mum on a future course of action. However, Zirlin told attendees at a conference that there’s a chance that they [the hackers] can be identified and brought to justice.”
While Axie Infinity co-founder Jeff Zirlin declared the hack to be “one of the bigger [hacks] in [crypto’s] history”, crypto investors shrugged off the news. The price of ether and USDC has barely changed. As of this writing, ether was changing hands at $3415.92, unchanged from its price 24 hours ago and USDC held steady to its fiat currency peg with a price of $0.999.
The hack occurred on March 23, when the price of Smooth Love Potion (SLP) – the reward token in Axie Infinity – was priced at $0.02329. A day after the hack it rose to $0.02337. Much like the rest of the crypto market, it has remained volatile since. As of this writing, it is trading at $0.02043, the same price as it was trading at in the last 24 hours. The market’s tepid reaction to the hack has led Reddit users to opine that the hack is “free publicity” for the game. They might be correct. Sites have posted introductions to the game after reporting news of the hack. It is unclear whether the publicity is free or part of a paid promotion.