How did a hacker steal over $600 million from a crypto gaming blockchain? – Ars Technica


To understand the nature of that breach, let us take you on a crash course in the short history of Axie Infinity and the complex web of crypto standards and technologies that made the exploit possible.

To play Axie Infinity, players need to purchase at least three NFTs of playable in-game Axies on the open market (or borrow them from owners). Playing with those Axies then earns players some Smooth Love Potions (SLP), which can power up Axies or be sold to other players as a commodity, creating a "play to earn" loop.
Last year, there was enough hype and money sloshing through this system that some players in the Philippines were able to make a decent local wage simply by playing the game as their full-time job. But that early success helped attract more players who hoped to hop on to the play-to-earn train, which flooded the market with SLPs.
With few new buyers coming in to purchase all those SLPs, the value of the potions (in dollars) has cratered roughly 80 percent since early November and a whopping 95 percent from its peak last May, according to CoinGecko. As the SLP’s value has cratered, so, too, has the number of daily active Axie Infinity players and the number of new players buying fresh Axies.
(For much more on how the Axie economy functions, and how it falls apart without new players who want to buy SLPs, read through this lengthy report from consultancy Naavik.)
While Axie Infinity originally ran directly on the ethereum blockchain, the high transaction costs and slow transaction speeds on that network quickly became untenable as the game grew. To get around those fees, Sky Mavis in 2020 started to use a sidechain, a parallel private blockchain running on top of ethereum that could bypass the need to pay ethereum "gas" for each and every transaction.
Sky Mavis initially partnered with Loom Networks for this sidechain functionality. In March 2020, though, the company broke that partnership and introduced its own sidechain called Ronin.
Unlike the distributed proof-of-work ethereum blockchain, the Ronin sidechain operates on a much more centralized proof-of-authority system. Rather than consulting the entire distributed blockchain network to confirm transactions, this proof-of-authority system runs its transactions through a small set of trusted, handpicked "validator" nodes. Each node stakes some of its reputation on validating each transaction, theoretically punishing lone actors that try to game the system.
Centralized exchanges like Binance and decentralized exchanges like Katana give users a "bridge" to transfer their in-game assets back and forth between Ronin and the main ethereum blockchain. But because those transfers happen less often and in bulk, the transaction costs end up much lower.
Ronin’s proof-of-authority system, centralized in just nine validator nodes, is the key to its ability to provide a higher volume of transactions at a much lower cost than the sprawling ethereum network. It also ended up being Ronin’s weak point, in this case.
As Sky Mavis explains, the unknown attacker was able to breach Sky Mavis’ systems and gain full access to four validator nodes that the company controls. The attacker was then able to use a leftover backdoor in those nodes to gain control of another validator controlled by the decentralized Axie DAO.
With that fifth validator node, the attacker could then provide a majority of validation signatures on any transaction it wanted, leading to the fraudulent transfers.
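The five-of-nine rule the article describes is a threshold check: the bridge releases funds whenever at least five distinct validator keys have signed the same withdrawal, and it has no way to know whether those five keys sit with five independent organisations or with one compromised operator. The toy model below, written for this article and not Sky Mavis' or Ronin's code, shows that check, why holding five keys is enough to pass it, a governance metric (how many distinct organisations must be breached to reach the threshold) that exposes the concentration problem, and a monitoring rule that pages when a withdrawal's signers all come from one or two operators. Signatures are HMAC-SHA256 stand-ins for on-chain ECDSA (so the checker holds the same keys as the signers), the custody map and operator names are constructed, and the withdrawal amounts are made up.

```python
"""Toy M-of-N proof-of-authority bridge (constructed example, not Ronin code).
Threshold logic is the point; HMAC-SHA256 stands in for ECDSA signatures."""
import hashlib
import hmac
import json
import secrets
from collections import Counter

THRESHOLD = 5  # a simple majority of nine validators, as the article describes

# Hypothetical key-custody map (constructed): which organisation runs each
# validator. Four keys with one company plus one DAO key mirrors the article;
# the remaining operator names are placeholders.
OPERATORS = {
    "v0": "SkyMavis", "v1": "SkyMavis", "v2": "SkyMavis", "v3": "SkyMavis",
    "v4": "AxieDAO",
    "v5": "OperatorE", "v6": "OperatorF", "v7": "OperatorG", "v8": "OperatorH",
}


def generate_keys() -> dict:
    """One random 32-byte signing key per validator id."""
    return {vid: secrets.token_bytes(32) for vid in OPERATORS}


def canonical(withdrawal: dict) -> bytes:
    """Deterministic encoding so every validator signs identical bytes."""
    return json.dumps(withdrawal, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, withdrawal: dict) -> bytes:
    return hmac.new(key, canonical(withdrawal), hashlib.sha256).digest()


def count_valid_signers(keys: dict, withdrawal: dict, sigs: dict) -> int:
    """Distinct known validators whose signature verifies for this withdrawal.
    sigs maps validator id -> signature; unknown ids and bad signatures are
    ignored, and a dict cannot carry the same id twice."""
    valid = 0
    for vid, sig in sigs.items():
        key = keys.get(vid)
        if key is not None and hmac.compare_digest(sign(key, withdrawal), sig):
            valid += 1
    return valid


def verify_withdrawal(keys: dict, withdrawal: dict, sigs: dict,
                      threshold: int = THRESHOLD) -> bool:
    """The bridge rule: release funds only with at least `threshold` valid signers.
    Nothing here asks who operates the signing keys, which is the weakness."""
    return count_valid_signers(keys, withdrawal, sigs) >= threshold


def min_operators_to_threshold(operators: dict, threshold: int) -> int:
    """Governance metric: fewest distinct organisations whose combined keys
    reach the threshold. Taking operators with the most keys first is exact,
    since the best k-operator coalition is always the k largest key holders."""
    per_op = sorted(Counter(operators.values()).values(), reverse=True)
    total, used = 0, 0
    for count in per_op:
        if total >= threshold:
            break
        total += count
        used += 1
    return used


def signer_concentration_alert(sigs: dict, operators: dict,
                               max_operators: int = 2) -> bool:
    """Detection rule for a bridge monitor: a withdrawal whose signing set comes
    from at most `max_operators` organisations is anomalous for a federation
    that is supposed to be independent, and is worth paging on."""
    orgs = {operators[vid] for vid in sigs if vid in operators}
    return len(orgs) <= max_operators


if __name__ == "__main__":
    keys = generate_keys()
    tx = {"to": "0xrecipient", "amount": 1000, "nonce": 1}  # constructed
    honest = {v: sign(keys[v], tx) for v in ["v0", "v2", "v5", "v7", "v8"]}
    print("five independent signers accepted:", verify_withdrawal(keys, tx, honest))
    # Attacker holding the four company keys plus the DAO key, as in the article.
    stolen = {v: sign(keys[v], tx) for v in ["v0", "v1", "v2", "v3", "v4"]}
    print("five stolen keys accepted:", verify_withdrawal(keys, tx, stolen),
          "| concentration alert:", signer_concentration_alert(stolen, OPERATORS))
    print("organisations to breach at threshold 5:",
          min_operators_to_threshold(OPERATORS, 5))
    print("organisations to breach at threshold 8:",
          min_operators_to_threshold(OPERATORS, 8))
```

The contrast between the two `min_operators_to_threshold` calls is the design point: with this custody map a five-signature threshold is satisfied by breaching two organisations, while an eight-signature threshold needs five, so raising the threshold or spreading keys across independent custodians changes the attacker's job from one intrusion to several. The concentration alert is cheap to run against every bridge withdrawal and would have fired on the signing set the article describes.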