Axie Infinity Owner ‘Fully Committed’ to Reimbursing Players After Hack

The company behind the popular Axie Infinity crypto game said it will reimburse online participants who lost funds after hackers stole about $600 million from a blockchain underpinning the game

By Kristine Servando and Philip Lagerkranser
March 30, 2022 | 09:29 AM

Bloomberg — The company behind the popular Axie Infinity crypto game said it will reimburse online participants who lost funds after hackers stole about $600 million from a blockchain system underpinning the game.

“We are fully committed to reimbursing our players as soon as possible,” Aleksander Leonard Larsen, chief operating officer of the gaming studio Sky Mavis, said via text message. “We’re still working on a solution, that is an ongoing discussion.”

Money Stolen by Crypto Hack

Hackers exploited a security weakness in a so-called bridge -- software that lets people convert tokens into ones that can be used on another network -- to drain it of 173,600 Ether and 25.5 million USDC tokens in two transactions. The breach happened on March 23, but was only discovered Tuesday, according to Ronin, the blockchain that supports Axie Infinity.


The funds swiped include the “deposits of players and speculators and the Axie Infinity Treasury revenue,” Larsen said. Of the Ether stolen, 56,000 belonged to the Axie Infinity treasury, he said. The company doesn’t suspect insider involvement in the heist, according to Larsen.

Axie Infinity is among the biggest of the so-called play-to-earn games, which allow participants to accumulate tradeable crypto coins. Daily active users swelled last year in developing countries hit hard by Covid, including the Philippines, Brazil and Venezuela. It continued to be played Wednesday.

The attack is the latest to show that bridges are often rife with problems. The computer code of many isn’t audited, allowing for hackers to exploit vulnerabilities. It’s often unclear who runs them and exactly how. Identities of validators, who are supposed to order transactions on bridges, are often shrouded in mystery. And yet there are thousands of bridges out there, and they move hundreds of millions of dollars worth of crypto.

“From our experience, the chances of recovery are low,” said Rishav Rai, lead investigator for Merkle Science, a blockchain data analysis company. “When we look at the biggest crypto hacks and heists out there, it’s very rare that the funds get returned.”


AXS, a token used in Axie Infinity, fell as much as 11% after the hack was announced before recouping some losses. It was down about 5.8% on Wednesday, according to CoinMarketCap data. Ron, a token used on the Ronin blockchain, was down about 20%.

Sky Mavis has said it keeps all its revenue from Axie Infinity -- including fees for joining the game, breeding its nonfungible token creatures, and other in-game payments -- in its treasury, and only uses outside investor money to maintain its real-world team’s operations. It generated $1.3 billion in revenue in the 12 months through February.

“The easiest way to look at this is like the bridge is the bank for the Ronin Network,” Larsen said. “The heist that happened took out all the ETH and USDC. So the ETH/USDC on Ronin Network is not currently backed by anything. But we are looking at other options.”

A Massive Crypto Heist

In a previous story, Bloomberg’s Olga Kharif reported that:

computers known as nodes operated by Axie Infinity maker Sky Mavis and the Axie DAO that support a so-called bridge -- software that lets people convert tokens into ones that can be used on another network -- were attacked, with the hacker draining what’s known as the Ronin Bridge of 173,600 Ether and 25.5 million USDC tokens in two transactions. The breach happened on March 23, but was only discovered Tuesday, according to Ronin, the blockchain that supports Axie Infinity.

Kharif also reported:

The attack is the latest to show that bridges are often rife with problems. The computer code of many isn’t audited, allowing for hackers to exploit vulnerabilities. It’s often unclear who runs them and exactly how. Identities of validators, who are supposed to order transactions on bridges, are often shrouded in mystery. And yet there are thousands of bridges out there, and they move hundreds of millions of dollars worth of crypto.

“The fact that nobody notices for six days screams aloud that some structure should be in place to watch illicit transfers,” said Wilfred Daye, head of Securitize Capital, the asset-management arm of Securitize Inc.

The Ronin heist underscores the security concerns that plague the wider market for decentralized-finance, or DeFi, protocols. Some $2.3 billion was stolen from DeFi platforms in 2021, a jump of 1,330% from the year before, according to a tweet from blockchain research firm Chainalysis on Wednesday.

The price of Ron, a token used on the Ronin blockchain, dropped about 22% after the hack was disclosed. AXS, a token used in Axie Infinity, fell as much as 11% before recouping some losses, according to CoinMarketCap.