A notorious North Korean hacker group stole roughly $625 million worth of ETH and USDC on March 23, 2022, sending the Axie Infinity ecosystem into chaos. While the parent company, Sky Mavis, closed the security loopholes, players are still waiting to see if they’ll be made whole, and fascinating details continue to emerge surrounding the hack.
Let’s look at how Axie Infinity works, how its mechanics led to a fatal flaw, and how the organization responded to losing $625 million.
North Korean hackers stole roughly $625M worth of ETH and USDC from the Axie Infinity ecosystem—here’s what happened behind the scenes and what players can expect next.
What is Axie Infinity?
Sky Mavis’ Axie Infinity is a popular blockchain-based play-to-earn game. Each player starts by acquiring at least three “Axies” (NFTs) with different traits and strengths. Then, players can use their Axies to battle others in Pokemon-style competitions to earn “smooth love potions,” or SLPs, that they can use for breeding (and selling) Axies.
Last year, Sky Mavis launched an Ethereum sidechain known as the Ronin Network to improve transaction speeds and eliminate gas fees. The network uses a proof-of-authority consensus mechanism with a handful of “trusted entities” validating individual transactions and merging them back into the Ethereum blockchain in large blocks.
This year, the company also launched the RON governance token, enabling users to pay for transactions on the Ronin Network and leverage decentralized finance (DeFi) features, like governance and potential staking through validators to earn rewards. After its launch in January, the token traded at around $3.75.
How Hackers Stole $625M
Most Axie Infinity players use the Ronin bridge to convert SLP, AXS, and RON into Ethereum or fiat currency. You can think of a bridge as a casino where you deposit cash, gamble with chips, and then convert chips back into cash at the end of the day. In this case, smart contracts handle conversions between ETH (cash) and “wrapped” ETH (chips).
The Ronin Network’s validators confirm these transactions before adding them to the Ethereum blockchain. Unfortunately, the network had just nine validators, making it susceptible to a “51% attack” where an agreement among just five of them could forge transactions. And worse, the proof-of-authority approach made the attack even easier.
On March 23, 2022, a North Korean hacking group named Lazarus compromised four of the nine validators. The group used their voting power to forge transactions, stealing 173,600 ETH and 25.5 million USDC worth more than $625 million. The problem went unnoticed until March 26, 2022, when Sky Mavis shut down withdrawals.
You can think of the theft as a casino losing $625 million worth of cash with its chips still in circulation. But, of course, the chips may no longer have their 1:1 value if there’s no cash backing them. So, to remedy the situation, the company is trying to come up with $625 million in cash to restore funds. Otherwise, it will have to devalue the tokens.
Axie Infinity’s Response
Sky Mavis recently increased the number of validators on its network to eleven and now requires consensus among at least ten to process transactions. In addition, the company is installing circuit breakers to monitor withdrawals and identify potential issues much sooner. And finally, it’s collateralizing parts of its treasury to create a safety net.
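The first two of these controls can be sketched as a single withdrawal gate. The following is an added example, not Sky Mavis' or Ronin's code: the class name, validator names, one-hour window, and 5,000 ETH cap are assumptions chosen for illustration, while the 5-of-9 and 10-of-11 thresholds and the 173,600 ETH figure come from the article.

```python
from collections import deque

class BridgeGuard:
    """Hypothetical withdrawal gate: validator quorum plus an outflow circuit breaker."""

    def __init__(self, validators, threshold, window_s, max_outflow):
        self.validators = set(validators)
        self.threshold = threshold      # approvals required (article: 5 of 9, later 10 of 11)
        self.window_s = window_s        # assumed look-back window, in seconds
        self.max_outflow = max_outflow  # assumed cap on total outflow per window
        self.recent = deque()           # (timestamp, amount) of released withdrawals
        self.paused = False

    def quorum_met(self, approvals):
        # Count each known validator once; duplicate and unknown signers are ignored.
        return len(set(approvals) & self.validators) >= self.threshold

    def request(self, now, amount, approvals):
        if self.paused:
            return "rejected: bridge paused"
        if not self.quorum_met(approvals):
            return "rejected: quorum not met"
        # Drop releases that fell out of the window, then total what remains.
        while self.recent and now - self.recent[0][0] > self.window_s:
            self.recent.popleft()
        outflow = sum(a for _, a in self.recent) + amount
        if outflow > self.max_outflow:
            # Valid approvals are not sufficient: abnormal outflow halts the bridge for review.
            self.paused = True
            return "paused: outflow limit exceeded"
        self.recent.append((now, amount))
        return "released"

def run_demo():
    # Constructed sample data: validator names v0..v10 are placeholders.
    nine = [f"v{i}" for i in range(9)]
    five = nine[:5]
    old = BridgeGuard(nine, threshold=5, window_s=3600, max_outflow=5_000)
    results = [old.request(0, 100, five),        # routine withdrawal
               old.request(60, 173_600, five),   # quorum met, but breaker trips
               old.request(120, 1, five)]        # bridge stays paused
    new = BridgeGuard([f"v{i}" for i in range(11)], 10, 3600, 5_000)
    results.append(new.request(0, 100, five))    # same five approvals under 10-of-11
    return results

if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The breaker matters because the quorum check alone only verifies who approved a withdrawal, not whether its size is plausible; a paused bridge surfaces the anomaly within one request instead of days later.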
Of course, none of these actions replenish the already-lost funds. The company hopes to raise capital to address that shortfall. While $625 million is a high figure, the company has already raised $152 million in Series B funding and had a pre-hack valuation of around $3 billion, meaning it could have some wiggle room.
The good news is that crypto exchanges could recover some of these funds. For example, the hackers attempted to move their stolen funds into 86 Binance accounts that the exchange promptly seized, netting about $6 million in recovered funds. However, the hackers will likely divert most money into anonymous cryptocurrencies, like Tornado Cash.
Lessons for Crypto Enthusiasts
Axie Infinity’s Ronin hack was just the latest in a long trend of security breaches. For example, in August 2021, the Polygon Network lost $611 million, although the hacker returned most of the funds. Another famous example was the Wormhole heist, where hackers targeted a bridge to steal $326 million, but stakeholders eventually made everyone whole.
The biggest takeaway from these heists and others is that crypto projects rely on smart contracts and novel ideas. Unfortunately, smart contracts may contain bugs that turn into costly vulnerabilities like any software program. At the same time, hackers are constantly looking for ways to exploit novel ideas around consensus mechanisms.
You can avoid these problems in several ways:
- Diversify your cryptocurrency investments so that, if a single currency falls, you don’t lose everything.
- Cash out P2E game earnings into stable cryptocurrencies, like Ethereum, regularly.
- Approach novel ideas around consensus mechanisms and smart contracts cautiously.
The silver lining of these attacks is that you may be able to write off your losses on your taxes—as long as they aren’t due to theft or physical loss. Unlike stocks and bonds, cryptocurrencies aren’t subject to the Wash Sale Rule that bars people from claiming deductions for a loss if they repurchase an identical asset within 30 days. So, you may offset any capital gains and up to $3,000 in ordinary income.
The Bottom Line
The Axie Infinity hack is a sobering reminder that the decentralized finance and play-to-earn ecosystems remain in their infancy. While they may attract billion-dollar valuations, the technology behind them is often susceptible to the same kinds of vulnerabilities as any other software. So, players and investors should tread cautiously.
If you invest in cryptocurrencies, ZenLedger can help you aggregate transactions across exchanges and wallets, compute your capital gains and losses, and auto-fill popular IRS forms. You can even integrate with TurboTax to automate the entire process while having a robust paper trail in place to defend yourself in the event of an audit.