- Three experts explain how a hacker stole over $600 million of tokens from Axie Infinity's Ronin Network last month.
- They attributed the attack to human error and social engineering rather than any fault in the blockchain technology.
- "If consumers aren't protected from things like this, the industry is going to fail."
The massive Ronin Network crypto heist shouldn't be a deterrent to widespread crypto adoption, according to experts, who faulted a lack of cybersecurity rather than a flaw in blockchain technology.
Ronin is a blockchain protocol linked to Axie Infinity, a popular play-to-earn game with $4 billion in NFT sales that sees over 2.8 million players logging on each day. Ronin said in a Tuesday blog post that the attacker stole roughly $625 million in crypto, draining 173,600 ether and 25.5 million USDC.
The heist, which wasn't detected until almost a week after it occurred, is believed to be one of the biggest in the history of crypto and highlights the sector's immense risks.
"A hack used to mean loss of passwords and usernames, but in the age of crypto it means the loss of life savings," Ari Redbord, head of legal and government affairs at blockchain research firm TRM, told Insider. "Bank robbery at the speed of the internet."
Crypto heist exploited key oversight
Sky Mavis, the developer behind Axie Infinity, built a "side chain" — a secondary blockchain for faster, cheaper transactions — since transactions on the ethereum blockchain are expensive.
The side chain had nine so-called validator nodes, which are proof-of-stake tools that confirm transactions. At least five are necessary to approve each transaction. Sky Mavis oversaw five, and Axie Decentralized Autonomous Organization controlled four. Sky Mavis said it discontinued its agreement with the DAO in December but never revoked the permissions it allowed.
The hacker took over four of Sky Mavis' validator nodes and one from Axie DAO, enabling access to the crypto and eventually the massive theft. Sky Mavis said it has since replaced all of its validators and is working to reimburse the stolen funds.
Max Galka, CEO of crypto forensics firm Elementus, pointed to the lapsed DAO deal as a major oversight, noting that vulnerabilities arise when cryptocurrencies are stored in side chains rather than native blockchains.
"They never removed what was meant to be a temporary measure. It was an outright error," he told Insider.
Social engineering
The Ronin Network said all evidence suggests the attack was socially engineered, meaning individuals were targeted via emails or phishing and tricked into giving a hacker access.
"It was pure human error," Amber Ghaddar, founder of decentralized finance firm AllianceBlock, told Insider, adding that social engineering is one of the most common drivers of cybercrimes.
"If consumers aren't protected from things like this, the industry is going to fail," she said.
Hackers will keep using social engineering until it stops being effective, but this isn't reason to be skeptical of cryptocurrency as a technology, said Redbord.
All three experts agreed that the blame doesn't lie in the blockchain, as it's already an extremely secure mechanism that offers traceable transactions, transparency, and decentralization.
"Really what we're seeing is a cybersecurity issue, not a cryptocurrency issue," Redbord said. "The government is calling for crypto regulation, but really what would help is a hardening of cyberdefenses, rather than focusing on crypto."
Solutions could include funding for additional intelligence tools as well as more robust and pervasive cybersecurity networks, he said. Ghaddar added that educational outreach for companies and individuals could bolster existing defense systems.
"Attacks like this are concerning, but I believe in the promise of crypto," Redbord said. "We need to focus on building out a trust layer in the crypto economy — anti-money laundering infrastructure, compliance controls, cybersecurity — so that people will interact with this new online financial system."