$625M Hack Highlights Crypto Security Issues

How to steal 625 million dollars? In the case of the Ronin Network, a cross-chain bridge that allows people to make payments on one blockchain using another’s cryptocurrency, you hack five passwords.

If that sounds a little light on the security front, welcome to crypto, where $14 billion was stolen, hacked, and scammed last year.

See also: PYMNTS Crypto Crime Series: Latest DeFi Hack Drains Record $625M

But the Ronin Network hack exposed a much bigger problem that crypto may have to contend with as more money pours into decentralized finance (DeFi) projects: if your morality is elastic enough, sometimes crime pays very, very well, and $625 million will stretch a lot of people’s morals.

This issue is one the payments industry will need to pay attention to, as it goes to the heart of the technology enabling blockchain transactions to scale to the point where they can compete with credit card networks and other payment rails.

“This hack reflects the ongoing challenges that blockchains and operators face in balancing user experience and security,” said Flora Li, head of the Research Institute at cryptocurrency exchange Huobi.

Ronin Network is the underlying blockchain behind Axie Infinity, by far the largest blockchain-based massively multiplayer online (MMO) game, with more than eight million players.

The problem, Li explained, is that the game “exploded in popularity and saw a rapid influx of users onto the Ronin blockchain,” and the developers “took shortcuts to relieve network bottlenecks, reducing the number of nodes that needed to be validated for transactions [to be added to the blockchain] to just five out of nine nodes, making it easy for hackers to exploit.”

Read more: The 51% Attack: Crypto’s Double-Spend Achilles’ Heel

It’s the dirty little secret of crypto, which likes to tout the permanence and immutability of the blockchain. While that isn’t false, what it leaves out is that current and recent transactions aren’t as secure as older ones.

And even worse, taking control of a blockchain project allows you to rewrite its rules – which is apparently what happened to the Ronin network.

Big stakes

The blockchain technology in question is called proof-of-stake, or PoS, and it’s the consensus mechanism used to secure virtually every DeFi project — and really every crypto project — for the past two years.

Related: PYMNTS Crypto Basics Series: What is a consensus mechanism and why is it destroying the planet?

You can go into detail using the link above, but the crux of the matter is that PoS is what allows new blockchains to avoid the energy-intensive and polluting mining that powers Bitcoin.

PoS replaces Bitcoin’s miners, who compete to validate transactions, add them to the blockchain, and collect a reward in newly minted tokens. In a blockchain, randomness is the key to security: no one knows in advance who is going to approve a specific transaction.

Instead of racing to solve a puzzle, as miners do, PoS blockchains use randomly selected validators who put up a “stake,” similar to the bond a criminal defendant posts to get out on bail: a guarantee that they will show up for trial.

Like bail-jumpers, validators can be penalized by having their stake “slashed” (reduced) for bad behavior, ranging from letting the network go down to approving bad transactions.

However, the problem isn’t that jumping bail is sometimes worth it; it’s that if there are too few validators, jumping bail is too easy.

This is where we come back to the fact that the Ronin thief only had to hack five passwords. With just nine validators maintaining the project and well over half a billion dollars at stake, controlling more than half required a relatively small amount of phishing.

Bad actors

There is, however, another potential flaw with an undersized PoS blockchain that does not rely on hacking. Bad actors don’t have to be strangers.

Let’s pause to be very clear: no one has so much as suggested that the Ronin blockchain validators are anything other than victims, but the thought experiment is easy enough to follow.

To become a validator on many decentralized blockchains, all you have to do is set up a node – a computer running a copy of the blockchain – and set up a stake.

Typically, that isn’t a whole lot of money: a five-figure amount of the blockchain’s native token. If you set up enough nodes, you can outnumber the “good” nodes.

It’s not that simple, of course. For one thing, staking usually involves many token holders “delegating” their tokens to the staker in exchange for a portion of the rewards. And although validators are chosen at random to validate a block, they are selected in proportion to the size of their stake: someone holding 5% of the total amount staked will be chosen to validate 5% of new blocks.
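To make the two mechanisms above concrete (a 5-of-9 signing quorum, and stake-proportional validator selection), here is an added Python model; it is not part of the original article and not Ronin’s code, and the validator names, stakes and thresholds are constructed for illustration. It computes how few validators need to be controlled to hold a majority of stake (the Nakamoto coefficient), checks a bridge-style signature quorum, and simulates stake-weighted block selection.

```python
import random
from collections import Counter

# Constructed sample sets (illustrative, not real network data).
# Nine equal-weight validators with a 5-signature quorum, as the
# article describes for Ronin.
EQUAL_NINE = {f"v{i}": 1.0 for i in range(1, 10)}
RONIN_STYLE_THRESHOLD = 5
# An uneven set where delegation has concentrated stake in a few stakers.
UNEVEN = {"big-a": 30.0, "big-b": 25.0, "big-c": 20.0, "mid": 10.0,
          "small-1": 5.0, "small-2": 5.0, "small-3": 3.0, "small-4": 2.0}


def quorum_reached(signers, threshold):
    """Bridge-style check: a withdrawal is approved once at least
    `threshold` distinct validator keys have signed it. Any five
    keys out of nine satisfy a 5-of-9 rule; duplicates do not count."""
    return len(set(signers)) >= threshold


def min_controlling_set(stakes, fraction=0.5):
    """Smallest number of validators whose combined stake exceeds
    `fraction` of the total (a Nakamoto-coefficient style metric).
    Lower means fewer compromises or collusions control the chain."""
    total = sum(stakes.values())
    running = 0.0
    for count, stake in enumerate(sorted(stakes.values(), reverse=True), 1):
        running += stake
        if running > fraction * total:
            return count
    return len(stakes)


def stake_share(stakes, name):
    """Fraction of total stake held by `name`: the expected share of
    blocks it will be chosen to validate."""
    return stakes[name] / sum(stakes.values())


def simulate_selection(stakes, slots, seed=0):
    """Pick a validator for each block slot with probability proportional
    to stake (seeded so the run is reproducible). Returns the observed
    share of slots per validator."""
    rng = random.Random(seed)
    names = list(stakes)
    picks = Counter(rng.choices(names, weights=[stakes[n] for n in names], k=slots))
    return {n: picks[n] / slots for n in names}


if __name__ == "__main__":
    print("validators needed for a stake majority:", min_controlling_set(EQUAL_NINE), min_controlling_set(UNEVEN))
    print("observed share for small-1:", round(simulate_selection(UNEVEN, 20000)["small-1"], 3))
```

Raising the quorum or spreading stake across more independent operators raises the number of keys an attacker must obtain, which is the knob the article says Ronin turned the wrong way.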

Other options, other problems

An alternative is Delegated Proof of Stake (DPoS), in which token holders vote for a set number of delegates, with the top vote-getters becoming the validators. If that sounds better, it isn’t.

See also: Voting power battles DeFi efforts to gain wider acceptance

An example is Steem, a DPoS blockchain running a social media project. It was run by governance tokens, whose owners voted for “witnesses,” with the top 20 acting as validators.

When a wealthy investor bought a large majority of the tokens, the witnesses froze his token votes. He then garnered enough votes to replace the witnesses, reverse the freeze, and regain control of Steem. Although no user funds were lost, an overwhelming number of users decamped to a new version created by forking the blockchain.

Nor is mining-style proof of work, or PoW, a panacea. An offshoot of Ethereum, Ethereum Classic, suffered several 51% attacks when bad actors were able to hire enough mining power to take control.

A balancing act

The problem in Ronin’s case boiled down to centralization, or rather a lack of decentralization. It comes down to a well-known trade-off in blockchain design that Ethereum creator Vitalik Buterin called the “Blockchain Trilemma.”

Basically, it holds that the three properties of a blockchain, decentralization, security and speed, trade off against each other: any two can only be improved at the expense of the third. Blockchain design is therefore a balancing act.

Improving decentralization means more nodes, which slows down consensus: every node must accept the block proposed by the validator.

Scalability means the number of transactions per second the blockchain can handle. Making a chain more decentralized and secure reduces its scalability. Security, in turn, requires more decentralization, which reduces speed and scalability.

That said, it’s also easy to read too much into the security issues exposed by the Ronin Network hack. Most of the leading PoS blockchains have many more validators, and when Ethereum moves from mining to staking under the Ethereum 2.0 project, its validator count will be huge. It also claims it will be able to handle 100,000 transactions per second.

However, if you’re considering putting payments on a blockchain, know what you’re getting into and don’t buy into the immutability hype.
