Last week Sky Mavis, the Vietnam-based company behind the crypto game Axie Infinity, revealed that a hacker stole hundreds of millions of dollars worth of crypto from its blockchain. Sky Mavis realized it had been attacked when a user could not make a withdrawal six days after the breach, and the company froze transactions on its compromised Ronin Network bridge.
Now Sky Mavis has announced it’s received $150 million in investments that “will be used to ensure that all users affected by the Ronin Validator Hack will be reimbursed.” At nearly the exact same time, it’s launching a new version of the game, Axie Infinity: Origin. According to Sky Mavis CEO Trung Nguyen, “As a team, we have made an intentional decision to focus on what lies ahead.”
Other crypto companies that work with Axie Infinity and Sky Mavis — and have enormous sums tied up in Web3 and NFTs — lead the list of names that bought in to bail out Sky Mavis instead of potentially seeing it collapse. The list includes crypto exchange Binance, Web3-promoting venture capital firm A16z, and Animoca Brands, which owns The Sandbox, among several others.
Now Sky Mavis says that it plans to reopen the Ronin Network bridge after it undergoes a security upgrade and audits to try and detect if there are other weaknesses. Binance (which just invested in the game) has reopened transactions with the network, and according to the exchange, that means “all individual users will be able to withdraw their funds.”
The Sky Mavis team says the March 23rd heist (that, again, went unnoticed until March 29th when a user tried to withdraw funds and couldn’t) was “socially engineered,” taking advantage of vulnerabilities from trade-offs made while attempting to reach mainstream adoption. While they remain committed to making players whole using their own funds combined with the investments, the 56,000 Ether nicked from the Axie Infinity DAO’s treasury will remain “undercollateralized” while the company and law enforcement try to get the crypto back. Their plan is to wait two years and then have the DAO vote on what to do next.
As for the stolen funds, about 168k Ether (worth over $540 million at this writing) remain in the wallet where the thief or thieves left them. Attempting to launder a haul of that size is a problem since anyone can see transactions made on the blockchain. As we detailed in 2013, while crypto mixers or tumblers can help obscure the source of funds, law enforcement organizations are focusing on them even more carefully, and washing such an enormous sum could take a long time.
A report by The Wall Street Journal cites the CEO of bug bounty platform Immunefi saying that moving this much money through a tumbler could take years. Industry watchers like Peckshield continue to post alerts in real time as small fractions of the stolen crypto shift out of the thief’s account to other wallets and into mixers like Tornado Cash.
Nguyen says that the Ronin Network will expand the number of validator nodes on its proof-of-stake blockchain network over the next three months from five to 21 to strengthen security. Having fewer nodes to review transactions makes things faster and more efficient. Still, it can be a security risk if someone compromises enough of them — in this case, the attacker took over five of the nine nodes and could withdraw any funds they wanted.
Before the hack occurred, Axie Infinity was already suffering from a 45-percent drop in daily active users, as reported by Bloomberg, and from in-game economy issues that caused operators to cut in half the amount of SLP tokens players could earn through PVE play each day (the lure of the game is that you can play to earn money using NFT characters you’ve purchased access to), “with the long term health of the ecosystem in mind.”
Despite the theft, the company just launched an “Early Access” alpha version of its next game, Axie Infinity: Origin (another planned spin-off, Land, will invite players to take on the fun role of “land barons”). This new “ecosystem experience” is supposed to be more welcoming to a worldwide audience (Axie Infinity claims over 2.2 million monthly active players, and a player tracker indicates about 40 percent are in the Philippines, where many rely on it as a full-time job), with “brand new interfaces, game mechanics, art, special effects, storylines, and an expansive onboarding experience.”
Most importantly, unlike the base game, players will start with three free “axies” to do battle with. While their free axies don’t allow participation in the “earn” part of “play to earn,” the idea is that it’s a way for people to try out the game without having to buy an NFT character or rent one from a manager player who leases access in exchange for a cut of earnings. As the announcement mentions, “Finally new players will be able to learn the game, and fall in love with the universe before needing to touch crypto and NFTs!”
The developers say that the current Battles v2 (Classic) version of the game will remain live until they complete testing, then deprecate the old version and move token rewards into Origins, removing the valuable incentive to play the older game. Any players enticed into creating a Ronin wallet and funding it with cryptocurrency to buy axies can have their minds eased that users will be reimbursed after the big heist, but is that enough to make anyone confident it won’t happen again?