Ronin Attack Shows Cross-Chain Crypto Is a ‘Bridge’ Too Far

Last week’s $625 million exploit of the Axie Infinity sidechain underscores the risks of sacrificing decentralization for scale, Ethereum boosters say.

Apr 5, 2022 at 7:45 p.m. UTC
Updated Apr 25, 2023 at 7:26 p.m. UTC

Crypto news seeped back into mainstream headlines last week with the disclosure of a $624 million heist from Axie Infinity’s Ronin Network. The attack targeted the Ronin Bridge, which enables users to pass funds between the Ronin network and Ethereum.

To some in the crypto world, the Ronin attack was evidence that the future of crypto, even if it is to be “multichain,” is unlikely to be “cross-chain.” With teams fleeing Ethereum for more centralized blockchains that are faster and cheaper, the Ronin attack also served as a reminder of decentralization’s importance.

This article originally appeared in Valid Points, CoinDesk’s weekly newsletter breaking down Ethereum’s evolution and its impact on crypto markets. Subscribe to get it in your inbox every Wednesday.

Ronin is a sidechain, or parallel network, to Ethereum. Sky Mavis, the company behind the wildly popular play-to-earn game Axie Infinity, created Ronin in 2020 after realizing Ethereum’s base layer was too slow and expensive to handle all the transactions required to power such a game.

When you look under the hood, bridges like Ronin’s typically work by locking up cryptocurrency in smart contracts on one chain, and then re-issuing those tokens in “wrapped” form on a destination chain. So for example, if you were to use the Ronin Bridge to move ether (ETH) from Ethereum to Ronin, ETH would get locked up on Ethereum to serve as 1:1 backing for wrapped ether (WETH) issued on Ronin.

With so much money locked up in one place, bridges have become popular targets for thieves. The Ronin attacker pulled off March’s exploit by obtaining five of the nine validator keys that are responsible for securing the Ronin network. By holding a majority of the keys, the attacker was able to maliciously withdraw piles of cryptocurrency straight from the Ronin Bridge into a rogue Ethereum wallet.
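The lock-and-mint flow and the five-of-nine signing threshold described above can be modelled in a few lines. This is an added illustration, not code from Ronin, Sky Mavis or the article; the `ToyBridge` class, the `release:amount:nonce` message format and the use of HMAC in place of real validator signatures are all assumptions made for the sketch.

```python
import hashlib
import hmac

THRESHOLD = 5  # signatures required; the article gives 5 of 9 validators

def sign(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256 stands in for a validator's signature (assumption of this sketch).
    return hmac.new(key, msg, hashlib.sha256).digest()

class ToyBridge:
    def __init__(self, validator_keys: dict):
        self.keys = validator_keys      # validator id -> secret key
        self.locked = 0                 # ETH held by the bridge on Ethereum
        self.wrapped = 0                # WETH in circulation on the sidechain
        self.used_nonces = set()

    def deposit(self, amount: int) -> None:
        self.locked += amount           # lock on the source chain
        self.wrapped += amount          # issue 1:1 on the destination chain

    def burn(self, amount: int) -> None:
        self.wrapped -= amount          # user destroys WETH before withdrawing

    def release(self, amount: int, nonce: int, sigs: dict) -> bool:
        msg = f"release:{amount}:{nonce}".encode()
        valid = {v for v, s in sigs.items()
                 if v in self.keys and hmac.compare_digest(s, sign(self.keys[v], msg))}
        if len(valid) < THRESHOLD or nonce in self.used_nonces or amount > self.locked:
            return False
        self.used_nonces.add(nonce)
        self.locked -= amount           # the quorum is the only evidence checked
        return True

    def fully_backed(self) -> bool:
        return self.locked >= self.wrapped  # invariant a monitor can watch

def approvals(keys: dict, ids, amount: int, nonce: int) -> dict:
    msg = f"release:{amount}:{nonce}".encode()
    return {v: sign(keys[v], msg) for v in ids}

def demo() -> list:
    keys = {i: f"constructed-key-{i}".encode() for i in range(9)}  # constructed sample keys
    b = ToyBridge(keys)
    b.deposit(100)
    b.burn(40)
    results = [b.release(40, 1, approvals(keys, range(9), 40, 1)), b.fully_backed()]
    results.append(b.release(60, 2, approvals(keys, range(4), 60, 2)))  # 4 of 9: rejected
    results.append(b.release(60, 3, approvals(keys, range(5), 60, 3)))  # 5 of 9, no burn
    results.append(b.fully_backed())
    return results
```

The last two results show the trust assumption: the source-chain side cannot see whether a burn happened, so a bare majority of keys is sufficient to leave the wrapped supply unbacked, and comparing locked collateral against wrapped supply is the check that exposes it.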

Once the full extent of the Ronin attack became public, it quickly took its throne atop the infamous Rekt leaderboard, which started ranking attacks on DeFi protocols in 2020 in terms of money lost.

Ronin was not the first, nor is it likely to be the last, crypto bridge looted for vast sums of cryptocurrency. Joining Ronin in the second and third slots of Rekt’s leaderboard are two more attacks on crypto bridges. In third place is February’s $311 million exploit of the Wormhole bridge. And in second place is the August 2021 attack on the Poly Network bridge, where a hacker famously stole $611 million only to give it all back.

Stay in your chain

With yet another crypto bridge getting exploited for hundreds of millions of dollars, many in the crypto community have quipped that the Ronin exploit is further evidence that “cross-chain” crypto is doomed to fail.

Some members of the Ethereum community have pointed to the words of Ethereum founder Vitalik Buterin, who described his feelings on the limits of cross-chain bridges in a January Reddit post.

“The fundamental security limits of bridges are actually a key reason why, while I am optimistic about a multi-chain blockchain ecosystem … I am pessimistic about cross-chain applications,” Buterin wrote.

Sending assets across cross-chain bridges will never carry the same security guarantees as transacting within individual blockchain ecosystems, he explained in the 900-word post.

Much of Buterin’s critique of cross-chain bridges stems from the fact that they are particularly vulnerable to 51% attacks like the one that afflicted the Ronin network. If a bridge is attacked on one blockchain and drained of funds, users on the other end of the bridge – on a totally different blockchain – are also affected, since they will be left holding tokens that are no longer backed by anything.

“If there are 100 chains, then there will end up being dapps with many interdependencies between those chains, and 51% attacking even one chain would create a systemic contagion that threatens the economy of that entire ecosystem,” Buterin wrote.

Sky Mavis tried to scale up its ability to operate on Ethereum by building out a sidechain (Ronin). But scaling a layer 1 blockchain via a sidechain – which will always require a bridge – will arguably never be as safe as scaling via solutions like rollups, which inherit their security guarantees from a layer 1 chain.

The value of decentralization

In addition to highlighting the shortcomings of cross-chain bridges, the Ronin attack validated another core thesis among Ethereum devotees – one which is shared by bitcoiners and crypto-idealists in general – which is that true decentralization is vitally important to the success of any crypto ecosystem.

Decentralization often gets lumped in with the politics and ideology of crypto’s Twitterati – framed as a promise to pull power away from institutions and middlemen and give it back to the little guy.

While appealing to some, arguments around the philosophical virtues of decentralization are a turn-off to those who think blockchains are just as corruptible as any other technology. Moreover, more and more crypto projects are emerging that throw decentralization to the wind, believing (perhaps rightfully) that today’s users don’t care about decentralization so long as they can transact quickly and cheaply – a shortcoming of Ethereum as it currently exists.

The Ronin attack reminds us that decentralization, regardless of what users might think, is of practical security importance for big-money applications. Sky Mavis moved from Ethereum to Ronin to speed transactions and cut costs. It achieved these goals (Ronin processed over 500% more transactions than Ethereum at its peak), but its centralized proof-of-authority model, where just nine validators were in charge of securing the whole network, left it vulnerable to attack.

Ethereum has major scalability shortcomings, and its slow pace migrating to Ethereum 2.0 has left room for more centralized chains like Ronin to emerge out of sheer necessity. Nevertheless, as “the Merge” inches closer, last month’s Ronin attack showed why the hard work of decentralization at scale remains important.

Pulse check

The following is an overview of network activity on the Ethereum Beacon Chain over the past week. For more information about the metrics featured in this section, check out our 101 explainer on Eth 2.0 metrics.

[Figure: Valid Points Network Health 4.05]
[Figure: CoinDesk Validator Health 4.05]

Disclaimer: All profits made from CoinDesk’s Eth 2.0 staking venture will be donated to a charity of the company’s choosing once transfers are enabled on the network.

Validated takes

Hedera Hashgraph enters the DeFi race by allocating $155 million for a “crypto economy fund.”

  • WHY IT MATTERS: Of the $155 million, $60 million will be dedicated for liquidity mining rewards for decentralized exchanges, and the other $95 million will be allocated for infrastructure-focused grants, according to HBAR Foundation Director Elaine Song’s interview with CoinDesk. These funds signal Hedera’s strategy to attract decentralized finance projects that are usable for the average retail user.

Several DeFi protocols were exploited for millions last week.

  • WHY IT MATTERS: Coming hot on the heels of the $624 million exploit of Axie Infinity’s Ronin Network, Ola Finance was exploited for $3.6 million in a re-entrancy attack, while Inverse Finance suffered a $15.6 million attack. The recent crypto exploits not only highlight how attackers are using advanced methods to execute their strategies, but they also remind us how thefts of large sums of money are commonplace in DeFi.

The U.K. government announced plans to make Britain a global crypto asset hub.

  • WHY IT MATTERS: Plans include recognizing stablecoins as a valid form of payment, commissioning the Royal Mint to create a non-fungible token this summer and exploring the transformative benefits of distributed ledger technology in U.K. financial markets. “This is part of our plan to ensure the U.K. financial services industry is always at the forefront of technology and innovation,” Chancellor of the Exchequer Rishi Sunak said.

Abra, a crypto brokerage platform, opened Abra Capital Management (ACM) to court high-net-worth clients who want a piece of the action in digital assets.

  • WHY IT MATTERS: ACM's intent is to give clients access to actively managed structured products and investment funds. Three of the five funds will target yield-generating opportunities in stablecoins, bitcoin (BTC) and ether (ETH). ACM is another signal of investor demand for exposure to this young asset class.

Factoid of the week

[Figure: Valid Points Factoid 4.05]

Open comms

Valid Points incorporates information and data about CoinDesk’s own Eth 2.0 validator in weekly analysis. All profits made from this staking venture will be donated to a charity of our choosing once transfers are enabled on the network. For a full overview of the project, check out our announcement post.

You can verify the activity of the CoinDesk Eth 2.0 validator in real time through our public validator key, which is:

0xad7fef3b2350d220de3ae360c70d7f488926b6117e5f785a8995487c46d323ddad0f574fdcc50eeefec34ed9d2039ecb.

Search for it on any Eth 2.0 block explorer site.

Disclosure

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Sam Kessler

Sam is CoinDesk's deputy managing editor for tech and protocols. He reports on decentralized technology, infrastructure and governance. He owns ETH and BTC.

Sage D. Young

Sage D. Young was a tech protocol reporter at CoinDesk. He owns a few NFTs, gold and silver, as well as BTC, ETH, LINK, AAVE, ARB, PEOPLE, DOGE, OS, and HTR.
