Ronin Attack Shows Cross-Chain Crypto Is a ‘Bridge’ Too Far

Last week’s $625 million exploit of the Axie Infinity sidechain underscores the risks of sacrificing decentralization for scale, Ethereum boosters say.

Apr 5, 2022 at 7:45 p.m. UTC

Sam is a reporter at CoinDesk focused on decentralized technology, DeFi and DAOs. He owns ETH, BTC and MATIC.

Sage D. Young is a tech protocol reporter at CoinDesk. He owns ETH, LINK, AAVE, PEOPLE, OS, and HTR as well as a few NFTs.

Crypto news seeped back into mainstream headlines last week with the disclosure of a $624 million heist from Axie Infinity’s Ronin Network. The attack targeted the Ronin Bridge, which enables users to pass funds between the Ronin network and Ethereum.

To some in the crypto world, the Ronin attack was evidence that the future of crypto, even if it is to be “multichain,” is unlikely to be “cross-chain.” With teams fleeing Ethereum for more centralized blockchains that are faster and cheaper, the Ronin attack also served as a reminder of decentralization’s importance.

This article originally appeared in Valid Points, CoinDesk’s weekly newsletter breaking down Ethereum’s evolution and its impact on crypto markets. Subscribe to get it in your inbox every Wednesday.

Ronin is a sidechain, or parallel network, to Ethereum. Sky Mavis, the company behind the wildly popular play-to-earn game Axie Infinity, created Ronin in 2020 after realizing Ethereum’s base layer was too slow and expensive to handle all the transactions required to power such a game.

When you look under the hood, bridges like Ronin’s typically work by locking up cryptocurrency in smart contracts on one chain, and then re-issuing those tokens in “wrapped” form on a destination chain. So for example, if you were to use the Ronin Bridge to move ether (ETH) from Ethereum to Ronin, ETH would get locked up on Ethereum to serve as 1:1 backing for wrapped ether (WETH) issued on Ronin.

With so much money locked up in one place, bridges have become popular targets for thieves. The Ronin attacker pulled off March’s exploit by obtaining five of the nine validator keys that are responsible for securing the Ronin network. By holding a majority of the keys, the attacker was able to maliciously withdraw piles of cryptocurrency straight from the Ronin Bridge into a rogue Ethereum wallet.
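A toy model of the lock-and-mint flow and the five-of-nine approval rule described above, added here as an illustration (it is not Ronin's or Sky Mavis's code). The `Bridge` class, the HMAC stand-in for validator signatures, the demo keys and the `backing_gap` check are all assumptions made for the example.

```python
import hashlib
import hmac

THRESHOLD, N_VALIDATORS = 5, 9   # the article's figures: five of nine keys

# Constructed demo keys; HMAC is a stand-in for real validator signatures.
KEYS = {i: hashlib.sha256(b"demo-validator-%d" % i).digest()
        for i in range(N_VALIDATORS)}

def sign(validator_id, message):
    return hmac.new(KEYS[validator_id], message, hashlib.sha256).digest()

class Bridge:
    def __init__(self):
        self.locked = 0      # ETH held by the bridge contract on Ethereum
        self.wrapped = 0     # WETH in circulation on the sidechain
        self.seen = set()    # withdrawal ids already processed

    def deposit(self, amount):
        # Lock on the source chain, issue 1:1 on the destination chain.
        self.locked += amount
        self.wrapped += amount

    def approvals(self, message, sigs):
        # Distinct known validators whose signature over the message verifies.
        return {v for v, s in sigs.items()
                if v in KEYS and hmac.compare_digest(s, sign(v, message))}

    def withdraw(self, wid, amount, sigs, burned_on_sidechain):
        # The Ethereum side cannot see the sidechain: it releases funds on
        # THRESHOLD signatures alone and trusts them to attest to a burn.
        message = b"%d:%d" % (wid, amount)
        if wid in self.seen or amount > self.locked:
            return False
        if len(self.approvals(message, sigs)) < THRESHOLD:
            return False
        self.seen.add(wid)
        self.locked -= amount
        if burned_on_sidechain:
            self.wrapped -= amount
        return True

    def backing_gap(self):
        # Monitoring invariant: above 0, wrapped tokens lack 1:1 backing.
        return self.wrapped - self.locked

def approve(wid, amount, validator_ids):
    message = b"%d:%d" % (wid, amount)
    return {v: sign(v, message) for v in validator_ids}
```

A watcher that compares locked collateral with wrapped supply would see `backing_gap()` rise above zero as soon as a threshold-approved withdrawal has no matching burn on the sidechain.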

Once the full extent of the Ronin attack became public, it quickly took its throne atop the infamous Rekt leaderboard, which started ranking attacks on DeFi protocols in 2020 in terms of money lost.

Ronin was not the first, nor is it likely to be the last, crypto bridge looted for vast sums of cryptocurrency. Joining Ronin in the second and third slots of Rekt’s leaderboard are two more attacks on crypto bridges. In third place is February’s $311 million exploit of the Wormhole bridge. And in second place is the August 2021 attack on the Poly Network bridge, where a hacker famously stole $611 million only to give it all back.

Stay in your chain

With yet another crypto bridge getting exploited for hundreds of millions of dollars, many in the crypto community have quipped that the Ronin exploit is further evidence that “cross-chain” crypto is doomed to fail.

Some members of the Ethereum community have pointed to the words of Ethereum founder Vitalik Buterin, who described his feelings on the limits of cross-chain bridges in a January Reddit post.

“The fundamental security limits of bridges are actually a key reason why, while I am optimistic about a multi-chain blockchain ecosystem … I am pessimistic about cross-chain applications,” Buterin wrote.

Sending assets across cross-chain bridges will never carry the same security guarantees as transacting within individual blockchain ecosystems, he explained in the 900-word post.

Much of Buterin’s critique of cross-chain bridges stems from the fact that they are particularly vulnerable to 51% attacks like the one that afflicted the Ronin network. If a bridge is attacked on one blockchain and drained of funds, users on the other end of the bridge – on a totally different blockchain – are also affected, since they will be left holding tokens that are no longer backed by anything.

“If there are 100 chains, then there will end up being dapps with many interdependencies between those chains, and 51% attacking even one chain would create a systemic contagion that threatens the economy of that entire ecosystem,” Buterin wrote.

Sky Mavis tried to scale up its ability to operate on Ethereum by building out a sidechain (Ronin). But scaling a layer 1 blockchain via a sidechain – which will always require a bridge – will arguably never be as safe as scaling via solutions like rollups, which inherit their security guarantees from a layer 1 chain.

The value of decentralization

In addition to highlighting the shortcomings of cross-chain bridges, the Ronin attack validated another core thesis among Ethereum devotees – one which is shared by bitcoiners and crypto-idealists in general – which is that true decentralization is vitally important to the success of any crypto ecosystem.

Decentralization often gets lumped in with the politics and ideology of crypto’s Twitterati – framed as a promise to pull power away from institutions and middlemen and give it back to the little guy.

While appealing to some, arguments around the philosophical virtues of decentralization are a turn-off to those who think blockchains are just as corruptible as any other technology. Moreover, more and more crypto projects are emerging that throw decentralization to the wind, believing (perhaps rightfully) that today’s users don’t care about decentralization so long as they can transact quickly and cheaply – a shortcoming of Ethereum as it currently exists.

The Ronin attack reminds us that decentralization, regardless of what users might think, is of practical security importance for big-money applications. Sky Mavis moved from Ethereum to Ronin to speed transactions and cut costs. It achieved these goals (Ronin processed over 500% more transactions than Ethereum at its peak), but its centralized proof-of-authority model, where just nine validators were in charge of securing the whole network, left it vulnerable to attack.

Ethereum has major scalability shortcomings, and its slow pace migrating to Ethereum 2.0 has left room for more centralized chains like Ronin to emerge out of sheer necessity. Nevertheless, as “the Merge” inches closer, last month’s Ronin attack showed why the hard work of decentralization at scale remains important.

Pulse check

The following is an overview of network activity on the Ethereum Beacon Chain over the past week. For more information about the metrics featured in this section, check out our 101 explainer on Eth 2.0 metrics.

Valid Points Network Health 4.05

CoinDesk Validator Health 4.05

Disclaimer: All profits made from CoinDesk’s Eth 2.0 staking venture will be donated to a charity of the company’s choosing once transfers are enabled on the network.

Validated takes

Hedera Hashgraph enters the DeFi race by allocating $155 million for a “crypto economy fund.”

  • WHY IT MATTERS: Of the $155 million, $60 million will be dedicated for liquidity mining rewards for decentralized exchanges, and the other $95 million will be allocated for infrastructure-focused grants, according to HBAR Foundation Director Elaine Song’s interview with CoinDesk. These funds signal Hedera’s strategy to attract decentralized finance projects that are usable for the average retail user.

Several DeFi protocols were exploited for millions last week.

  • WHY IT MATTERS: Coming hot off the heels of Axie Infinity’s Ronin Network $624 million exploit, Ola Finance was exploited for $3.6 million in a re-entrancy attack, while Inverse Finance suffered a $15.6 million attack. The recent crypto exploits not only highlight how attackers are using advanced methods to execute their strategies, but they also remind us how thefts of large sums of money are commonplace in DeFi.

The U.K. government announced plans to make Britain a global crypto asset hub.

  • WHY IT MATTERS: Plans include recognizing stablecoins as a valid form of payment, commissioning the Royal Mint to create a non-fungible token this summer and exploring the transformative benefits of distributed ledger technology in U.K. financial markets. “This is part of our plan to ensure the U.K. financial services industry is always at the forefront of technology and innovation,” Chancellor of the Exchequer Rishi Sunak said.

Abra, a crypto brokerage platform, opened Abra Capital Management (ACM) to court high-net-worth clients who want a piece of the action in digital assets.

  • WHY IT MATTERS: ACM's intent is to give clients access to actively managed structured products and investment funds. Three of the five funds will target yield-generating opportunities in stablecoins, bitcoin (BTC) and ether (ETH). ACM is another signal of investor demand for exposure to this young asset class.

Factoid of the week

Valid Points Factoid 4.05

Open comms

Valid Points incorporates information and data about CoinDesk’s own Eth 2.0 validator in weekly analysis. All profits made from this staking venture will be donated to a charity of our choosing once transfers are enabled on the network. For a full overview of the project, check out our announcement post.

You can verify the activity of the CoinDesk Eth 2.0 validator in real time through our public validator key, which is:

0xad7fef3b2350d220de3ae360c70d7f488926b6117e5f785a8995487c46d323ddad0f574fdcc50eeefec34ed9d2039ecb.

Search for it on any Eth 2.0 block explorer site.
