18/04/2022 North Korea, NFTs and a hit video game: inside a $500m cryptocurrency theft

Another high-profile hack has raised more questions about the vulnerabilities of the blockchain

“End users may not necessarily be cognizant of the security risks that they incur,” says Nicholas Christin.
Late last month, hackers made off with what was then worth more than $500m from the systems of cryptocurrency network Ronin, in what is believed to be the second-largest cryptocurrency theft on record.

Ronin was a juicy target for a hacker. The blockchain project supports the wildly popular Axie Infinity video game, which with an estimated8 million playershas drawn comparisons to action-driven collecting games like Pokémon Go.

Axie Infinity is hot and involves substantial sums of money. Players purchase creatures called Axies in the form ofNFTs, unique digital assets known as non-fungible tokens. The creatures can breed, battle and even be exchanged for cold, hard cash.

The game has swelled in popularity as players see the potential to earn real money. In 2020, one 22-year-old player from the Philippines reportedlybought two apartmentsin Manila with his earnings from the game. Last year, another player said heearned more through Axie Infinityand other online games than from his full-time job at Goldman Sachs.

But the underpinnings of the game face significant security challenges. To play, gamers must move their money from Ethereum to Ronin on a blockchain “bridge” system. Ronin is a “sidechain” of Ethereum – a scaling solution that allows transactions to happen faster than on Ethereum, which is congested by the amount of activity it hosts. Hosting the game on this sidechain ensures it can grow without losing functionality. Bridges can hold a lot of money at once, so by targeting the Ronin Bridge that transferred players’ assets between blockchains, hackers seized control of the assets and took off with the money.

In-game assets called ‘Axies’ are seen in this undated handout image from the blockchain-based game Axie Infinity

In-game assets called ‘Axies’ are seen in this undated handout image from the blockchain-based game Axie InfinityPhotograph: Sky Mavis/Reuters

The US governmentsaidthis week it believes North Korean hackers are behind the heist. But it’s just the latest in a string of brazen high-profile crypto thefts. In 2018, more than $530m was stolen from the crypto exchange Coincheck. In February, hackers made off with $320m from the decentralized finance platform Wormhole (though that loot was eventuallyreturned). And in that same month, in perhaps the most publicized cyber heist of the year, prosecutors charged odd couple Ilya “Dutch” Lichtenstein and his wife, Heather Morgan, – also known for her cringeworthy raps on TikTok under the name Razzlekhan – with conspiracy to launderbillions of dollars worth of bitcoinstolen from the crypto exchange Bitfinex in 2016.

It’s a trend.In 2021, $3.2bn in cryptocurrency was stolen from individuals and services, according to a crypto crime report by Chainalysis, a company that provides blockchain data and analysis to banks, governments and other businesses. (Ronin is alsoworking with Chainalysisto trace the funds stolen in the hack, according to Reuters.) The figure is almost six times this amount stolen in 2020. So far this year, more than $1bn has already been stolen, according to experts at Chainalysis and other security firms.

Vulnerabilities in smart contracts

The high-profile hacks and substantial sums of money involved have raised questions about how vulnerable the blockchain – long considered a secure place to store assets – is to such breaches.

Some experts say the rise in reports of cryptotheft come as cryptocurrency is more widely used and better understood than ever before.

“You basically have a lot of money on the table, and on a very public table,” said Nicholas Christin, an associate professor at Carnegie Mellon University who researches online crime and computer and network security. With large sums of money publicly moving around on these transparent systems, it can be enticing for a hacker to pounce.

To understand how these heists are possible, it’s important to distinguish between the blockchain and other programs that operate on top of it, experts say. The blockchain itself is a decentralized public ledger that allows for peer-to-peer transactions. It’s the foundational layer that bitcoin, Ethereum or Solana are built upon.

The second layer – the one that’s frequently exploited – are smart contracts that run on top of blockchains. Smart contracts are agreements in code that automatically execute when the terms of the contract are met. The common analogy is to a digital vending machine – select a product, put in the correct amount of money, and your item will be automatically dispensed. These contracts are irreversible.

The hackers weasel their way to the money through these second-layer systems by either taking advantage of bugs in the code, or getting hold of the private keys that will let them into the systems, explained Christin. Some hackers even subvert the smart contracts to redirect the funds into their hands.

In the Axie Infinity hack, which targeted the Ronin Bridge, the hacker obtained enough private keys to control the bridge and drain the funds. Since so many users had their assets in the bridge, the payout was massive.

“Underlying blockchain protocol is secure,” said Ronghui Gu, founder and CEO of the blockchain security firm Certik. “But the programs – the smart contracts – running on top of them are still like other normal programs, which can have software bugs and vulnerabilities.”

It’s common for hackers to try to exploit the code of one of their targets. And it helps that much of the code for blockchain programs is open source, making it easily accessible for hackers who want to look over the code and find potential bugs.

“In this world people say ‘in code we trust,’ but the code itself is indeed not that trustworthy,” said Gu. When he started his blockchain security firm in 2018, Gu explained, only a few companies used third-party security services like his to audit and assess their code – a critical security backstop – but he’s seen the number gradually tick up.

Crypto exchanges are also major targets for hacks. Exchanges are like banks, they’re central entities that hold massive amounts of their users’ money and transactions are irreversible. Like bridges, they are a middleman program that tends to be targeted. “Those big exchanges have a huge target on their back,” said Christin.

Victims left withbig security burden

Once crypto assets are stolen it can be a challenge for thieves to cash out, especially if the heist is in the nine-figure range. That means funds are often left in limbo for years, or even indefinitely. During that time, the value of the stolen funds can fluctuate due to the volatile nature of the crypto market.

The Chainalysis crypto crime report estimates that criminals are currently holding at least $10bn worth of cryptocurrency, the vast majority obtained through theft. Thanks to transparency on the blockchain, it’s possible to trace these transactions and holdings, but the identity of the perpetrator is hard to nail down until the funds are cashed out.

One can look to theBitfinex scandalas a case study in attempted laundering. “The funds didn’t move for an extremely long time. And then when they tried to initiate the laundering process, this was an opportunity for law enforcement to get involved again, because people are following these hacks,” said Kim Grauer, director of research at Chainalysis.

For victims of the schemes, there are few ways to recover assets. “If a bank’s security fails, it’s not that bad for the bank,” said Ethan Heilman, a cybersecurity expert and co-founder of the cloud service BastionZero. “But if you’re a cryptocurrency exchange and someone empties out all your cryptocurrency that’s really bad for you.” Banks have measures in place to protect their clients that the blockchain lacks. If one’s credit card is stolen, insurance policies ensure that one will usually receive that money back. On the blockchain, however, transactions are irreversible – there is no undo button.

That means there is a tremendous security burden on individual users to keep their assets safe. “End users may not necessarily be cognizant of the security risks that they incur,” said Christin. “Quite frankly, even people in the field don’t have time to necessarily go and review some smart contract source code.”

If one entrusts their keys to the wrong second-layer intermediary, it’s possible that they could be a victim of a heist. Collectively, most aren’t used to this responsibility.

Crypto companies are beginning to get more serious about security, Heilman said, but a world without hacks is not realistic, he added. “You never become secure, you just become more secure,” he said. “So given the ease of monetizing a vulnerability in one of these systems, I think that it is likely that we will continue to see things get hacked, and the question will not be, ‘is there a new hack this month?’ It will be: ‘how frequent are the hacks this month?’”

“There are important things that the industry needs to overcome in order to actually really grow and scale,” said Grauer, “because you can’t have a healthy growing industry if everyone is afraid of getting hacked.”

Arts

https://amp.theguardian.com/technology/2022/apr/16/nft-blockchain-north-korea-hack-ronin-axie-infinity

Interesting NFTs
Looked is not a reason #1/3
Your head turns away: O the new love! Your head turns back, - O the new love!
Reflection
#XCOPY #GIF #screen #time #mirror
Mars House
Mars House is the first NFT digital house in the world. Upon purchase of Mars House NFT, 3D files will be sent to the new owner by Krista Kim Studio Inc. for file upload to the owner’s Metaverse. Technical support for Mars House integration on Metaverse is provided. (Architectural Digest, March 14, 2021) “Kim ventured into NFTs while exploring meditative design during quarantine; her hope was to use the influx of digital life as an opportunity to promote wellbeing. Comprised entirely of light, the visual effects of her crypto-home are meant to omit a zen, healing atmosphere. The artist also partnered with musician Jeff Schroeder of The Smashing Pumpkins to create a calming musical accompaniment. So what makes the file a compelling purchase? Beyond the promise of buying into the lucrative NFT market, the home and all of the furniture in it can be built in real life by glass furniture-makers in Italy, as well as through MicroLED screen technology. Kim also has a strong visions the art being projected, as well. “Everyone should install an LED wall in their house for NFT art.” says the artist. “ This is the future, and Mars House demonstrates the beauty of that possibility.” The owner is in agreement to the following terms and conditions upon purchase of Mars House (hereby referred to as Mars House NFT): The collector agrees to own one copy of Mars House NFT on a single Metaverse platform. The collector is required to register Mars House NFT ownership with Krista Kim Studio Inc. Krista Kim Studio Inc. will provide technical support to upload and integrate Mars House NFT on a Metaverse platform. If/when Mars House is resold, the collector is required to delete all Mars House NFT 3D file(s) from his/her Metaverse, and provide verification of deletion to Krista Kim Studio Inc. before new 3D files are transferred to the new owner by the artist. The new owner is required to register Mars House NFT ownership with Krista Kim Studio Inc. Krista Kim Studio will send Mars House NFT 3D files directly to the new owner and provide support for Metaverse integration. This verified ownership transfer system will be appointed to Krista Kim Studio Inc. trusteeship, after 40 years of the date of the sale. Krista Kim Studio Inc. retains ownership of Mars House NFT copyright. All rights reserved. All reproductions of Mars House (NFT) in both digital and physical formats, are restricted. Mars House NFT physical furniture pieces, made of tempered printed glass in Italy, may be commissioned by the collector as NFT physical pieces.
Crypto Toy Coin
This piece represents the creation of a new "Visual Toy", a term created by me to encompass my unique and exclusive GIF-Arts. The latter, "Crypto Toy Coin" is the only and first in the cryptocurrency theme. In it I represent the fast-paced world of finance in the virtual environment, the Internet with its universe of colors and infinite visual impact, an optimistic and exciting future, a world of possibilities that opens before us. These "Visual Toys" invite you to imagine, that is their function, that is the game. The ultimate goal is that you imagine, that it is you who gives it meaning. There are no good or bad answers, just the projection of each one. I've only created the trigger, the piece where you can project your imagination and let it fly.
#96363
By OthersideDeployer