
This week in crypto: $625 million to learn the most basic lesson in crypto

We’ve seen so many big hacks and exploits over the last few years that many of them just fade into the background. But this one… this one is important.

Harry Hamburg

Okay, it’s time for me to make another Steve Ballmer meme

Well that was 45 minutes of my life well spent.

Why am I bringing the great Steve Ballmer back out?

Because this week, we saw the biggest hack in history (again). Ronin, an Ethereum sidechain built as a scaling solution for the Axie Infinity game, was hacked for around $625 million in ETH and USDC.

We’ve seen so many big hacks and exploits over the last few years that many of them just fade into the background.

Or sometimes Netflix or the BBC picks one at random to make a series about.

But this one… this one is important. And not because it’s the biggest one on record. I’m sure that record won’t last long. It never does.

No, this one is important because Ronin broke the #1 rule of crypto, which is…

[Image: Steve Ballmer meme]

Thanks Ballmer.

The entire world of crypto is built upon the foundation of decentralisation.

To understand how intrinsic the idea of decentralisation is to crypto, please read my article: Everything you need to know about crypto in one essay. Or at least scan it.

But basically, if you don’t have decentralisation, your blockchain, DLT, DAG, you name it, is just an inefficient database. You might as well build it in Microsoft Excel.

And that brings us back to the much discussed, but still unsolved blockchain trilemma.

It’s like the good, fast, cheap trilemma for real-world projects. (You can only pick two of the three.)

But the blockchain trilemma is decentralisation, scalability and security.

You’ll have seen me writing about the trilemma in almost every single one of my crypto deep dives.

That’s because every new kid on the crypto block claims to have solved it. And, honestly, none of them have yet. Not a single one.

Some of them are well on the way… Radix, Aleph Zero, Solana, Algorand.

But none of them have achieved it yet.

Most new cryptos, and virtually every single Ethereum scaling solution/sidechain/layer-2 sacrifices decentralisation, security or both to achieve scalability.

The reason they do this is because their sole purpose is to help Ethereum scale… or to compete with Ethereum. And Ethereum’s main drawback is it doesn’t scale.

It maxed out its decentralisation and security attributes and left nothing in the tank for scalability. Just like Bitcoin.

And that’s okay, because the narrative of Ethereum now is that it will never scale because it doesn’t have to. It will use layer-2s to scale instead.

Bitcoin changed its narrative from “peer to peer money” to “store of value”. So why can’t Ethereum?

Ethereum’s new narrative is why layer-2s like Polygon (which I wrote about here a few weeks back), Loopring, Skale, etc. have been the flavour of the month.

Read almost any article in legacy media outlets and they’ll mention how Ethereum can’t scale, but layer-2s will save the day.

They’re gonna save Ethereum! (And make the people who hype them up rich in the process.)

In fact, I have a strong suspicion that most of the people who hype up layer-2s in legacy media are getting their crypto information from a source that’s heavily invested in layer-2s.

Not that they realise. The journalists usually just don’t know enough about crypto to know they’re being used. I mentioned this when I wrote about Polygon.

Anyway, to get back to the topic at hand. Too many darling crypto projects today don’t care about decentralisation… even though it is the basis of crypto.

Case in point: Ronin’s network only has nine validators.

If you can take control of five of them, you can… well, you can transfer 173,000 Ethereum and 22.5 million USDC, worth a total of about $625 million, to your own wallet.

From Ronin:

Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO.

So the makers of Ronin (Sky Mavis) decided nine validators would provide enough decentralisation. And they also decided that they would be fine controlling four of them.

So the hacker only really had to compromise two operators to take control of the network: Sky Mavis, and whoever else was an easy target.

In Sky Mavis’ explanation of the hack, it says, seemingly without a hint of irony: “The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one.”

Nine validators is NOT decentralised… especially when one company controls four of them and the threshold to take control of the entire network is five.

I feel like I should provide some perspective here to show how crazy it is to rely on just nine validators.

From my Fantom deep dive:

There are only 66 Fantom validators. And 14 of them are out of action. So there are really only 52 Fantom validators.
This is kind of insane.
At Fantom’s current price, you could spend less than $50 million, make a load of new validators and control more than 1/3 of the network required to take it over.
(Assuming people eventually delegated their stakes to you in the same numbers they delegate to other validators.)
From Fantom’s whitepaper: “Our Lachesis protocol is 1/3-BFT, which requires less than one-third of nodes are malicious.”
And considering the Fantom network is currently worth over $5.5 billion… you could probably make a ton of money from that $50 million attack. …
And taking away all the hypothetical security concerns, there is another, potentially even bigger issue with this approach.
It is centralised.
And centralisation is the antithesis of crypto.
52 validators is nothing.
It’s barely more than Binance Smart Chain’s 21 validators. And everyone hates on Binance Smart Chain because it is centralised.
To put Fantom’s 52 validators into perspective…
Polkadot has 297 validators, but plans to increase it to more than 1,000.
Tezos has over 400 validators.
Avalanche has over 1,000 validators.
Cardano has over 2,900 validators.
And Ethereum 2.0 – which isn’t even merged with the main-chain yet – already has over 200,000 validators.
Oh, and let’s not forget Solana, which people say is too centralised because you need an expensive computer to become a validator. It has 1,234 validators.
Now do you see why only having 52 validators is a massive issue?
It’s such a big issue that it’s hard to overlook.
Fantom is barely more decentralised than Binance Coin. I mean… wow.

Meanwhile Ronin has a whopping nine validators. Nine.

And people are trusting it with hundreds of millions of dollars.
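To make the "nine validators, four run by one company" problem concrete, here is an added example (mine, not from the post or from Ronin/Fantom) that computes the smallest number of distinct operators an attacker would have to compromise to reach a signing or stake threshold. The Ronin numbers (9 validators, 5 signatures, Sky Mavis running 4, Axie DAO running 1) come from the post; the assumption that the remaining four validators belong to four separate operators, and the stake distribution used for the 1/3-BFT case, are constructed for illustration.

```python
from typing import Dict


def min_operators_to_reach(weight_by_operator: Dict[str, float], threshold: float) -> int:
    """Smallest number of distinct operators whose combined weight reaches
    `threshold`, taking the largest operators first. This is the usual
    Nakamoto-coefficient style measure of how decentralised control is.
    Returns 0 for a non-positive threshold; raises if it is unreachable."""
    if threshold <= 0:
        return 0
    total = 0.0
    for count, weight in enumerate(sorted(weight_by_operator.values(), reverse=True), start=1):
        total += weight
        if total >= threshold:
            return count
    raise ValueError("threshold exceeds total weight of all operators")


# Ronin bridge as described in the post: 9 validators, 5 signatures needed.
# Sky Mavis ran 4 and Axie DAO ran 1. The other 4 are ASSUMED here to be run
# by four separate operators (the post does not say who ran them).
RONIN_SIGNATURES_NEEDED = 5
RONIN_OPERATORS = {"Sky Mavis": 4, "Axie DAO": 1, "op-A": 1, "op-B": 1, "op-C": 1, "op-D": 1}


def ronin_operators_to_compromise() -> int:
    # Sky Mavis's 4 keys plus any single other validator already reach 5.
    return min_operators_to_reach(RONIN_OPERATORS, RONIN_SIGNATURES_NEEDED)


def ronin_if_fully_independent() -> int:
    # Counterfactual: same 5-of-9 scheme, but every validator run by a different operator.
    return min_operators_to_reach({f"op-{i}": 1 for i in range(9)}, RONIN_SIGNATURES_NEEDED)


# 1/3-BFT chains (the Fantom quote): safety holds only while malicious weight
# stays below one third, so an attacker's target is one third of the total.
# Weighting by stake rather than node count is an assumption of this example.
def bft_operators_to_compromise(stake_by_operator: Dict[str, float], fraction: float = 1 / 3) -> int:
    total_stake = sum(stake_by_operator.values())
    return min_operators_to_reach(stake_by_operator, total_stake * fraction)


# Constructed stake distribution (not real Fantom data): 52 operators, but
# two of them hold a large share, so "52 validators" overstates the safety margin.
CONSTRUCTED_STAKE = {"big-1": 20.0, "big-2": 15.0, **{f"small-{i}": 1.0 for i in range(50)}}


def constructed_bft_example() -> int:
    return bft_operators_to_compromise(CONSTRUCTED_STAKE)
```

The first Ronin call returns 2 while the counterfactual returns 5: the threshold itself was not the weakness, the mapping of keys to operators was.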

But Ronin’s laughable lack of decentralisation and security isn’t the exception, it’s the rule

Ronin might be bad. But Polygon – the 16th biggest crypto on the planet, worth a current $13 billion – is even worse.

(I don’t know why I’ve been picking on Polygon so much over the last few issues. It just seems to be the poster child of the current layer-2 craze. It pops up everywhere.)

As the crypto researcher, Justin Bons pointed out on twitter:

Polygon in its current state is insecure and centralized! It would only take five people to compromise over $5 billion! Four of those people are the founders of Polygon! This is one of the largest hacks or exit scams just waiting to happen.

He wrote a whole thread on it.

And if you take a look on L2BEAT, you’ll see that almost all of the top Ethereum layer-2s have “critical” security risks.

[Screenshot of L2BEAT risk summary] Source: l2beat

See all that red?

Meanwhile, people are trusting their networks with tens of millions, hundreds of millions, even billions of dollars:

[Screenshot of L2BEAT value-locked table] Source: l2beat

What’s the solution?

I guess, just wait until enough of these large-scale hacks happen and force projects to take security and decentralisation seriously again.

But then how will they scale?

Well, that’s why they call it a trilemma.

But it’s not all bad news. The fact the trilemma hasn’t been solved just shows how early we are.

Eventually, a crypto will come along that does solve the trilemma, for real this time, and change the game.

Like I said, I’ve seen quite a few with great prospects, take a look at my deep dives on Radix, Solana, Algorand and Aleph Zero for more on that. But as you’ll see, they’re all still a ways off yet.

And that’s not to say I don’t think Ethereum will continue to be the #1 smart contract crypto. I think it’s going to stay that way for a long time yet, maybe forever. But the race for second place is wide open.

Now, do you want to know the craziest thing about that Ronin hack?

It’s not the amount of money involved. It’s the fact it took a full six days before anyone even knew any money was gone.

I saw some (very likely untrue) rumours that the hacker shorted Axie Infinity when they executed the hack.

That way they could make some non-illegal money from their criminal exploits, too. And maybe get to keep it.

Remember, Ronin is an Ethereum sidechain designed as a scaling solution for Axie Infinity. So you would expect Axie’s AXS token to tank on news of the hack.

But no one noticed… in fact, AXS actually went up in value over those six days. So the hacker’s short position got liquidated.

Like I said, very likely untrue. But it didn’t stop the jokes:

Okay, that’s all for today.

I’ll be back next week with a crypto-wide news issue. There have been some big goings on with EU crypto legislation, and a lot of new VC money entering the industry.

Plus, I’ll be reporting on the latest from IOTA, Terra and Solana.

See you then.

Thanks for reading.

Harry

Full disclosure: At time of writing, I held the following cryptos: Ethereum, IOTA, Radix, Mina Protocol, Aleph Zero.

Disclaimer: This content does not constitute financial advice, tax advice or legal advice. Your money and how you choose to spend it is your responsibility. Nothing that appears here should be construed as investment advice or recommendations to buy or sell any securities, cryptos or investments. coin confidential does not offer investment advice. We merely provide information. Crypto investing is highly risky. You should not base any investment decision solely on information we publish. We believe all information we publish to be accurate, but we cannot guarantee it. Always do your own research before making any decisions about your money. See the full disclaimer for more.

