How do you steal $625 million? In the case of the Ronin Network, a cross-chain bridge that lets people make payments on one blockchain using cryptocurrency from another, you hack five passwords.<\/p>\n
If that seems a bit light on the security front, welcome to crypto, where $14 billion was stolen, hacked and scammed last year.<\/p>\n
See also:<\/strong> PYMNTS Crypto Crime Series: Latest DeFi Hack Drains Record $625M<\/a><\/p>\n But the Ronin Network hack showed a far bigger problem that crypto may have to confront as more and more money gets poured into decentralized finance (DeFi) projects: If your morals are elastic enough, sometimes crime pays very, very well \u2014 and $625 million will rubberize a lot of people\u2019s morals.<\/p>\n This problem is one that the payments industry will have to pay attention to, as it goes to the heart of the technology permitting blockchain transactions to scale to the point where they can compete with credit card networks and other payments rails.<\/p>\n \u201cThis hack reflects the continuing challenges that blockchains and operators face in balancing user experience and security,\u201d said<\/a> Flora Li, head of the Huobi cryptocurrency exchange\u2019s Research Institute.<\/p>\n Ronin Network is the blockchain underlying Axie Infinity, far and away the top blockchain-based massively multiplayer online (MMO) game, for the convenience of its eight million-plus players.<\/p>\n The problem, Li explained, is that as the game \u201cexploded in popularity and saw a rapid influx in users on the Ronin blockchain,\u201d and the developers \u201ctook shortcuts to relieve network bottlenecks, cutting down the number of nodes that needed to be validated for transactions [to be added to the blockchain] to just five of nine nodes, making it easier for hackers to exploit.\u201d<\/p>\n Read more:<\/strong> The 51% Attack: Crypto\u2019s Double-Spending Achilles Heel<\/a><\/p>\n That\u2019s the dirty little secret of crypto, which likes to tout the immutability of the permanent and unchangeable blockchain. While that\u2019s not wrong, what it doesn\u2019t say is that current and recent transactions aren\u2019t nearly as secure.<\/p>\n And even worse, taking control of a blockchain project allows you to rewrite its rules \u2014 which is apparently what happened to the Ronin Network.<\/p>\n Big Stakes<\/strong><\/p>\n The blockchain technology in question is called proof-of-stake, or PoS, and it\u2019s the consensus mechanism used to secure virtually all DeFi projects \u2014 and really all crypto projects \u2014 in the past couple of years.<\/p>\n Related:<\/strong> PYMNTS Crypto Basics Series: What\u2019s a Consensus Mechanism and Why Is It Destroying the Planet?<\/a><\/p>\n You can get into the details using the link above, but the core point is that PoS is what lets new blockchains avoid the energy-intensive, pollution-belching mining that powers Bitcoin.<\/p>\n PoS replaces Bitcoin\u2019s miners, who compete to validate transactions, add them to the blockchain and collect a reward in newly-minted tokens. In blockchain, randomness is key to security \u2014 no one knows who\u2019s going to be approving any specific transaction.<\/p>\n Instead of racing to solve a puzzle, like miners, PoS blockchains use randomly selected validators who put up a \u201cstake\u201d that is similar to the bonds criminal defendants put up to be allowed out on bail \u2014 a surety that they will show up for trial.<\/p>\n Like bail-jumpers, validators can be penalized by having their stake \u201cslashed\u201d for bad behavior, ranging from letting the network go down to approving bad transactions.<\/p>\n However, the problem isn\u2019t that it\u2019s sometimes worth jumping \u2014 it\u2019s that if there are too few validators, it\u2019s too easy to jump.<\/p>\n Which is where we get back to that fact that the Ronin thief only had to hack five passwords. With only nine validators maintaining the project, and well over a half billion dollars on the line, controlling more than half took a comparatively small amount of phishing to accomplish.<\/p>\n Bad Actors<\/strong><\/p>\n There\u2019s another potential flaw with too small a PoS blockchain that doesn\u2019t rely on hacking, however. Bad actors don\u2019t have to be outsiders.<\/p>\n Let\u2019s pause to be very clear: No one has even suggested the Ronin Blockchain validators were anything other than victims, but the thought exercise is pretty easy to follow.<\/p>\n To become a validator on many decentralized blockchains, all you have to do is set up a node \u2014 a computer running a copy of the blockchain \u2014 and put up a stake.<\/p>\n Generally, it\u2019s not really that much money \u2014 in the five figures range \u2014 worth of the blockchain\u2019s native token. If you set up enough nodes, you can overwhelm the \u201cgood\u201d nodes.<\/p>\n It\u2019s not quite that simple, of course. For one thing, staking generally involves getting lots of token holders to \u201cdelegate\u201d their tokens to the staker in exchange for a cut of the rewards. While randomly chosen to validate any one block, validators are selected in proportion to the size of their stake \u2014 someone with 5% of the total amount staked will be chosen to validate 5% of the new blocks.<\/p>\n Other Options, Other Problems<\/strong><\/p>\n An alternative is delegated proof of stake (DPoS), in which token-holders vote on a set number of delegates, with the top vote-holders becoming the validators. If that sounds better, it isn\u2019t.<\/p>\n
![\"\"](\"https:\/\/securecdn.pymnts.com\/wp-content\/uploads\/2018\/11\/PYMNTS-Study-April-2022.jpg\")