Blockchain has been widely deployed in almost every industry, all of which benefit from blockchain's decentralized, transparent, trustless, immutable, and fully distributed peer-to-peer architecture. Every blockchain project revolves around three core elements: decentralization, security, and scalability depending on its vision and priorities.
Many blockchain projects aiming for global adoption strive to achieve and maximize all three elements simultaneously through their underlying architecture, without compromise. However, the interplay and balance among the three elements make it a challenge to achieve this. The blockchain trilemma, coined by Vitalik Buterin, addresses these challenges and states that two of the three elements of decentralization, scalability, and security are achieved/prioritized at the expense of the others and recognizes that in creating a blockchain that is decentralized, scalable, and secure, tradeoffs are often made.
Decentralization is the core and essence of blockchain, security is a key feature, while scalability is the biggest challenge. Scalability and decentralization are often hindered by security, but security tends to be compromised by any shift in a blockchain network that offers scalability.
Scalability is an essential aspect of any blockchain project, as it determines the ability of the project to handle a higher volume of transactions to achieve mass adoption by reducing settlement time to increase the number of transactions per second (TPS) or throughput of the system.
Due to the opportunity and demand for scaling, third-party blockchains have begun to develop innovative scaling methods such as sidechains, roll-ups, and channels. While these methods encourage most blockchain projects to address the trilemma, the balance between decentralization and security seems to be neglected in most cases.
Ronin Network, an Ethereum-linked sidechain used for the blockchain game Axie Infinity developed by Sky Mavis, is an example of how security and decentralization are set against each other when integrating scaling methods. Axie Infinity is not only an example of the trilemma, but also a project worth examining the priorities and actions of its developers, investors, and users, as well as the perceptions of liability and trust given the outcomes of those actions.
Axie Infinity is a blockchain-based play-to-earn game developed by Sky Mavis and is known for its in-game economy that uses Ethereum-based cryptocurrencies. Due to its massive distribution and popularity around the world, Axie Infinity has seen an immense user rush in February 2021.
With Ethereum having significant scalability shortcomings and with Axie Infinity's increasing popularity, Sky Mavis has felt the need to increase the TPS and launched the Ronin network in February 2021 as an Ethereum-linked sidechain to enable the fast, low-cost transaction throughput needed to scale Axie Infinity.
The Ronin network is being developed as a sidechain that operates independently of the main Ethereum network and has its own consensus mechanism. The Ronin network uses an Ethereum-linked two-way bridge (Ronin Bridge) to connect Ronin to the Ethereum mainnet to reduce friction between users, execute transactions for Axie Infinity, and enable the exchange of digital assets from Axie Infinity players between chains.
The Ronin network has adopted a proof-of-authority consensus model where it relies on a set of trusted validators to process and validate transactions on the network. Along with the multisig system, a majority of these validators, who hold authorized wallets that can be controlled by individuals or institutions, must sign transactions for a transaction or change to be implemented in the smart contract or for a deposit or withdrawal to be recognized.
On March 29, 2022, Sky Mavis reported that there has been a security breach on the Ronin bridge, and validator nodes were compromised resulting in 173,600 ETH and $ 25.5 M worth of USDC stable coins (more than $625 million) drained from the Ronin bridge in two transactions. (1)
According to the official Community Alert, the malicious withdrawals were the result of a hack of the validators' private keys, which were then used to forge withdrawals. The developers further explained that at the time of the hack, Ronin consists of nine validator nodes, five of which must provide their signature in order for a deposit or withdrawal to take place. The hacker managed to gain control of four nodes held by Sky Mavis and used an additional third-party validator operated by Axie DAO, a community-driven organization that supports the Axie Infinity project, to substitute the fifth. Because the attacker had the majority of the validator keys, he was able to maliciously withdraw cryptocurrency directly into a fraudulent Ethereum wallet due to the multisign model of the Ronin Bridge contract.
Although the official Community Alert does not provide details on how the Sky Mavis validators were compromised, it indicates that the attacker gained control of a third-party validator operated by Axie DAO due to an agreement between Sky Mavis and Axie DAO in November 2021. A gas-free RPC node, which allows developers to communicate with servers between two separate chains, was set up to distribute free transactions and reduce costs for users during a period of high network traffic. To do this, Axie DAO had to "whitelist" Sky Mavis by allowing Sky Mavis validators to sign transactions on its behalf so Sky Mavis could quickly authorize transactions to reduce user and network load. Although the agreement was revoked in December 2021, whitelist access was never revoked, allowing the attacker who compromised Sky Mavis validators to use the Axie DAO validator signature required to authorize transactions. (2)
Trust and Liability
Against this backdrop, the exploitation of the Ronin network raised fundamental questions about trust in a trustless network and the distribution of liability in blockchain projects.
Trust is an elusive concept, and while its definition has been the subject of debate among philosophers for centuries, the failure of trust over time has become the starting point for liability. As institutional trust breaks down, the concept of trust transforms into distributed trust, which takes power away from a single source and distributes responsibility among a variety of sources. Trust that once flowed upward to authorities now flows horizontally, in some cases to people and in other cases to programs and code. Blockchain trust is a form of distributed trust that relies on the processes of cognitive risk assessment in incentivizing good behavior and punishing bad behavior. Trust in the blockchain depends on its decentralized, trustless, encrypted, and algorithmic nature. (3)
As Sky Mavis moved the network away from a trustless environment, the network became in need of trust to function, and Sky Mavis derailed trust in the blockchain because of its priorities and subsequent actions;
Sky Mavis' centralized cross-chain bridge solution to the scaling challenge moved the project away from the trustless and decentralized form of security consensus on the Ethereum mainnet. Despite the common pattern of the multisig model requiring signatures to be split across multiple and separate entities, Sky Mavis has preferred to keep four of nine validator nodes in its centralized server. In addition, having a small pool of validators for the consensus of the entire network and reducing the number of instances verifying transactions is a tradeoff in terms of decentralization that requires reducing the difficulty of the network and instead compromises the security of the system.
Sky Mavis' priorities clustered around the urge to maximize TPS while neglecting decentralization, security, and trustlessness. In terms of the trilemma, Sky Mavis abandoned security and decentralization in favor of cost and speed for scalability.
Aside from Sky Mavis' priorities and preferences, which Vitalik Buterin also criticized, it is argued that cross-chain bridges are particularly vulnerable to 51% attacks. Therefore, for projects using cross-chain bridges, a mature process for building sidechains, frameworks for validating updates, security audits, quality checks, setting up dashboards for key metrics and building in triggers when unexpected deltas occur, audits for smart contracts, etc. are a must to ensure the safety of users, their assets, and most importantly, their trust. However, the fact that Sky Mavis did not learn of the security breach until six days after it occurred and after a user complained shows that Sky Mavis did not monitor and strictly follow security measures.
According to the official Community Alert, Sky Mavis takes responsibility, which looks like an implicit admission of his paramount role in Ronin's operation and the security breach. As they move the network away from a trustless environment, they make it vulnerable to attack. Therefore, it could be argued that Sky Mavis should bear much of the responsibility due to its priorities and preferences that trigger the trust failure.
Despite Sky Mavis' failure in various aspects, Sky Mavis has raised $150 million in a "rescue round" led by Binance, with participation from other VCs and current investors such as Animoca Brands, a16z, Dialectic, Paradigm, and Accel. (4) This raises the question of whether the current investors are jointly liable with Sky Mavis for the repayment of the funds involved. Whether or not they share responsibility, it is clear that investors need to do better due diligence before investing.
Although users appear to be victims of the hack, some of the responsibility remains with them. Especially in countries where Axie Infinity has become a revenue model, participants' focus on quick and cheap transactions leads to projects that are not fully decentralized and vulnerable to security breaches due to scaling methods.
While the exploitation of the Ronin network illuminates why and how trust fails, distinction and distribution of liability remain questionable.
While the exploitation of the Ronin network highlights the importance of decentralized scaling as well as building a trustless network for the trust of participants and reinforce distributed liability, it, unfortunately, fails to tackle the blockchain trilemma.