Comprehensive Analysis of Recent Side Chain Hacks

The development of blockchain technologies is not all lavender and roses… In the past year alone, the world has seen three major side chain hacks with combined losses exceeding $1.5 billion. Even though several precautions have been adopted to minimize the adverse consequences, the way things are going, people’s stance toward side chains will probably change soon. This article briefly examines what side chains mean for the blockchain ecosystem, reviews the recent hacks shaping their future (namely those of the Poly, Wormhole, and Ronin Networks), and finally analyzes the key takeaways to be drawn from them.

What is a Side Chain?

In general terms, a side chain is a separate blockchain network running in parallel with a primary blockchain (the parent blockchain or mainnet), connected to it through a two-way bridge (link).[1] With the help of such a mechanism, several blockchains can form a global decentralized network while preserving their independence and keeping their own rules, functionalities, and protocols. Furthermore, this allows blockchains to improve their security and privacy and to minimize the additional trust needed to operate the network.[2]

The main objective of side chains is to facilitate transactions between blockchains at lower cost and in less time, and to help existing blockchains scale and become more interoperable. In this regard, the two-way link and the smart contracts are the main elements in the operation of a side chain.

So, how do side chains work? Interestingly enough, no digital asset actually moves between the mainnet and the secondary chain; the transfer is only represented. When a user requests to send a digital asset to an output address, that asset is locked on the current blockchain. At the same time, an equivalent amount is released on the other blockchain once the transaction has been validated by smart contracts. At this stage, "validators" play a crucial role in confirming cross-chain transactions and detecting fraudulent ones.

Here is one of the good illustrations that summarize operating principles of the side chains:

Figure 1: Operating principle of a side chain. Source: https://www.ulam.io/blog/sidechains-and-their-applications-blockchain/

The novelty of side chains emerges from enabling digital assets (including tokens and coins) to move freely between the blockchains. On the other hand, they have numerous drawbacks to consider before establishing and operating one. 

Recent Hacks Shaping the Future of Side Chains

  1. Poly Network

Poly Network is a DeFi (decentralized finance) platform established to ensure interoperability between various blockchains, including Bitcoin, Ethereum, Ontology, and Binance Smart Chain. It facilitates peer-to-peer transactions by allowing users to transfer or swap tokens across different blockchains.  

In August 2021, a hacker found a vulnerability in Poly Network’s contract calls,[3] and the world was shocked by the largest DeFi hack to date: $611 Million stolen from three different blockchains, Ethereum, Binance Chain, and Polygon.

Following the attack, Poly Network confirmed it via Twitter, published the hacker’s wallet addresses, asked all miners and exchanges to blacklist those addresses, and requested the hacker to return the money in a letter starting with "Dear Hacker." Surprisingly, they also offered the hacker, whom they called “Mr. White Hat”, a $500,000 prize for detecting the vulnerability in their network, along with the opportunity to become their chief security adviser, which unsurprisingly drew an adverse public reaction.

Meanwhile, the hacker requested a “multi-sig wallet” to return the stolen money and kept his promise, sending back the full amount (less $500,000) in stages.

  2. Wormhole

Wormhole, a cross-chain bridge between Ethereum and Solana, also suffered an attack in early February 2022, in which $320 million was stolen. However, Jump Crypto, the holding company behind the bridge, replenished all the stolen funds from its own cash and thereby quieted public concern.

  3. Ronin Network

Ronin Network is a custom-built side chain based on Ethereum that powers one of the most popular NFT play-to-earn games, “Axie Infinity”, developed by the Vietnamese company Sky Mavis.

As the popularity of Axie Infinity rose, Sky Mavis launched Ronin Network to provide the cheaper and faster transactions needed to run and scale a play-to-earn game. Ronin Network is connected to Ethereum by a bridge, whereby tokens on one chain are locked in a smart contract while proxies move freely on the other.[4]

However, on 29 March 2022, the Ronin Network announced that 173,600 ETH and $25.5 Million in USDC (corresponding to $622 Million in total) had been drained in two transactions from the bridge connecting Ronin Network to the Ethereum mainnet. Even though the heist occurred on 23 March 2022, the Ronin team only discovered it six days later, when a user reported that he could not withdraw 5,000 ETH from the bridge.

The hackers’ success came down to the weak validator structure of the Ronin bridge. As briefly explained above, validators play a significant role in the security of side chains. Ronin Network, however, had only 9 validator nodes on the date of the attack, and signatures from 5 of the 9 were sufficient to approve any deposit or withdrawal request. So anyone controlling a majority of the validators could approve fraudulent transactions. Since 4 nodes were operated directly by the same entity, Sky Mavis, the hacker gained control of all 4 by breaching Sky Mavis’ systems and the relevant private keys, and then needed only one more validator signature to control the bridge and carry out the heist.

The hackers obtained that last signature through an arrangement between Sky Mavis and the Axie DAO dating from November 2021. Under an immense user load, Sky Mavis had asked the Axie DAO for help distributing free transactions and was allowlisted to sign transactions on the DAO's behalf. Although this practice was discontinued in December 2021, the allowlist access was not revoked until the recent security breach. The hackers therefore also obtained the Axie DAO validator's signature through the gas-free RPC and drained the bridge silently.[5]

Following the breach, Sky Mavis took several actions, including but not limited to halting the Ronin bridge and the Katana DEX,[6] increasing the number of validators (expected to rise to 21 in the near future),[7] raising the validator threshold (currently 10 out of 11), migrating nodes to new infrastructure, and working with various third parties (e.g., law enforcement officials and investors) to compensate for the damage.
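To make the validator arithmetic concrete, here is an added Python model (not code from Sky Mavis or Ronin) that computes how many distinct entities an attacker must compromise to reach the signing threshold. The 5-of-9 and 10-of-11 thresholds and the four Sky Mavis nodes come from the text above; the other operator names and the node distribution after remediation are constructed assumptions.

```python
from dataclasses import dataclass, field
from itertools import combinations

@dataclass
class ValidatorSet:
    threshold: int
    operators: dict                                   # validator node -> entity holding its key
    delegations: dict = field(default_factory=dict)   # grantor entity -> entities allowlisted to sign for it

    def signatures_controlled(self, compromised: set) -> int:
        """Signatures an attacker holding the keys of `compromised` entities can produce:
        each node they operate, plus each node whose operator still allowlists one of them."""
        count = 0
        for operator in self.operators.values():
            if operator in compromised or self.delegations.get(operator, set()) & compromised:
                count += 1
        return count

    def min_entities_to_breach(self) -> int:
        """Smallest number of distinct entities whose key compromise meets the threshold."""
        entities = sorted(set(self.operators.values()))
        for k in range(1, len(entities) + 1):
            for subset in combinations(entities, k):
                if self.signatures_controlled(set(subset)) >= self.threshold:
                    return k
        return len(entities) + 1   # threshold unreachable even with every key

def ronin_before_breach() -> ValidatorSet:
    """5-of-9 as described above: four Sky Mavis nodes, one Axie DAO node that still
    allowlists Sky Mavis, and four nodes under constructed placeholder operators."""
    ops = {f"sky-mavis-{i}": "Sky Mavis" for i in range(4)}
    ops["axie-dao"] = "Axie DAO"
    ops.update({f"node-{i}": f"Operator-{i}" for i in range(4)})
    return ValidatorSet(5, ops, {"Axie DAO": {"Sky Mavis"}})

def ronin_after_revocation() -> ValidatorSet:
    """Same set once the stale November 2021 allowlist is revoked."""
    vs = ronin_before_breach()
    vs.delegations = {}
    return vs

def remediated() -> ValidatorSet:
    """10-of-11 from the text; four Sky Mavis nodes plus seven independent operators is a constructed assumption."""
    ops = {f"sky-mavis-{i}": "Sky Mavis" for i in range(4)}
    ops.update({f"node-{i}": f"Operator-{i}" for i in range(7)})
    return ValidatorSet(10, ops)

if __name__ == "__main__":
    for build in (ronin_before_breach, ronin_after_revocation, remediated):
        print(f"{build.__name__}: {build().min_entities_to_breach()} entity/entities must be compromised")
```

With the stale allowlist in place, compromising Sky Mavis alone yields 5 signatures; revoking it raises the bar to two entities, and the higher threshold to seven under the assumed distribution.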

In the past week, Sky Mavis has also announced that they are onboarding Nansen, Delphi Digital, Stable Node, Animoca Brands, and Dialectic into their validator node pool and intend to evolve the current source code to improve security and decentralization (by assigning withdrawal limits and enabling more governance functions). Furthermore, they raised $150,000 in a round led by Binance, with participation from Animoca Brands, a16z, Dialectic, and Paradigm, in order to reimburse the users affected by the heist.[8] Sky Mavis and Axie's balance sheet will be used to cover the remaining amount.

Sky Mavis is also planning to adopt a circuit breaker mechanism that monitors whether any user tries to withdraw a massive amount from the network. In such a case, the bridge will be shut down until validation is completed.[9]
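The circuit breaker described above, as an added Python illustration rather than Sky Mavis’ own implementation: per-asset limits on a single withdrawal and on the volume within a rolling window halt the bridge until an operator review clears it. The limits, the window and the sample withdrawal log are constructed; only the two heist-sized amounts are the figures quoted in the text.

```python
from collections import defaultdict, deque

class BridgeCircuitBreaker:
    """Halts all withdrawals when one request, or the volume within a rolling window,
    exceeds the per-asset limit; stays halted until an operator review clears it."""
    def __init__(self, limits: dict, window_seconds: int):
        self.limits = limits                # asset -> (max single withdrawal, max window total)
        self.window_seconds = window_seconds
        self.recent = defaultdict(deque)    # asset -> (timestamp, amount) entries inside the window
        self.halted = False
        self.halt_reason = None

    def request_withdrawal(self, ts: int, asset: str, amount: float) -> str:
        """'approved', 'halted' (this request tripped the breaker) or 'rejected' (already halted)."""
        if self.halted:
            return "rejected"               # nothing leaves the bridge until review completes
        single_max, window_max = self.limits[asset]
        window = self.recent[asset]
        while window and ts - window[0][0] > self.window_seconds:
            window.popleft()                # expire entries that fell out of the window
        if amount > single_max or sum(a for _, a in window) + amount > window_max:
            self.halted = True
            self.halt_reason = f"{asset} withdrawal of {amount} at t={ts}"
            return "halted"
        window.append((ts, amount))
        return "approved"

    def resume_after_review(self) -> None:
        """Operator clears the halt once the flagged withdrawal has been validated."""
        self.halted = False
        self.halt_reason = None
        self.recent.clear()

# Constructed limits and sample log (not Sky Mavis' real parameters): routine
# withdrawals, then two heist-sized requests using the figures quoted above.
LIMITS = {"ETH": (1_000.0, 5_000.0), "USDC": (2_000_000.0, 10_000_000.0)}
SAMPLE_LOG = [
    (0, "ETH", 120.0), (600, "USDC", 50_000.0), (900, "ETH", 800.0),
    (1200, "ETH", 173_600.0),        # trips the single-withdrawal limit -> halted
    (1260, "USDC", 25_500_000.0),    # rejected: bridge already halted
]

def replay(log, limits=LIMITS, window_seconds=3600) -> list:
    """Run a (timestamp, asset, amount) log through a fresh breaker; one decision per entry."""
    breaker = BridgeCircuitBreaker(limits, window_seconds)
    return [breaker.request_withdrawal(ts, asset, amt) for ts, asset, amt in log]

if __name__ == "__main__":
    for entry, decision in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(entry, "->", decision)
```

Under this check the first oversized transfer is stopped at once instead of being discovered six days later, and the second never executes.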

Key Takeaways from the Recent Side Chain Hacks

The foregoing side chain attacks, all of which occurred in the last year, clearly show how vulnerable side chain mechanisms are to attack. Even though moving from the main blockchain networks to side chains lets companies accommodate more transactions faster and more cheaply, it inevitably makes the network more centralized and, thus, more prone to system failures, attacks, and hacks.

As Ethereum’s founder Vitalik Buterin noted in one of his posts, the future of crypto may lie in multiple chains functioning well side by side; however, side chains are unlikely to share the same fate, since transferring assets across chains will never be as secure as transacting within a single blockchain.[10]

At this point, the importance of “trustlessness” also stands out. Bitcoin, for instance, achieves trustlessness by distributing trust across its participants. Side chains, on the other hand (as the Ronin case shows), may be secured by only a handful of validators, so they are neither decentralized nor trustless.

It wouldn’t be wrong to say that we will see more such attacks in the near future. Nevertheless, the recent attacks have prompted a re-evaluation of the importance of truly distributed networks. Therefore, the companies operating side chains should adopt measures to strengthen network security and make their side chains as decentralized and trustless as possible, while informing users of the risks associated with such mechanisms.

  [1] https://www.coindesk.com/learn/an-introduction-to-sidechains/ (Accessed on 12/04/2022).
  [2] https://coinmarketcap.com/alexandria/glossary/side-chain (Accessed on 12/04/2022).
  [3] https://decrypt.co/93874/biggest-defi-hacks-heists (Accessed on 12/04/2022).
  [4] https://www.coindesk.com/business/2022/04/08/axie-infinity-builder-takes-full-responsibility-for-625m-ronin-hack-exec-says/ (Accessed on 12/04/2022).
  [5] https://roninblockchain.substack.com/p/community-alert-ronin-validators?s=w (Accessed on 12/04/2022).
  [6] They will resume operations once the security upgrades and internal audits are completed; Sky Mavis expects this to take several weeks. https://roninblockchain.substack.com/p/community-alert-ronin-validators?s=w (Accessed on 12/04/2022).
  [7] The company also provided an application form in the newsletter for validators with a high degree of alignment and technical ability (Accessed on 12/04/2022).
  [8] a16z, Paradigm, and Accel were also among the companies that participated in Sky Mavis' Series B fundraise in October 2021.
  [9] https://vpsfix.com/17799/all-you-need-to-know-about-axie-infinitys-ronin-bridge-hack/ (Accessed on 12/04/2022).
  [10] https://www.coindesk.com/layer2/2022/04/05/ronin-attack-shows-cross-chain-crypto-is-a-bridge-too-far/ (Accessed on 12/04/2022).