Crypto news seeped back into mainstream headlines last week with the disclosure of a $624 million heist from Axie Infinity’s Ronin Network. The attack targeted the Ronin Bridge, which enables users to pass funds between the Ronin network and Ethereum. To some in the crypto world, the Ronin attack was evidence that the future of crypto, even if it is to be “multichain,” is unlikely to be “cross-chain.” With teams fleeing Ethereum for more centralized blockchains that are faster and cheaper, the Ronin attack also served as a reminder of decentralization’s importance. Ronin is a sidechain, or parallel network, to Ethereum. Sky Mavis, the company behind the wildly popular play-to-earn game Axie Infinity, created Ronin in 2020 after realizing Ethereum’s base layer was too slow and expensive to handle all the transactions required to power such a game. When you look under the hood, bridges like Ronin’s typically work by locking up cryptocurrency in smart contracts on one chain, and then re-issuing those tokens in “wrapped” form on a destination chain. So for example, if you were to use the Ronin Bridge to move ether (ETH) from Ethereum to Ronin, ETH gets locked up on Ethereum to serve as 1:1 backing for wrapped ether (WETH) issued on Ronin. With so much money locked up in one place, bridges have become popular targets for thieves. The Ronin attacker pulled off March’s exploit by obtaining five of the nine validator keys that are responsible for securing the Ronin network. By holding a majority of the keys, the attacker was able to maliciously withdraw piles of cryptocurrency straight from the Ronin Bridge into a rogue Ethereum wallet. Once the full extent of the Ronin attack became public, it quickly took its throne atop the infamous Rekt leaderboard, which started ranking attacks on DeFi protocols in 2020 in terms of money lost. Ronin was not the first, nor is it likely to be the last, crypto bridge looted for vast sums of cryptocurrency. Joining Ronin in the second and third slots of Rekt’s leaderboard are two more attacks on crypto bridges. In third place is February’s $311 million exploit of the Wormhole bridge. And in second place is the August 2021 attack on the Poly Network bridge, where a hacker famously stole $611 million only to give it all back. Stay in your chain With yet another crypto bridge getting exploited for hundreds of millions of dollars, many in the crypto community have quipped that the Ronin exploit is further evidence that “cross-chain” crypto is doomed to fail. Some members of the Ethereum community have pointed to the words of Ethereum founder Vitalik Buterin, who described his feelings on the limits of cross-chain bridges in a January Reddit post. “The fundamental security limits of bridges are actually a key reason why, while I am optimistic about a multi-chain blockchain ecosystem … I am pessimistic about cross-chain applications,” Buterin wrote. Sending assets across cross-chain bridges will never carry the same security guarantees as transacting within individual blockchain ecosystems, he explained in the 900-word post. Much of Buterin’s critique of cross-chain bridges stems from the fact that they are particularly vulnerable to 51% attacks like the one that afflicted the Ronin network. If a bridge is attacked on one blockchain and drained of funds, users on the other end of the bridge – on a totally different blockchain – are also affected, since they will be left holding tokens that are no longer backed by anything. “If there are 100 chains, then there will end up being dapps with many interdependencies between those chains, and 51% attacking even one chain would create a systemic contagion that threatens the economy of that entire ecosystem,” Buterin wrote. Sky Mavis tried to scale up its ability to operate on Ethereum by building out a sidechain (Ronin). But scaling a layer 1 blockchain via a sidechain – which will always require a bridge – will arguably never be as safe as scaling via solutions like rollups, which inherit their security guarantees from a layer 1 chain. The value of decentralization In addition to highlighting the shortcomings of cross-chain bridges, the Ronin attack validated another core thesis among Ethereum devotees – one which is shared by bitcoiners and crypto-idealists in general – which is that true decentralization is vitally important to the success of any crypto ecosystem. Decentralization often gets lumped in with the politics and ideology of crypto’s Twitterati – framed as a promise to pull power away from institutions and middlemen and give it back to the little guy. While appealing to some, arguments around the philosophical virtues of decentralization are a turn-off to those who think blockchains are just as corruptible as any other technology. Moreover, more and more crypto projects are emerging that throw decentralization to the wind, believing (perhaps rightfully) that today’s users don’t care about decentralization so long as they can transact quickly and cheaply – a shortcoming of Ethereum as it currently exists. The Ronin attack reminds us that decentralization, regardless of what users might think, is of practical security importance for big-money applications. Sky Mavis moved from Ethereum to Ronin to speed transactions and cut costs. It achieved these goals (Ronin processed over 500% more transactions than Ethereum at its peak), but its centralized proof-of-authority model, where just nine validators were in charge of securing the whole network, left it vulnerable to attack. Ethereum has major scalability shortcomings, and its slow pace migrating to Ethereum 2.0 has left room for more centralized chains like Ronin to emerge out of sheer necessity. Nevertheless, as “the Merge” inches closer, last month’s Ronin attack showed why the hard work of decentralization at scale remains important. |