The metaverse has largely avoided major platform exploits. However, bridges to these virtual worlds, like Axie Infinity’s Ronin Bridge, have been hacked, with $600 million stolen in the largest incident. As the metaverse grows and integrates more Web3 sectors, it becomes a more attractive target for hackers. Prioritizing security is crucial for the future of metaverse platforms.
No metaverse has suffered a major exploit in its platform layer so far, but bridges to metaverses have been hacked. This could mostly be attributed to the fact that other sectors of Web3, like DeFi, are far more vulnerable and lucrative to hackers. The single biggest exploit related to the metaverse has been related to the infrastructure layer.
Axie Infinity Ronin Bridge exploit: The Ronin Bridge hack is not only the biggest hack in the metaverse but the biggest by value in the entirety of Web3, with assets worth a whopping $600 million siphoned by hackers.
Acknowledging the raging popularity of its play-to-earn game, Axie Infinity, the parent company, Sky Mavis, moved the game onto its own network from Ethereum to make transactions cheaper for players; it was a sidechain of Ethereum called the Ronin network. Players could move their assets in or out from the sidechain to the Ethereum mainnet through the Ronin Bridge.
Axie Infinity soon became the highest revenue-generating DApp, with over $1.5 billion in value locked on the Ronin network at its peak.
On March 23, 2022, an attacker managed to obtain four of the Ronin validator keys, which were held by Sky Mavis centralized servers. The attacker then identified a backdoor in the gasless remote procedure call node and successfully obtained access to five private keys, including four validators of Sky Mavis and one validator operated by Axie DAO. According to the Ronin Bridge design, only five out of nine validator keys are required to recognize a withdrawal or deposit event, which allowed the attacker to validate and drain funds from the bridge.
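An added example, not from the original article or from Sky Mavis: a short Python audit that counts how many independent trust domains must be compromised before a threshold-signed bridge reaches quorum. The 5-of-9 threshold and the split of four Sky Mavis keys plus one Axie DAO key come from the text above; the other operator names, the shared access path to the Axie DAO key, and the hardened layout are assumptions made for illustration.

```python
from itertools import combinations

def min_domains_to_quorum(key_access, threshold):
    """Smallest set of trust domains whose compromise controls >= threshold keys.

    key_access maps a key id to the set of domains that can each sign with it.
    Returns (count, domains), or (None, ()) if quorum cannot be reached.
    """
    domains = sorted(set().union(*key_access.values()))
    for size in range(1, len(domains) + 1):
        for combo in combinations(domains, size):
            owned = set(combo)
            controlled = sum(1 for access in key_access.values() if access & owned)
            if controlled >= threshold:
                return size, combo
    return None, ()

THRESHOLD = 5  # from the article: five of nine validator keys approve an event

# From the article: four keys held by Sky Mavis, one operated by Axie DAO.
# The four "operator-N" entries are constructed placeholders.
AS_DESIGNED = {f"sky-mavis-{i}": {"Sky Mavis"} for i in range(1, 5)}
AS_DESIGNED["axie-dao"] = {"Axie DAO"}
AS_DESIGNED.update({f"ext-{i}": {f"operator-{i}"} for i in range(1, 5)})

# Assumption for illustration: Sky Mavis infrastructure can also cause the
# Axie DAO key to sign, so one domain reaches five keys.
SHARED_PATH = {key: set(access) for key, access in AS_DESIGNED.items()}
SHARED_PATH["axie-dao"].add("Sky Mavis")

# Hypothetical hardened layout: nine operators, one key each, no shared access.
INDEPENDENT = {f"val-{i}": {f"operator-{i}"} for i in range(1, 10)}

if __name__ == "__main__":
    layouts = [("as designed", AS_DESIGNED), ("shared path", SHARED_PATH),
               ("independent", INDEPENDENT)]
    for name, layout in layouts:
        count, who = min_domains_to_quorum(layout, THRESHOLD)
        print(f"{name}: {count} domain(s) reach quorum -> {', '.join(who)}")
```

The nominal 5-of-9 threshold only gives five-party security in the last layout; the number the audit reports, not the threshold itself, is the figure to track when reviewing a validator set.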
Following the incident, Binance and a16z led a fresh round of $150 million in funding and assured Axie users of reimbursement, preventing a snowball effect from the crisis.
Since then, various attempts have been made to recover the stolen funds, with a government bureau of Norway, Chainalysis and the U.S. Federal Bureau of Investigation managing to recover $36 million cumulatively.
Although this exploit was not directly related to metaverse technology itself, it serves as a reminder that as the metaverse evolves and incorporates other Web3 primitives like DeFi, it will also inherit their vulnerabilities. Despite the lack of major exploits, the metaverse remains a major target for social engineering hacks, with Arkose Labs, a fraud prevention entity, reporting that metaverse businesses face more bot attacks compared to other sectors.
As adoption increases and more valuable data and assets are stored in the metaverse, it will soon be under threat from major exploits. This is reflected in Meta's strategy to attract white hat hackers to hack its VR/AR headsets and reward them up to $300,000 for finding critical vulnerabilities.
Metaverse platforms must ensure that security is their top priority in the coming years if they want to thrive.
In conclusion, the metaverse, despite its relative insulation from major exploits thus far, is not immune to the vulnerabilities that plague other Web3 sectors. The Axie Infinity Ronin Bridge exploit serves as a stark reminder of this fact. As the metaverse continues to grow in popularity, attracting more users and storing more valuable data and assets, it becomes an increasingly attractive target for hackers. Therefore, it is incumbent upon metaverse platforms to prioritize security in their development strategies. The future success and sustainability of the metaverse hinge on the ability to provide a secure environment for its users.