Last Friday’s newsletter got a lot of comments both on my actual blog and on FB, and I wanted to highlight a few of them here. If you missed the original discussion, I interviewed three Axie players who had recently lost their axies in similar hacking incidents, and asked the community for help about how it possibly happened. (If you prefer to read it in Tagalog, here’s Bitpinas’ official translation.)
It looks like the prevailing theory is that the victims installed a fake Ronin wallet from RoninWallet.net or Ronin-wallet.com, neither of which is an official SkyMavis website. (This video from Ruel D outlines how it happened to him.) When users went to the website to set up their wallet for the first time, their secret phrases were instantly compromised. Both Roninwallet.net and Ronin-wallet.com domain names were registered within four days of each other, and both websites are now down. We can easily find out through a lookup service that they were registered via Namecheap, and that the registrant paid the extra fee to hide his/her contact information. The current status of “clientHold” means that there’s an ongoing investigation regarding the domain name, and I surmise that this is a result of the hacks originating from it.
Another theory was that there was a vulnerability in the Kiwi mobile browser (explained in this comment by Markku S), which is a popular browser amongst Axie players who play primarily on their mobile phones. Kiwi is unique because it’s the only mobile browser that is compatible with Google Chrome extensions. (Google’s official mobile version of Chrome is still incompatible with its own network of extensions.) Since Ronin is only available as a Chrome extension, this is the only option available for players who don’t have desktops or laptops. This theory is a lot more esoteric and requires several conditions to be met before you could get hacked. I should also mention that the Kiwi browser itself is NOT broken; it just happens to be a little less secure than the current latest version of Chrome. In terms of likely causes, I still think that it’s far easier to simply hijack the Ronin setup process through the fake websites above. All the hacker needs to do is add a step that asks the user to type in their secret phrase for confirmation purposes, and they’re done.
One other possibility that needs to be highlighted is the “sneaky seller” problem, as mentioned by JB. If you’re a total beginner and are looking for a good deal on your first axie team, it’s very likely that you’ll be on Facebook shopping for cheap buys. If a helpful seller offers to assist you in setting up your Ronin wallet, you may not know that showing them your secret phrase is tantamount to giving them back the axies they just sold you. Once they’ve saved your secret phrase, all they need to do is wait a few days for you to earn some SLP, then they’ll transfer the axies out of your wallet and sell them again. This scam is a little harder to pull off at scale because it’s “high touch,” meaning the scammer needs to spend a lot of time talking to each of their potential victims. We see this a lot with e-commerce scams on Lazada or Shopee, where the merchant pretends that the victim’s purchased goods are stuck in customs and that they need an additional X thousand pesos to get them out. And then of course there’s a holding fee, a clearance fee, and a final delivery fee as well. When the customer finally stops paying and tries to report them to Lazada, the merchant storefront mysteriously disappears from the platform.
There were many other theories, but the ones mentioned above highlight three different vectors of attack: website, browser, and social engineering. What they all have in common though is that they all got the victims to share their secret phrases. I don’t believe there’s a security vulnerability in the Ronin wallet itself (assuming you installed the real one). The community needs to work together to help educate its newbies, and I’d love to contribute to any grassroots efforts that will help teach people how to keep themselves safe. There’s no point playing-to-earn if you can’t keep your earnings and assets secure.
The crypto markets are looking very strong this morning, with $BTC attempting another run at $50k and $ADA at an ATH of $2.70. Cardano’s jaw-dropping run-up in the last week has allowed it to overtake $BNB as the third largest coin by market cap. Why is it pumping so hard? They’re finally adding smart-contract functionality on September 12th. Unlike its chief rival Ethereum, which had smart contracts from the beginning, Cardano opted to work on its proof-of-stake consensus algorithm first, and then add smart contracts later. If all goes well this September, it’ll have successfully combined proof-of-stake with smart contract capabilities before Ethereum does. What does that mean for $ADA? Well, over the next year, you will likely see a flurry of startups recreating the same DeFi ecosystems that we already have on Ethereum and Binance Smart Chain.
My Axie journey as a player has been going quite well these last 10 days. On average I make about 200 SLP per day, and I’m closing in on my first ever SLP claim very soon. On Sunday, I made 300 SLP with a really lopsided 67% win-rate and an ending MMR of 1676. In case you missed it, I made this silly video detailing my daily grind.
Catch you all in two days, cryptofam! Stay safe out there!
Boss, what is your team? And what’s the highest rank you reached to get that 300 SLP?
Axie win and a great burger go together!!!