Subscriber OnlyTechnology

Time has come for better cryptocurrency regulation

QuadrigaCX collapse and the Sky Mavis theft raise serious security issues

Sky Mavis reported the loss of $650 million (€590 million) of its cryptocurrencies held on behalf of its players.

Chris Horn's face
Chris Horn
Thu Apr 21 2022 - 05:09

The documentary Trust No One was released by Netflix recently. It tells the true story of a Canadian start-up, QuadrigaCX, which offered currency exchange services into and from cryptocurrencies, and especially with the Canadian dollar.

It was co-founded in 2013 by Gerald Cotten and Omar Dhanani (now Michael Patryn). Dhanani/Patryn left the company in 2016, leaving Cotten as the sole director. The company grew fast, from trading about 7 million Canadian dollars (€5 million) of bitcoin in 2014, to 1.2 billion Canadian dollars in 2017.

Then, in January 2019, Cotten’s widow announced his premature death arising from complications from Crohn’s disease a month earlier, while volunteering in an Indian orphanage.

At the time, about 250 million Canadian dollars was reputedly held in cryptocurrency on behalf of some 115,000 customers in electronic wallets on Cotten’s laptop and to which only the deceased had held the passwords.

READ MORE

However, crypto analysts subsequently noted that there was no evidence on the public blockchain ledger of these sums, and that apparently the monies may have been moved elsewhere.

Rumours and hypotheses to this day surround the reported death of Cotten, the collapse of the exchange and the losses involved.

Last week also saw to date the largest ever theft of cryptocurrency. A Vietnamese online gaming company Sky Mavis reported the loss of $650 million (€590 million) of its cryptocurrencies held on behalf of its players.

Ironically, the theft occurred due to weaknesses in the security of the system as Sky Mavis attempted to dramatically reduce the energy requirements and latencies required by traditional cryptocurrency infrastructures.

Development of Sky Mavis’s game, Axie Infinity, started in 2017 and it has since become very popular, particularly in the Philippines. The founders observe that traditional online games offer little financial incentives to their players, with the game revenues shared only between the game publishers and as distribution fees by the app store providers.

Axie Infinity instead offers a “play to earn” model in which players can earn considerable sums over time from property rights over digital assets encoded in the game. If you spend money in such a game, it is an investment from which you may make real money in the future – so much so, that a “leisure economy” can develop, which provides a living income to skilled participants, as has happened for some Axie Infinity players in the Philippines.

Axie Infinity is an online pet universe, in which you can own, breed and trade virtual pets, called “axies”. To play the game, you must first purchase at least three axies from the official online axie marketplace – not unlike buying race horses at auction.

Currently, it costs about $1,000 to purchase your initial collection. Because of the expense involved, sometimes syndicates are formed (again, not unlike horse ownership). Axie pets have a large variety of characteristics such as category (aquatic, bird, reptile etc), body parts and colour patterns, breeding history and potential.

Technical challenge

Axies can and often do battle with each other, with rewards going to the victors, but with the defeated never dying. Currently, there is an axie population of several million, with more being bred although an individual axie can only be bred up to seven times.

Players can regularly cash out their cryptocurency earnings as they wish from the game back into fiat currency (a government-issued currency). Sky Mavis owns only about 20 per cent of the value of the cryptocurrencies of the game, with the remainder directly owned by its players.

The technical challenge faced by Sky Mavis in building the financial underpinning of the game was how to implement a high volume, low latency rate for the potentially thousands of individual transactions made each second as the game is played.

Furthermore, traditional cryptocurrencies use inexcusable amounts of energy and suffer long transaction latencies, often, many minutes. The solution is to use a “side-chain” which is pegged to the main Ethereum blockchain adopted for Axie Infinity.

Ethereum, and other public blockchains, use a large number of machines under varied ownership worldwide to authorise individual transactions, which greatly diminishes the opportunity for a nefarious actor to be able to take control.

On the downside, this large number of validators impacts the transaction performance of public blockchains. For the Axie Infinity side chain, Sky Mavis authorised just nine validators, of which at least any five are needed to confirm each game transaction.

The inevitable happened. Under pressure to cater for the accelerating transaction demands from the growing popularity of the game, last December Sky Mavis temporarily reduced its security procedures. The transaction volume surge was successfully managed, but Sky Mavis then forgot to reset its security procedures afterwards.

During March some third party – no one and no organisation has yet owned up – gained access to more than five of the validators, and stole over $500 billion worth of cryptocurrency assets. Almost as bad, it took Sky Mavis six days to discover the event.

Cryptocurrency transactions are irreversible, so it is difficult to retrieve stolen assets. While cryptocurrency opens up the possibility of entirely new genres of activity, such as leisure economies, events like the QuadrigaCX collapse and the Sky Mavis theft only add further pressure for international regulation of cryptocurrency infrastructures and operating procedures.

LATEST STORIES