
Ronin Bridge Hack

March 23, 2022 | $620 million | Cross-Chain Bridge Exploit | Ethereum / Ronin

The Story

On March 23, 2022, hackers compromised five validator nodes of the Ronin Network, the Ethereum sidechain built for the popular blockchain game Axie Infinity. The attack went undetected for nearly a week before a user was unable to withdraw 5,000 ETH, prompting an investigation that uncovered the massive breach.

The attackers stole approximately 173,600 ETH and 25.5 million USDC, with a combined value of around $620 million at the time, making it one of the largest cryptocurrency heists in history. The U.S. government later attributed the hack to the North Korean state-sponsored hacking group Lazarus.

Sky Mavis, the company behind Axie Infinity, secured $150 million in funding to reimburse affected users and implemented a reimbursement plan, while also redesigning its bridge with enhanced security measures.

Technical Analysis

The Ronin Network operated using a Proof of Authority (PoA) consensus mechanism with nine validator nodes, requiring five signatures to approve transactions. The hackers managed to compromise four Sky Mavis validators and a third-party Axie DAO validator to gain control of the majority needed to authorize malicious withdrawals:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Simplified version of the vulnerable validation logic: the signature-count
// check is delegated to a validator contract, so the gateway is only as safe
// as the keys behind that threshold.
interface IValidator {
    function checkThreshold(address _voter) external view returns (bool);
}

contract SimplifiedGateway {
    using SafeERC20 for IERC20;

    IValidator public validatorContract;
    address public mainchainGateway;
    event WithdrawnERC20(address token, address to, uint256 amount);

    // Only the trusted mainchain gateway contract may trigger a withdrawal
    modifier onlyMainchainGateway() {
        require(msg.sender == mainchainGateway, "Not mainchain gateway");
        _;
    }

    function withdrawERC20(address _token, address _to, uint256 _amount)
        external onlyMainchainGateway
    {
        // Check if the transaction has enough validator signatures
        require(validatorContract.checkThreshold(msg.sender), "Not enough validator signatures");
        // Transfer tokens if validation passes
        IERC20(_token).safeTransfer(_to, _amount);
        emit WithdrawnERC20(_token, _to, _amount);
    }
}

The key security failures included:

  1. The validator key threshold (5 out of 9) was too low for the value secured
  2. Four validator keys were accessible from a single point of compromise
  3. The attacker had obtained the private keys through a sophisticated social engineering attack
  4. The bridge's monitoring system failed to detect the unusual withdrawals for nearly a week
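The threshold and single-point-of-compromise failures above can be expressed as a signing policy and checked mechanically. The following Python model is an added example, not Ronin or Sky Mavis code: it implements the plain 5-of-9 check that the simplified gateway above delegates to its validator contract, then adds a per-operator cap so that keys held by one infrastructure cannot supply the quorum on their own. The validator names, the operator split beyond the four-Sky-Mavis/one-Axie-DAO figures given above, and the cap value of 2 are constructed assumptions.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from math import inf
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Validator:
    name: str
    operator: str  # organisation whose infrastructure holds this validator's key


# Constructed validator set modelled on the text: nine validators, four of them
# run by Sky Mavis and one by the Axie DAO. The other four operators are
# placeholders (assumption); the page does not describe the remaining validators.
VALIDATORS: Dict[str, Validator] = {
    v.name: v
    for v in (
        Validator("val-1", "sky-mavis"),
        Validator("val-2", "sky-mavis"),
        Validator("val-3", "sky-mavis"),
        Validator("val-4", "sky-mavis"),
        Validator("val-5", "axie-dao"),
        Validator("val-6", "operator-c"),
        Validator("val-7", "operator-d"),
        Validator("val-8", "operator-e"),
        Validator("val-9", "operator-f"),
    )
}

# The five keys the text says were compromised: four Sky Mavis plus the Axie DAO one.
COMPROMISED_SIGNERS = ["val-1", "val-2", "val-3", "val-4", "val-5"]


@dataclass(frozen=True)
class Decision:
    approved: bool
    counted: int   # signatures that counted toward the threshold
    reason: str


def evaluate(signers: Iterable[str], threshold: int,
             max_per_operator: Optional[int] = None,
             validators: Dict[str, Validator] = VALIDATORS) -> Decision:
    """Plain k-of-n check: distinct, known signers >= threshold.

    With max_per_operator set, at most that many keys per operator are counted,
    so no single compromised infrastructure can supply the quorum by itself
    (the key-distribution lesson expressed as policy)."""
    seen: set = set()
    for s in signers:
        if s not in validators:
            return Decision(False, 0, f"unknown signer {s}")
        if s in seen:
            return Decision(False, 0, f"duplicate signer {s}")
        seen.add(s)
    per_operator = Counter(validators[s].operator for s in seen)
    if max_per_operator is None:
        counted = len(seen)
    else:
        counted = sum(min(n, max_per_operator) for n in per_operator.values())
    if counted < threshold:
        return Decision(False, counted,
                        f"{counted} counted signature(s) below threshold {threshold}")
    return Decision(True, counted, "threshold met")


def min_operators_to_reach(threshold: int, max_per_operator: Optional[int] = None,
                           validators: Dict[str, Validator] = VALIDATORS) -> int:
    """Fewest distinct operators whose keys together reach the threshold, i.e. how
    many independent infrastructures an attacker would have to compromise.
    Greedy: take the operators with the most countable keys first."""
    cap = inf if max_per_operator is None else max_per_operator
    keys_per_operator = Counter(v.operator for v in validators.values())
    countable = sorted((min(n, cap) for n in keys_per_operator.values()), reverse=True)
    total, used = 0, 0
    for n in countable:
        if total >= threshold:
            break
        total += n
        used += 1
    if total < threshold:
        raise ValueError("threshold unreachable under this policy")
    return used


if __name__ == "__main__":
    print(evaluate(COMPROMISED_SIGNERS, threshold=5))
    print(evaluate(COMPROMISED_SIGNERS, threshold=5, max_per_operator=2))
    for cap in (None, 2):
        print(f"operators to compromise (cap={cap}):", min_operators_to_reach(5, cap))
```

Under the plain 5-of-9 rule the five compromised keys are approved and only two operators (Sky Mavis plus the DAO) stand between an attacker and the quorum; with a cap of two keys per operator the same signer set counts as three and is rejected, and reaching five now requires keys from four separate operators.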

Lessons Learned

  1. Cross-chain bridges should implement higher validator thresholds proportional to the assets they secure
  2. Validator keys should be distributed across different security infrastructures with no single point of failure
  3. Automated monitoring systems should flag and potentially pause unusually large transactions
  4. Regular security audits should include penetration testing of social engineering vectors
  5. Emergency response protocols should be in place for rapid reaction to detected breaches
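As an added illustration of the monitoring lesson (item 3) and the week-long detection gap described in the story, the Python monitor below is not Sky Mavis code: it applies a per-transaction cap, a rolling 24-hour volume cap and a spike-versus-recent-median rule to a constructed stream of bridge withdrawals, and sets a pause flag on any hard-cap breach. The limits, timestamps, addresses and normal-traffic amounts are assumptions; only the two large amounts echo the figures given above.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import median
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Withdrawal:
    ts: int        # unix seconds
    token: str
    to: str
    amount: float


@dataclass(frozen=True)
class Alert:
    rule: str
    withdrawal: Withdrawal
    detail: str


@dataclass(frozen=True)
class Limit:
    per_tx: float      # hard cap on a single withdrawal
    per_window: float  # hard cap on total volume inside the rolling window


class BridgeMonitor:
    """Flags withdrawals that breach a per-transaction cap or a rolling-volume cap,
    or that dwarf the recent median, and pauses the bridge on any hard-cap breach."""

    def __init__(self, limits: Dict[str, Limit], window: int = 86_400,
                 spike_factor: float = 10.0, min_history: int = 5) -> None:
        self.limits = limits
        self.window = window
        self.spike_factor = spike_factor
        self.min_history = min_history
        self.history: Dict[str, Deque[Withdrawal]] = defaultdict(deque)
        self.paused = False

    def observe(self, w: Withdrawal) -> List[Alert]:
        hist = self.history[w.token]
        while hist and hist[0].ts < w.ts - self.window:  # expire entries outside the window
            hist.popleft()
        alerts: List[Alert] = []
        limit = self.limits.get(w.token)
        if limit is not None:
            if w.amount > limit.per_tx:
                alerts.append(Alert("per_tx_cap", w, f"{w.amount} > per-tx cap {limit.per_tx}"))
            volume = sum(h.amount for h in hist) + w.amount
            if volume > limit.per_window:
                alerts.append(Alert("window_cap", w,
                                    f"{volume} > {limit.per_window} within {self.window}s"))
        if len(hist) >= self.min_history:
            baseline = median(h.amount for h in hist)
            if w.amount > self.spike_factor * baseline:
                alerts.append(Alert("spike", w,
                                    f"{w.amount} > {self.spike_factor}x recent median {baseline}"))
        if any(a.rule in ("per_tx_cap", "window_cap") for a in alerts):
            self.paused = True  # withdrawals should stop until a human reviews the alert
        hist.append(w)
        return alerts


# Constructed limits and events (assumptions, not Ronin's real parameters or traffic).
LIMITS = {"ETH": Limit(per_tx=2_000, per_window=10_000),
          "USDC": Limit(per_tx=2_000_000, per_window=10_000_000)}

T0 = 1_647_993_600  # 2022-03-23 00:00:00 UTC
EVENTS = [
    Withdrawal(T0 + 1 * 3600, "ETH", "0xuser-1", 12.0),
    Withdrawal(T0 + 1 * 3600 + 60, "USDC", "0xuser-2", 5_000.0),
    Withdrawal(T0 + 2 * 3600, "ETH", "0xuser-3", 40.0),
    Withdrawal(T0 + 2 * 3600 + 60, "USDC", "0xuser-4", 12_000.0),
    Withdrawal(T0 + 3 * 3600, "ETH", "0xuser-5", 75.0),
    Withdrawal(T0 + 3 * 3600 + 60, "USDC", "0xuser-6", 8_000.0),
    Withdrawal(T0 + 4 * 3600, "ETH", "0xuser-7", 18.0),
    Withdrawal(T0 + 4 * 3600 + 60, "USDC", "0xuser-8", 20_000.0),
    Withdrawal(T0 + 5 * 3600, "ETH", "0xuser-9", 60.0),
    Withdrawal(T0 + 5 * 3600 + 60, "USDC", "0xuser-10", 15_000.0),
    Withdrawal(T0 + 6 * 3600, "ETH", "0xunknown-1", 173_600.0),
    Withdrawal(T0 + 6 * 3600 + 60, "USDC", "0xunknown-1", 25_500_000.0),
]


def run(events: List[Withdrawal] = EVENTS,
        limits: Dict[str, Limit] = LIMITS) -> Tuple[List[Alert], bool]:
    """Replay events in time order; return all alerts and the final pause state."""
    monitor = BridgeMonitor(limits)
    alerts: List[Alert] = []
    for w in sorted(events, key=lambda e: e.ts):
        alerts.extend(monitor.observe(w))
    return alerts, monitor.paused


if __name__ == "__main__":
    found, paused = run()
    for a in found:
        print(f"[{a.rule}] {a.withdrawal.token} -> {a.withdrawal.to}: {a.detail}")
    print("bridge paused:", paused)
```

The ten routine withdrawals produce no alerts; each of the two large ones trips all three rules, and the pause flag is set on the first of them, which is the behaviour a bridge needs so that the second withdrawal is never honoured. The caller is expected to check the monitor's paused flag before executing a withdrawal; the statistical rule alone is advisory, while either hard cap pauses the bridge.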