On March 23, 2022, an attacker drained roughly 173,600 ETH and 25.5M USDC from the Ronin Bridge in two transactions. Ronin is the sidechain that powers Axie Infinity; at the time it relied on a 5-of-9 validator set to authorize withdrawals from the bridge.
What happened
The attacker obtained five of the nine validator keys controlling the Ronin bridge. Four came from a compromise at Sky Mavis itself; the fifth was an Axie DAO key that Sky Mavis had been granted temporary signing rights over to handle a transaction backlog in late 2021 — and that grant was never revoked.
With five signatures the attacker could mint forged withdrawal proofs and pull funds straight out of the bridge contract. The transactions executed on March 23 but were not discovered until March 29, when a user complained that they could not withdraw 5,000 ETH.
Aftermath
- The U.S. Treasury Department attributed the hack to the Lazarus Group, a unit of North Korea's state-sponsored Reconnaissance General Bureau.
- Sky Mavis raised a $150M round led by Binance to make affected users whole. The bridge was rebuilt with a larger validator set and a withdrawal-limit circuit breaker.
- A portion of the stolen funds was frozen by exchanges and recovered. The majority was laundered through Tornado Cash and cross-chain bridges.
Why it matters
Ronin demonstrated that bridges secured by a small multi-sig are effectively secured by their key-management hygiene, not by cryptography. Several later bridge designs (LayerZero, CCIP, Across) moved towards committee designs with explicit slashing or away from signature-based attestation entirely.
Sources & on-chain evidence
- [01]roninblockchain.substack.comhttps://roninblockchain.substack.com/p/community-alert-ronin-validators
- [02]home.treasury.govhttps://home.treasury.gov/news/press-releases/jy0731
- 0xc28fad5e8d5e0ce6a2eaf67b6687be5d58113e16be590824d6cfa1a94467d0b7
- 0xed2c72ef1a552ddaec6dd1f5cddf0b59a8f37f82bdda5257d9c7c37db7bb9b08