Ronin Bridge (2022)

The largest crypto theft in history at the time, $625M, from the Axie Infinity bridge between Ethereum and the Ronin sidechain. Attributed by US authorities to the Lazarus Group (North Korea). Notable because the attack was not a smart-contract bug — it was a multisig key compromise enabled by a single attacker compromising five of nine validator nodes.

Timeline

  • November 2021: Sky Mavis temporarily expanded their validators' allowlist to help Axie DAO process a backlog of transactions during peak demand. This change was never reverted.
  • March 23, 2022: Attacker drained 173,600 ETH and 25.5M USDC ($625M) via two withdrawal transactions.
  • March 29, 2022: Sky Mavis publicly disclosed the breach (six days after).
  • April 14, 2022: US Treasury attributed the attack to Lazarus Group.

Root Cause

The Ronin bridge required 5 of 9 validator signatures to authorize withdrawals. The 9 validators included:

  • 4 operated by Sky Mavis directly.
  • 1 operated by Axie DAO (which Sky Mavis had been allowlisted by months earlier to act on its behalf during a backlog).
  • 4 operated by other parties.

The attacker compromised the 4 Sky Mavis validators via spear-phishing (a fake job offer with malware-laced PDF). They then used the previously-granted Axie DAO allowlist to act as the 5th signer.

5 of 9 was met. Withdrawals authorized. Funds gone.

Exploit Path

Off-chain:

  1. Spear-phishing campaign targeting Sky Mavis employees.
  2. Malicious PDF delivered via fake job interview.
  3. Malware established remote access, then escalated to access the validator nodes.
  4. Private keys for 4 Sky Mavis validators compromised.

On-chain:

  1. With 4 keys compromised, attacker needed 1 more for the 5-of-9 threshold.
  2. The Axie DAO had previously granted Sky Mavis permission to sign on its behalf (a permission set during a 2021 traffic spike and never revoked).
  3. Attacker used the Axie DAO validator to fulfill the 5th signature.
  4. Submitted two withdrawal transactions (one for ETH, one for USDC) signed by the 5 controlled validators.
  5. The bridge's on-chain verification accepted the signatures; funds released to the attacker.

What an Audit Should Have Caught

The smart contract was correct. A traditional code audit would have found nothing.

But a security audit should include the trust assumptions:

  1. Threshold appropriateness. 5-of-9 is a low threshold for a bridge holding $625M. Higher-value bridges have moved to 13-of-19, 14-of-22, or larger.

  2. Centralized validator dominance. 4 of 9 validators operated by one party (Sky Mavis) means a single-party compromise gets within 1 of the threshold. The validator set should be designed so no single party controls enough nodes to be close to the threshold.

  3. The persistent allowlist. The Axie DAO's permission to be signed-for by Sky Mavis was a temporary expedient that became permanent. Audit should have flagged any privileges granted "temporarily" that lack auto-expiry.

  4. No timelock on withdrawals. A $600M withdrawal happened in a single transaction. A bridge with on-chain timelocked withdrawals (e.g., 24 hours for large amounts) would have given Sky Mavis a chance to intervene.

  5. No anomaly detection. Six days passed before Sky Mavis noticed the drain. A bridge holding this much value should have automated monitoring with alerts.

These are operational-security findings, not pure-code findings. The 2022 era of audits often considered them out of scope. The 2026 standard includes them — any audit that omits the operational threat model is incomplete.

Lessons

  1. Multisig is as secure as the multisig's worst-secured key. Spreading keys across multiple devices held by multiple people is not sufficient if all the people are at the same company, on the same network, with similar opsec.

  2. Threshold and party-diversity must scale with value. A $10M bridge can use a 2-of-3 multisig. A $1B bridge needs 10+ diverse validators with no single party controlling more than a few.

  3. "Temporary" permissions become permanent. Any access grant should have an auto-expiry, not rely on someone remembering to revoke.

  4. Timelocked / rate-limited withdrawals are cheap insurance. Even a 1-hour delay on withdrawals above a threshold would have given time for response.

  5. Monitoring is part of security. Off-chain alerting on bridge state changes, with paging when anomalies are detected, is necessary for high-value contracts. Audits should ask: "what is monitored, by whom, with what response time?"

  6. Nation-state attackers are part of the threat model. The Lazarus Group has been linked to crypto thefts totaling billions of dollars. High-value protocols are targets. Phishing and social engineering work — multiple incidents now have similar provenance.

The Ronin incident shifted industry practice toward larger, more diverse validator sets and toward including operational security in audit scope. Bridges built since 2022 are generally better-protected, but the underlying lesson — that off-chain operational security is part of on-chain security — applies far beyond bridges.