Ronin Bridge Hack — March 2022
A North Korean state actor compromised 5 of 9 validator nodes on the Ronin sidechain, draining $625 million in ETH and USDC.
Ronin was an Ethereum-compatible sidechain built by Sky Mavis to support the Axie Infinity game, which had attracted millions of users during 2021. The network used Proof-of-Authority with 9 validators, requiring 5 of 9 signatures to authorise withdrawals from the Ronin Bridge to Ethereum.
Four of those validator keys were held by Sky Mavis. A fifth was operated by the Axie DAO. In November 2021, Sky Mavis had asked the Axie DAO to help process a backlog of user transactions; the DAO granted Sky Mavis permission to sign on its behalf. This permission was never revoked.
The attacker compromised a senior Sky Mavis engineer through a fake job offer delivered via LinkedIn. The malicious PDF used in the interview process gave the attacker control of the engineer's workstation and access to four validator keys. Combined with the lingering Axie DAO delegation, the attacker controlled five of nine signers — the minimum needed to authorise withdrawals.
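The five-of-nine rule sounds like it needs five independent parties, but delegations change who actually controls a key. The following model is an added example, not code from Sky Mavis or the Ronin project: it counts the keys each organisation can sign with (operated plus delegated) and finds the smallest set of organisations whose compromise reaches the threshold. The four-validator Sky Mavis holding, the Axie DAO validator, the `axie_dao -> sky_mavis` delegation and the threshold of 5 come from the write-up; the key identifiers, the placeholder names for the other four operators and the function names are assumptions.

```python
"""
Added example (not from the Ronin/Sky Mavis disclosure): a small model of a
proof-of-authority bridge's withdrawal threshold that accounts for signing
delegations. It answers: how many distinct organisations must be compromised
before withdrawals can be authorised?
"""
from itertools import combinations

THRESHOLD = 5  # signatures the Ronin Bridge required (5 of 9)

# Constructed validator set: key id -> operating organisation. Sky Mavis ran
# four validators and the Axie DAO one; the remaining four operators are not
# named in the write-up, so they carry placeholder names here.
VALIDATORS = {
    "val1": "sky_mavis", "val2": "sky_mavis", "val3": "sky_mavis", "val4": "sky_mavis",
    "val5": "axie_dao",
    "val6": "org_f", "val7": "org_g", "val8": "org_h", "val9": "org_i",
}


def keys_controlled(orgs, validators, delegations):
    """Validator keys a group of organisations can sign with: the keys they
    operate plus any key whose operator delegated signing to one of them."""
    controlled = {k for k, org in validators.items() if org in orgs}
    for k, org in validators.items():
        if delegations.get(org) in orgs:
            controlled.add(k)
    return controlled


def can_authorise(orgs, validators, delegations, threshold=THRESHOLD):
    """True if the organisations together control at least `threshold` keys."""
    return len(keys_controlled(orgs, validators, delegations)) >= threshold


def min_orgs_to_compromise(validators, delegations, threshold=THRESHOLD):
    """Smallest number of distinct organisations whose compromise yields enough
    signatures, with one such set. Exhaustive search; fine at this scale."""
    orgs = sorted(set(validators.values()))
    for n in range(1, len(orgs) + 1):
        for subset in combinations(orgs, n):
            if can_authorise(set(subset), validators, delegations, threshold):
                return n, subset
    return None


def delegation_findings(validators, delegations, threshold=THRESHOLD):
    """Flag every delegation that lets its delegate reach the threshold alone,
    i.e. a delegation that collapses the scheme to a single point of failure."""
    findings = []
    for delegator, delegate in delegations.items():
        without = {k: v for k, v in delegations.items() if k != delegator}
        if (can_authorise({delegate}, validators, delegations, threshold)
                and not can_authorise({delegate}, validators, without, threshold)):
            findings.append(
                f"delegation {delegator}->{delegate} lets {delegate} "
                f"reach {threshold} signatures on its own"
            )
    return findings


if __name__ == "__main__":
    stale = {"axie_dao": "sky_mavis"}   # the delegation that was never revoked
    print(min_orgs_to_compromise(VALIDATORS, stale))   # (1, ('sky_mavis',))
    print(min_orgs_to_compromise(VALIDATORS, {}))      # (2, ('axie_dao', 'sky_mavis'))
    for line in delegation_findings(VALIDATORS, stale):
        print("FINDING:", line)
```

With the stale delegation in place, one organisation suffices; revoking it raises the figure to two, which is still low for a bridge holding this much value. Running `delegation_findings` as part of a periodic review of the signer configuration is the check that would have surfaced the forgotten permission.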
Two transactions on 23 March 2022 transferred 173,600 ETH and 25.5M USDC out of the Ronin Bridge. The theft was not detected for six days, until a user reported being unable to withdraw 5,000 ETH.
Sky Mavis and its investors raised $150 million to reimburse affected users. The bridge resumed operation in June 2022 with stricter validation.
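The six-day detection gap is the second failure worth modelling. Below is an added example, not monitoring code from Sky Mavis or the reopened bridge: a sliding-window outflow monitor over bridge withdrawal events that alerts when the amount withdrawn per asset within the window exceeds a fixed limit. The event record, window length, per-asset limits and destination labels are assumptions, and the event stream is constructed; only the two draining amounts (173,600 ETH and 25.5M USDC) are taken from the write-up.

```python
"""
Added example, not part of the original incident write-up: a minimal
outflow monitor for bridge withdrawals. Large transfers that stand out
against routine user activity trigger an alert immediately rather than
waiting for a user complaint.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Withdrawal:
    ts: int         # unix seconds (constructed)
    asset: str      # e.g. "ETH", "USDC"
    amount: float   # in whole asset units
    to: str         # destination label (placeholder, not a real address)


class OutflowMonitor:
    def __init__(self, window_s, limits):
        self.window_s = window_s
        self.limits = limits                       # asset -> max amount per window
        self.events = {a: deque() for a in limits}
        self.alerts = []

    def observe(self, w):
        """Record a withdrawal and return an alert string if the window limit
        for its asset is now exceeded, else None."""
        if w.asset not in self.limits:
            return None
        q = self.events[w.asset]
        q.append(w)
        # Drop events that have fallen out of the sliding window.
        while q and q[0].ts < w.ts - self.window_s:
            q.popleft()
        total = sum(e.amount for e in q)
        if total > self.limits[w.asset]:
            alert = (f"{w.asset}: {total:,.0f} withdrawn in {self.window_s}s "
                     f"exceeds limit {self.limits[w.asset]:,.0f} (last tx to {w.to})")
            self.alerts.append(alert)
            return alert
        return None


# Constructed event stream: routine small withdrawals, then two large transfers
# sized like the ones in the incident.
SAMPLE = [
    Withdrawal(1_648_000_000, "ETH", 12.5, "dest_a"),
    Withdrawal(1_648_000_300, "USDC", 8_000.0, "dest_b"),
    Withdrawal(1_648_000_900, "ETH", 173_600.0, "dest_c"),
    Withdrawal(1_648_000_960, "USDC", 25_500_000.0, "dest_c"),
]

# Assumed limits: one hour window, 1,000 ETH and 1,000,000 USDC per window.
DEFAULT_LIMITS = {"ETH": 1_000.0, "USDC": 1_000_000.0}


def run(events, window_s=3600, limits=None):
    """Feed events through the monitor and return the alerts raised."""
    mon = OutflowMonitor(window_s, limits or DEFAULT_LIMITS)
    for e in events:
        mon.observe(e)
    return mon.alerts


if __name__ == "__main__":
    for a in run(SAMPLE):
        print("ALERT:", a)
```

A fixed per-window limit is deliberately simple; a production monitor would also compare outflow against the bridge's locked balance and page a human when a withdrawal would move a large fraction of it. The point is that either transfer here trips the rule on the block it lands in, not six days later.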
Timeline
- Axie DAO delegates signing to Sky Mavis (later forgotten)
To process a backlog of user transactions, Axie DAO grants Sky Mavis permission to sign on its behalf. The permission is never revoked.
- Two withdrawal transactions drain the bridge
Attacker submits two transactions transferring 173,600 ETH and 25.5M USDC out of the Ronin Bridge contracts.
- Theft detected when user cannot withdraw
A user reports being unable to withdraw 5,000 ETH. Sky Mavis investigates and discovers that the bridge was drained six days earlier.
- Sky Mavis discloses the hack
Ronin announces the exploit publicly and halts the bridge. The Ronin token RON falls ~25% on the news.
- Sky Mavis closes $150M funding round
Binance leads a $150M raise to reimburse affected users. Investors include Andreessen Horowitz, Animoca Brands and Paradigm.
- US Treasury attributes attack to Lazarus Group
OFAC adds the attacker's wallet to its Specially Designated Nationals list and identifies North Korea's Lazarus Group as the perpetrator.
- Ronin Bridge resumes operation
Bridge reopens after a security overhaul that expands the validator set and introduces additional withdrawal monitoring.
Who was involved
- Lazarus Group (person; role: attacker)
- Ronin Network (network; role: victim; loss: $625.0M)
- Sky Mavis (project; role: victim)
Structural failures identified
Sources
- Treasury sanctions North Korean money launderer, US Department of the Treasury — OFAC attribution to Lazarus Group
- Community Alert: Ronin Validators Compromised, Sky Mavis (Ronin) — Official disclosure of the hack