Cryptocurrency Security

Ronin Network Hack: $625 Million Stolen from Axie Infinity's Blockchain Bridge

North Korean hackers stole $625 million from the Ronin Network bridge powering Axie Infinity, exploiting compromised validator keys in what became the largest DeFi hack in history at the time.

Nayan Dey
Threat Intelligence Analyst
6 min read

On March 29, 2022, the Ronin Network — a blockchain bridge built to support the wildly popular play-to-earn game Axie Infinity — disclosed that 173,600 ETH and 25.5 million USDC (approximately $625 million at the time) had been stolen from the bridge. The theft had actually occurred on March 23 but was not detected until six days later, when a user attempted to withdraw 5,000 ETH and found the bridge did not have sufficient funds.

The FBI later attributed the attack to the Lazarus Group, a hacking operation linked to the North Korean government. It was the largest cryptocurrency theft in history at that point, and it exposed critical weaknesses in blockchain bridge architecture.

How Blockchain Bridges Work (and Break)

A blockchain bridge connects two different blockchains, allowing users to transfer assets between them. The Ronin bridge connected the Ethereum mainnet to the Ronin sidechain, which was built specifically for Axie Infinity to reduce transaction costs.

When a user deposited ETH on the Ethereum side, the bridge locked those funds in a smart contract and minted equivalent tokens on the Ronin side. When they wanted to withdraw, the bridge burned the Ronin-side tokens and released the ETH from the smart contract.

The security of this entire system depended on the validators — a set of nodes that had to approve bridge transactions. Ronin used a proof-of-authority consensus model with nine validators. Any withdrawal from the bridge required signatures from five of the nine validators (a 5-of-9 multisig).

The attacker compromised five validators.

The Attack

Sky Mavis, the company behind Axie Infinity and the Ronin Network, operated four of the nine validator nodes. This was already a centralization concern — a single entity controlling four of nine validators in a system that requires five signatures.

The fifth compromised validator belonged to the Axie DAO (decentralized autonomous organization). In November 2021, Sky Mavis had asked the Axie DAO to help process transactions during a period of high demand. The DAO granted Sky Mavis temporary permission to sign transactions on its behalf. The problem: this permission was never revoked.

So when the attackers compromised Sky Mavis's infrastructure, they gained control of four Sky Mavis validators and could also sign using the Axie DAO validator — giving them the five signatures needed to authorize any withdrawal from the bridge.

The attackers used these five compromised keys to approve two withdrawal transactions:

  • 173,600 ETH
  • 25,500,000 USDC

The total: approximately $625 million.
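To make the authorization failure concrete, here is an added example (not Sky Mavis or Ronin code) that checks a withdrawal two ways: by counting distinct validator keys, as a plain 5-of-9 multisig does, and by also counting the distinct organisations that actually produced the signatures. The threshold and party names come from the article; the key-to-operator mapping, the delegation table, the `operator-c` to `operator-f` placeholders and the `min_operators` policy value are constructed, and the operator check assumes a signing layer (a key-custody service, not the on-chain contract) that records which organisation requested each signature.

```python
"""Added example: a 5-of-9 bridge withdrawal checked by key count and by
independent-operator count.  The key-to-operator mapping and delegation table
are a constructed model of the situation the article describes."""
from dataclasses import dataclass

THRESHOLD = 5  # Ronin required signatures from 5 of 9 validators

# Constructed model of who operates each validator key.  Sky Mavis ran four,
# the Axie DAO ran a fifth; the remaining four are placeholder operators.
VALIDATOR_OPERATOR = {
    "validator-1": "sky-mavis",
    "validator-2": "sky-mavis",
    "validator-3": "sky-mavis",
    "validator-4": "sky-mavis",
    "validator-5": "axie-dao",
    "validator-6": "operator-c",
    "validator-7": "operator-d",
    "validator-8": "operator-e",
    "validator-9": "operator-f",
}

# Delegations: extra parties allowed to sign with a key.  The unrevoked grant
# from the Axie DAO to Sky Mavis is what turns four compromised keys into five.
STALE_DELEGATIONS = {"validator-5": {"sky-mavis"}}


@dataclass(frozen=True)
class Signature:
    validator: str  # validator key the signature verifies under
    signer: str     # organisation whose infrastructure produced it


def valid_signatures(sigs, delegations):
    """Drop signatures from a party not entitled to use that validator key."""
    kept = []
    for s in sigs:
        allowed = {VALIDATOR_OPERATOR[s.validator]}
        allowed |= delegations.get(s.validator, set())
        if s.signer in allowed:
            kept.append(s)
    return kept


def approved_by_keys(sigs, delegations):
    """Plain multisig rule: distinct valid keys >= THRESHOLD."""
    keys = {s.validator for s in valid_signatures(sigs, delegations)}
    return len(keys) >= THRESHOLD


def approved_by_operators(sigs, delegations, min_operators=3):
    """Hardened rule: the key threshold must be met AND the signatures must
    come from at least min_operators independent organisations, so a single
    compromised company cannot reach the threshold by itself."""
    valid = valid_signatures(sigs, delegations)
    keys = {s.validator for s in valid}
    operators = {s.signer for s in valid}
    return len(keys) >= THRESHOLD and len(operators) >= min_operators


# Constructed scenario: every signature produced from Sky Mavis infrastructure,
# including the DAO key used through the stale delegation.
COMPROMISED = [Signature(f"validator-{i}", "sky-mavis") for i in range(1, 6)]

# Constructed scenario: five keys, five different operators.
LEGITIMATE = [
    Signature("validator-1", "sky-mavis"),
    Signature("validator-5", "axie-dao"),
    Signature("validator-6", "operator-c"),
    Signature("validator-7", "operator-d"),
    Signature("validator-8", "operator-e"),
]

if __name__ == "__main__":
    print("compromised, key rule:     ", approved_by_keys(COMPROMISED, STALE_DELEGATIONS))
    print("compromised, operator rule:", approved_by_operators(COMPROMISED, STALE_DELEGATIONS))
    print("compromised, grant revoked:", approved_by_keys(COMPROMISED, {}))
    print("legitimate, operator rule: ", approved_by_operators(LEGITIMATE, {}))
```

The key-count rule passes the compromised set, which is exactly what happened on the bridge; revoking the delegation alone drops it to four valid keys, and the operator-count rule rejects it regardless because only one organisation signed. The operator rule cannot be enforced by the on-chain contract, which sees only keys, so it belongs in the signing and key-custody layer.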

The Six-Day Detection Gap

Perhaps the most alarming aspect of the hack was that it went undetected for six days. The bridge processed two massive unauthorized withdrawals, draining over half a billion dollars, and nobody noticed until a user tried to make a legitimate withdrawal and the funds were not there.

This detection gap reveals several failures:

  • No real-time monitoring of bridge balances. A system holding hundreds of millions of dollars did not have alerts for unusual withdrawals.
  • No anomaly detection on validator signatures. Five validators simultaneously signing a massive withdrawal should have triggered an alert.
  • No daily reconciliation. Comparing bridge balances between the Ethereum and Ronin sides would have immediately revealed the discrepancy.
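The three missing controls above are each a few lines of logic. The following is an added example (not Ronin's monitoring code) that runs them over a constructed event log: a per-withdrawal size alert, a trailing-window outflow alert, and a reconciliation of ETH locked on the Ethereum side against tokens outstanding on the Ronin side. Event records, transaction labels, timestamps and the alert thresholds are all constructed, and amounts are expressed in ETH only for simplicity.

```python
"""Added example: bridge-balance monitoring checks over a constructed log.
All events, amounts and thresholds are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds on a constructed clock
    chain: str     # "ethereum" or "ronin"
    kind: str      # ethereum: deposit/release; ronin: mint/burn
    amount: float  # ETH
    tx: str        # constructed transaction label


# Constructed log: one normal deposit/mint and burn/release pair, then two
# large releases on Ethereum with no matching burns on Ronin.
EVENTS = [
    Event(1_000, "ethereum", "deposit", 300_000, "eth-tx-1"),
    Event(1_010, "ronin", "mint", 300_000, "ronin-tx-1"),
    Event(2_000, "ronin", "burn", 2_000, "ronin-tx-2"),
    Event(2_100, "ethereum", "release", 2_000, "eth-tx-2"),
    Event(5_000, "ethereum", "release", 173_600, "eth-tx-3"),
    Event(5_200, "ethereum", "release", 25_500, "eth-tx-4"),
]


def _releases(events):
    return sorted(
        (e for e in events if e.chain == "ethereum" and e.kind == "release"),
        key=lambda e: e.ts,
    )


def large_withdrawals(events, limit):
    """Check 1: any single Ethereum-side release above a fixed limit."""
    return [e.tx for e in _releases(events) if e.amount > limit]


def rolling_outflow_alerts(events, window, limit):
    """Check 2: total released within the trailing window exceeds a limit.
    This also catches a series of withdrawals that each stay under the
    single-transaction limit."""
    releases = _releases(events)
    alerts = []
    for i, e in enumerate(releases):
        recent = [r for r in releases[: i + 1] if r.ts > e.ts - window]
        if sum(r.amount for r in recent) > limit:
            alerts.append(e.tx)
    return alerts


def reconcile(events):
    """Check 3: ETH locked on Ethereum must equal outstanding supply on Ronin.
    Returns (locked, supply, shortfall).  A positive shortfall means ETH left
    the contract without the corresponding Ronin-side tokens being burned."""
    locked = supply = 0.0
    for e in events:
        if e.chain == "ethereum":
            locked += e.amount if e.kind == "deposit" else -e.amount
        else:
            supply += e.amount if e.kind == "mint" else -e.amount
    return locked, supply, supply - locked


def run_checks(events, single_limit=10_000, window=86_400, window_limit=50_000):
    """Run all three checks and return human-readable alert strings."""
    alerts = []
    for tx in large_withdrawals(events, single_limit):
        alerts.append(f"large withdrawal: {tx}")
    for tx in rolling_outflow_alerts(events, window, window_limit):
        alerts.append(f"trailing-window outflow limit exceeded at {tx}")
    locked, supply, shortfall = reconcile(events)
    if shortfall > 0:
        alerts.append(
            f"reconciliation shortfall {shortfall:.0f} ETH "
            f"(locked {locked:.0f}, ronin supply {supply:.0f})"
        )
    return alerts


if __name__ == "__main__":
    for line in run_checks(EVENTS):
        print(line)
```

On the constructed log the first four events pass cleanly, and each of the two unauthorized releases trips the size check, the window check and the reconciliation, so the discrepancy surfaces at the moment the first release lands rather than days later when a user notices the missing funds.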

North Korean Attribution

The FBI attributed the hack to the Lazarus Group, a North Korean state-sponsored hacking operation that has been responsible for some of the most significant cyber thefts in history, including the $81 million Bangladesh Bank heist in 2016.

North Korea uses cryptocurrency theft to fund its nuclear weapons and ballistic missile programs. The UN has estimated that North Korean cyber operations have generated over $2 billion for the regime. The Ronin hack alone — at $625 million — represented a significant fraction of North Korea's annual GDP.

The stolen funds were laundered through Tornado Cash and other mixing services. In August 2022, the US Treasury sanctioned Tornado Cash, partly because of its use in laundering proceeds from the Ronin hack.

The Bridge Problem

The Ronin hack was not an isolated incident. Blockchain bridges have become the most targeted component of the cryptocurrency ecosystem:

  • Wormhole (February 2022) — $320 million stolen through a signature verification bypass
  • Ronin (March 2022) — $625 million stolen through compromised validator keys
  • Harmony Horizon (June 2022) — $100 million stolen through compromised multisig keys
  • Nomad (August 2022) — $190 million stolen through a smart contract vulnerability

The total losses from bridge hacks in 2022 alone exceeded $1.5 billion. Bridges are high-value targets because they hold large pools of locked assets and because their security models often rely on a small number of validators or keys.

The fundamental problem is that bridges translate trust between two different blockchains. This translation layer introduces complexity, and complexity introduces vulnerabilities. Each bridge must make assumptions about the security of both chains and the integrity of its own validator set.

Lessons

  1. Centralization in "decentralized" systems is a critical risk. A single entity controlling four of nine validators in a multisig defeats the purpose of multisig. True distribution of signing authority is essential.
  2. Temporary permissions become permanent without active revocation. The Axie DAO's temporary grant to Sky Mavis was never revoked, and the attackers exploited this stale permission. Access reviews and automatic permission expiration are not optional.
  3. Monitoring must match the value at risk. A system holding $625 million without real-time balance monitoring and anomaly detection is negligent.
  4. Nation-states are active participants in cryptocurrency theft. The threat model for high-value DeFi systems must include state-sponsored attackers with significant resources and persistence.
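Lesson 2 is the one most directly fixable in code. Here is an added example (not Axie DAO or Sky Mavis code) of a signing delegation that carries a mandatory expiry, with a review sweep that flags grants that are open-ended or past their review window. Party names and the November 2021 / March 2022 timeline come from the article; the exact issue date, the 30-day limits and the record layout are constructed.

```python
"""Added example: time-boxed signing delegations and a stale-grant review.
Dates, durations and the Grant structure are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Grant:
    grantor: str                 # operator that owns the validator key
    grantee: str                 # party allowed to sign on its behalf
    validator: str
    issued: datetime
    expires: Optional[datetime]  # None models an open-ended grant
    revoked: Optional[datetime] = None

    def active(self, now):
        """A grant is usable until it is revoked or expires, whichever is first."""
        if self.revoked is not None and now >= self.revoked:
            return False
        return self.expires is None or now < self.expires


def issue_grant(grantor, grantee, validator, issued, max_days=30):
    """Issue a delegation that cannot outlive max_days (constructed policy)."""
    return Grant(grantor, grantee, validator, issued,
                 expires=issued + timedelta(days=max_days))


def may_sign(grants, signer, validator, owner, now):
    """A signer may use a key if it owns the key or holds an active grant."""
    if signer == owner:
        return True
    return any(
        g.active(now) and g.grantee == signer and g.validator == validator
        for g in grants
    )


def stale_grants(grants, now, review_days=30):
    """Access-review sweep: active grants that have no expiry at all, or
    that have been live longer than review_days without re-approval."""
    return [
        g for g in grants
        if g.active(now)
        and (g.expires is None or now - g.issued > timedelta(days=review_days))
    ]


UTC = timezone.utc
ISSUED = datetime(2021, 11, 1, tzinfo=UTC)   # constructed date in "November 2021"
ATTACK = datetime(2022, 3, 23, tzinfo=UTC)   # date of the unauthorized withdrawals

# The grant as the article describes it: temporary in intent, never revoked.
OPEN_ENDED = Grant("axie-dao", "sky-mavis", "validator-5", ISSUED, expires=None)

# The same grant issued under a 30-day maximum lifetime.
TIME_BOXED = issue_grant("axie-dao", "sky-mavis", "validator-5", ISSUED)

if __name__ == "__main__":
    print("open-ended grant usable in March:", may_sign([OPEN_ENDED], "sky-mavis", "validator-5", "axie-dao", ATTACK))
    print("time-boxed grant usable in March:", may_sign([TIME_BOXED], "sky-mavis", "validator-5", "axie-dao", ATTACK))
    print("stale grants flagged:", [g.grantee for g in stale_grants([OPEN_ENDED, TIME_BOXED], ATTACK)])
```

The open-ended grant is still honoured on the day of the withdrawals, which is the failure the article describes; the time-boxed version expired in December on its own, with no one needing to remember to revoke it, and the review sweep would have flagged the open-ended grant on its first run.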

How Safeguard.sh Helps

Safeguard.sh provides the continuous monitoring and access governance that prevents the kind of permission sprawl and detection failures that enabled the Ronin hack. Our platform tracks access permissions across your systems, flags stale or overly broad access grants, and enforces policies requiring regular access reviews. By monitoring your security posture in real time and alerting on anomalies, Safeguard.sh helps you detect unauthorized activity in minutes rather than days — the difference between a contained incident and a $625 million loss.
