Ronin Network - REKT Post-Mortem
Overview
Approximately $624 million was stolen from the Ronin Network bridge in what became the largest cryptocurrency hack at the time of the incident (March 29, 2022).
What Happened
The Ronin team discovered the breach when a user reported being unable to withdraw 5,000 ETH. The attack had actually occurred six days prior, but went undetected due to insufficient monitoring of critical infrastructure.
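The six-day detection gap is the kind of failure a simple bridge-outflow monitor catches. The following is an added example, not code from the Ronin post-mortem or from Sky Mavis: it flags any single withdrawal, or any 24-hour rolling outflow, that exceeds a fixed fraction of the bridge's balance in that asset. The balances, the "normal" withdrawals and the alert thresholds are constructed for illustration; the two large withdrawals reuse the amounts and transaction hashes the post-mortem lists.

```python
"""Added example (not part of the original post-mortem): a minimal
bridge-outflow monitor. Balances, thresholds and the small withdrawals
are constructed; the two large withdrawals use the figures on the page."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime
    asset: str
    amount: float
    tx: str


# Constructed bridge holdings before the events (assumed, for illustration).
BALANCES = {"ETH": 180_000.0, "USDC": 26_000_000.0}

# Constructed event stream: a few ordinary withdrawals, then the two
# withdrawals described in the post-mortem (amounts and hashes from the page).
EVENTS = [
    Withdrawal(datetime(2022, 3, 20, 9, 0), "ETH", 50.0, "0xnormal-1"),
    Withdrawal(datetime(2022, 3, 21, 14, 30), "USDC", 100_000.0, "0xnormal-2"),
    Withdrawal(datetime(2022, 3, 23, 10, 0), "ETH", 173_600.0,
               "0xc28fad5e8d5e0ce6a2eaf67b6687be5d58113e16be590824d6cfa1a94467d0b7"),
    Withdrawal(datetime(2022, 3, 23, 10, 5), "USDC", 25_500_000.0,
               "0xed2c72ef1a552ddaec6dd1f5cddf0b59a8f37f82bdda5257d9c7c37db7bb9b08"),
]


def monitor_outflows(events, balances, single_pct=0.05,
                     window=timedelta(hours=24), window_pct=0.10):
    """Return (rule, asset, tx) alerts for:
      - single_large_withdrawal: one withdrawal above single_pct of the
        asset balance;
      - window_outflow: cumulative outflow of an asset within `window`
        above window_pct of the asset balance.
    Thresholds are constructed; a production monitor would tune them per asset."""
    alerts = []
    recent_by_asset = {}
    for e in sorted(events, key=lambda w: w.ts):
        balance = balances[e.asset]
        if e.amount > single_pct * balance:
            alerts.append(("single_large_withdrawal", e.asset, e.tx))
        recent = recent_by_asset.setdefault(e.asset, [])
        recent.append(e)
        # keep only withdrawals inside the rolling window
        recent[:] = [w for w in recent if e.ts - w.ts <= window]
        if sum(w.amount for w in recent) > window_pct * balance:
            alerts.append(("window_outflow", e.asset, e.tx))
    return alerts


def flagged_transactions(events=EVENTS, balances=BALANCES):
    """Set of transaction hashes that raised at least one alert."""
    return {tx for _, _, tx in monitor_outflows(events, balances)}


if __name__ == "__main__":
    for alert in monitor_outflows(EVENTS, BALANCES):
        print(alert)
```

With these thresholds the two ordinary withdrawals pass silently and both large withdrawals raise alerts on the same day they occur, rather than six days later when a user noticed a failed withdrawal. The rolling-window rule matters for the case the single-transaction rule misses: many mid-sized withdrawals that together drain the bridge.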
Technical Root Cause
Architecture Vulnerability:
Ronin operated as a Proof of Authority sidechain with nine validators, requiring a consensus of five signatures to approve transactions. Sky Mavis controlled four of these validators, creating a dangerous centralization.
Security Gap:
In November 2021, Sky Mavis and the Axie DAO set up a gas-free RPC node arrangement under which the Axie DAO whitelisted Sky Mavis to sign transactions on the DAO validator's behalf. The arrangement ended the following month, but the whitelist entry was never revoked.
Attack Vector
The attacker:
1. Compromised Sky Mavis validators to obtain four signatures
2. Leveraged the unrevoked Axie DAO whitelist to obtain the critical fifth signature
3. Authorized two withdrawals:
• 173,600 ETH (tx: 0xc28fad5e8d5e0ce6a2eaf67b6687be5d58113e16be590824d6cfa1a94467d0b7)
• 25.5M USDC (tx: 0xed2c72ef1a552ddaec6dd1f5cddf0b59a8f37f82bdda5257d9c7c37db7bb9b08)
4. Converted USDC to ETH and transferred portions to exchanges
Attacker Wallet:
0x098b716b8aaf21512996dc57eb0615e2383e2f96
Financial Impact
• Stolen: ~$624M
• ETH Drained: 173,600 ETH
• USDC Drained: 25.5M USDC
• Partially Laundered: 6,250 ETH transferred to FTX and Crypto.com
Remediation
Sky Mavis increased the validation threshold to eight out of nine validators to approve transactions. This change was implemented nearly 11 hours before the incident was publicly announced.
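The two structural findings above (four of nine keys under one operator plus a stale whitelist delegation, and the later move to an 8-of-9 threshold) can be checked mechanically. The following is an added example, not code from the Ronin post-mortem or from Sky Mavis: it models a validator set with per-validator allowlist delegations, counts how many signatures each operator can effectively produce, and reports whether any single operator can reach the approval threshold alone. Validator names, the partner operators, the intended end date of the DAO arrangement and the attack date (derived from "six days prior" to the March 29 discovery) are assumptions for the model.

```python
"""Added example (not part of the original post-mortem): an audit of a
bridge's multisig approval policy. Validator names, partner operators and
the arrangement's intended end date are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Validator:
    name: str
    operator: str                      # organisation holding the signing key
    # allowlist: other operators permitted to sign on this validator's behalf,
    # mapped to the date the arrangement was supposed to end (None = open-ended)
    delegations: dict = field(default_factory=dict)


# Assumed: attack six days before the March 29, 2022 discovery.
DAY_OF_ATTACK = date(2022, 3, 23)
# Assumed intended end of the gas-free RPC arrangement ("the following month").
DAO_ARRANGEMENT_END = date(2021, 12, 31)

# Constructed validator set modelled on the post-mortem: four keys held by
# Sky Mavis, one by the Axie DAO (which allowlisted Sky Mavis), four others.
VALIDATORS_NOV_2021 = [
    Validator("sm-1", "Sky Mavis"), Validator("sm-2", "Sky Mavis"),
    Validator("sm-3", "Sky Mavis"), Validator("sm-4", "Sky Mavis"),
    Validator("axie-dao", "Axie DAO", {"Sky Mavis": DAO_ARRANGEMENT_END}),
    Validator("ext-1", "Partner A"), Validator("ext-2", "Partner B"),
    Validator("ext-3", "Partner C"), Validator("ext-4", "Partner D"),
]


def effective_control(validators, today):
    """Count the signatures each operator can produce, including allowlist
    delegations. A delegation whose intended end date has passed but that is
    still present is stale: the contract still honours it, so it still counts.
    Returns (Counter of operator -> signatures, list of stale delegations)."""
    control = Counter()
    stale = []
    for v in validators:
        control[v.operator] += 1
        for delegate, intended_end in v.delegations.items():
            control[delegate] += 1
            if intended_end is not None and today > intended_end:
                stale.append((v.name, delegate, intended_end))
    return control, stale


def revoke_expired(validators, today):
    """The hygiene step the post-mortem shows was missing: drop allowlist
    entries whose intended end date has passed."""
    return [
        Validator(v.name, v.operator,
                  {d: end for d, end in v.delegations.items()
                   if end is None or today <= end})
        for v in validators
    ]


def audit(validators, threshold, today):
    """Summarise the policy: can one compromised organisation reach quorum?"""
    control, stale = effective_control(validators, today)
    biggest = max(control.values())
    return {
        "threshold": threshold,
        "max_single_operator": biggest,
        "stale_delegations": len(stale),
        "single_party_quorum": biggest >= threshold,
    }


if __name__ == "__main__":
    cleaned = revoke_expired(VALIDATORS_NOV_2021, DAY_OF_ATTACK)
    print("as deployed, 5-of-9 with stale allowlist:",
          audit(VALIDATORS_NOV_2021, 5, DAY_OF_ATTACK))
    print("allowlist revoked, still 5-of-9:         ",
          audit(cleaned, 5, DAY_OF_ATTACK))
    print("revoked and raised to 8-of-9:            ",
          audit(cleaned, 8, DAY_OF_ATTACK))
```

Run as-is, the first audit reports a single operator with five effective signatures against a threshold of five, i.e. one compromised organisation is enough; revoking the stale delegation alone already breaks that, and the 8-of-9 threshold leaves the largest operator four short of quorum. The useful habit is to run this kind of check whenever validators or allowlists change, and to store an end date with every delegation so expiry is enforced rather than remembered.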
Additional Context (from search)
• Sky Mavis blamed social engineering: a fake LinkedIn job offer with a malicious PDF compromised an engineer's machine.
• FBI attributed the attack to Lazarus Group / APT38 (North Korea).
• Sky Mavis raised $150M led by Binance to reimburse users.