◇ Stage 1 · Briefing
Ronin Bridge
Ronin (Axie Infinity)
Ronin's bridge authorised withdrawals on a 5-of-9 validator signature threshold. Attackers — later attributed to North Korea's Lazarus Group — compromised four Sky Mavis validator keys and obtained a fifth via an Axie DAO gas-free RPC allowlist that was granted during high load and never revoked. With five signatures they forged two withdrawals totalling ~$625M. Nobody noticed for six days. This lab recreates that exact failure: a bare-majority threshold with no cap and no delay.
Date: March 23, 2022
Impact: ~$625M (173,600 ETH + 25.5M USDC)
Duration: Undetected for 6 days
Attack class: Bridge security
Timeline
Nov 2021: Axie DAO allowlists Sky Mavis to sign on its behalf during load — never revoked.
Mar 23: Attacker uses 5 compromised keys to sign two fraudulent withdrawals.
Mar 29: A user's stuck 5k ETH withdrawal surfaces the breach — 6 days later.
Apr 2022: US Treasury links the theft to the Lazarus Group.
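The following Python model is an added example, not the lab's or Ronin's own code: it puts the threshold-only withdrawal check from the briefing beside a version that adds an outflow cap and a delay. The validator ids, the cap, the delay trigger and the delay length are assumed values for illustration, not Ronin parameters.

```python
from dataclasses import dataclass, field

VALIDATORS = frozenset(f"validator-{i}" for i in range(1, 10))  # constructed ids
THRESHOLD = 5                  # 5-of-9, as in the briefing
# Assumed limits for illustration only; not Ronin's real parameters.
DAILY_CAP_ETH = 10_000         # max total outflow in any trailing 24 h
DELAY_TRIGGER_ETH = 1_000      # withdrawals at or above this are timelocked
DELAY_SECONDS = 24 * 3600
DAY = 24 * 3600


def quorum(signers):
    """Count only signatures from known validators, each at most once."""
    return len(set(signers) & VALIDATORS) >= THRESHOLD


def authorize_weak(amount_eth, signers):
    """The policy the briefing describes: threshold only, no cap, no delay."""
    return "release" if quorum(signers) else "reject"


@dataclass
class HardenedBridge:
    released: list = field(default_factory=list)  # (timestamp, amount) pairs

    def authorize(self, amount_eth, signers, requested_at, now):
        if not quorum(signers):
            return "reject"
        # Cap: a valid quorum still cannot drain more than the daily limit.
        recent = sum(a for t, a in self.released if now - t < DAY)
        if recent + amount_eth > DAILY_CAP_ETH:
            return "reject"
        # Delay: large withdrawals wait, giving monitoring time to react.
        if amount_eth >= DELAY_TRIGGER_ETH and now - requested_at < DELAY_SECONDS:
            return "hold"
        self.released.append((now, amount_eth))
        return "release"
```

With five valid signatures the weak check releases any amount at once, while the hardened check bounds what a compromised quorum can move and leaves a window in which a held withdrawal can be noticed.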