Axie Infinity Ronin Bridge Hacked For $545 million – Devs Find Out 6 Days Later

Making secure cross-chain bridges is not easy work, as Axie Infinity’s developers Sky Mavis found out. The leading GameFi protocol runs on the Ronin blockchain, which is optimized for gaming. On March 23rd, the Ethereum side of the Ronin bridge was hacked, for the loss of 173,600 ETH and 25.2 million USDC (~$545 million total at time of exploit, over $620 million when discovered). Miraculously, this cataclysmic exploit went totally unnoticed until 6 days later, on March 29th, when a whale tried to withdraw 5,000 ETH from the bridge and could not.

Presenting my nomination for understatement of the year…

The Hack

The hack hinged on the bridge validation process. As a reminder, smart contracts can’t see across chains. To move assets safely, the contract on Chain A needs a cryptographically provable way to know that the corresponding deposit on Chain B has been made before A releases funds. The Ronin bridge used a proof-of-authority scheme in which the only requirement to move funds was for 5 of the 9 validators to sign the withdrawal message.

This is extremely weak security, especially as rollups come into maturity. 4 out of the 9 validators were controlled by Sky Mavis, the company behind Axie Infinity. The attacker somehow compromised the private keys to these accounts, and the fate of the bridge now rested on one honest signature.

Unfortunately, the Sky Mavis validators had access to another signature. Previously, one of the validators was controlled by Axie DAO. For logistical reasons during a period of high chain throughput, that organization gave Sky Mavis the ability to sign messages on its behalf. Although that temporary arrangement had run its course, the access was never revoked. The attacker compromised this key as well, giving him the needed 5/9 signatures, and the final infinity stone.

In a snap, the Ethereum side of the bridge was drained.
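To make the failure concrete, here is a small model of the 5-of-9 check and of the trust it really provides once key custody is accounted for. This is an added illustration written for this post, not Sky Mavis or Ronin code; the validator ids, the controller labels and the "Other-*" operators are constructed placeholders. The on-chain contract can only count authorized keys; it cannot see that five of them answer to one organization once the DAO key is delegated.

```python
"""
Model of a 5-of-9 proof-of-authority withdrawal check versus the number of
distinct key holders that can actually satisfy it.

Hypothetical model written for this article, not bridge code. Validator ids
and controller labels are constructed placeholders.
"""
from collections import Counter

THRESHOLD = 5  # signatures required, as described for the Ronin bridge

# Constructed validator set: validator id -> entity that actually holds the key.
# v5 is nominally the Axie DAO validator, but its signing access had been
# delegated to Sky Mavis and never revoked.
VALIDATORS_BEFORE_REVOCATION = {
    "v1": "SkyMavis", "v2": "SkyMavis", "v3": "SkyMavis", "v4": "SkyMavis",
    "v5": "SkyMavis",  # delegated AxieDAO key
    "v6": "Other-A", "v7": "Other-B", "v8": "Other-C", "v9": "Other-D",
}

# Same set after the delegation is revoked: the key returns to the DAO.
VALIDATORS_AFTER_REVOCATION = dict(VALIDATORS_BEFORE_REVOCATION, v5="AxieDAO")


def approve_withdrawal(signers, validators, threshold=THRESHOLD):
    """The contract's view: count distinct authorized validator ids that signed.

    Unknown ids are ignored and a repeated id counts once, which is all the
    contract can enforce. It has no notion of who controls each key.
    """
    valid = {s for s in signers if s in validators}
    return len(valid) >= threshold


def min_colluding_parties(validators, threshold=THRESHOLD):
    """Fewest distinct key holders whose validators together reach the threshold.

    This is the real security margin. A value of 1 means a single compromised
    organization (or a single breach of its infrastructure) drains the bridge.
    """
    per_holder = sorted(Counter(validators.values()).values(), reverse=True)
    total = 0
    for parties, count in enumerate(per_holder, start=1):
        total += count
        if total >= threshold:
            return parties
    return None  # threshold not reachable by any coalition


def compromise_by(entity, validators):
    """Validator ids a single compromised entity can produce signatures for."""
    return {v for v, holder in validators.items() if holder == entity}


if __name__ == "__main__":
    for label, vset in (("before revocation", VALIDATORS_BEFORE_REVOCATION),
                        ("after revocation", VALIDATORS_AFTER_REVOCATION)):
        signers = compromise_by("SkyMavis", vset)
        print(f"{label}: Sky Mavis alone signs {len(signers)} of 9 ->",
              "withdrawal APPROVED" if approve_withdrawal(signers, vset)
              else "withdrawal rejected",
              f"(min colluding parties: {min_colluding_parties(vset)})")
```

The point of `min_colluding_parties` is that it is the number an operator should be tracking: the headline "5 of 9" never changed, but the stale delegation silently moved the answer from 2 to 1.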

The Lack

The exploiting transaction happened 6 days ago. No one noticed.

Let’s say that again for effect. Not a single team member noticed that half a billion dollars evaporated, destroying the functionality of a critical piece of infrastructure.

Any serious company would have automated monitoring in place. There are multiple solutions which can do this. CertiK Skynet. OpenZeppelin Defender. Tenderly. These platforms are so easy to use that I could set up an alert on the contract’s balance in 30 seconds. They’re so easy to use I wrote a whole guide on how to monitor smart contracts automatically.
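The check those services perform is not complicated. Below is an added example (written for this post, not code from any of the products named above) of the minimal logic: sample the bridge contract's ETH balance periodically and alert when it falls by more than a chosen percentage and absolute amount between two samples. The balance series and block numbers are constructed for the illustration; a real deployment would fill them from `eth_getBalance` responses, which is why the hex-wei conversion helper is included.

```python
"""
Minimal balance-drain detector for a bridge contract.

Added example for this article, not code from CertiK Skynet, OpenZeppelin
Defender or Tenderly. Sample balances and block numbers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    block: int        # block at which the drop was observed
    before_eth: float
    after_eth: float
    drop_pct: float


def wei_hex_to_eth(hex_wei: str) -> float:
    """Convert a JSON-RPC eth_getBalance result (hex string of wei) to ETH."""
    return int(hex_wei, 16) / 10**18


def detect_drains(snapshots, max_drop_pct=10.0, min_abs_drop_eth=1000.0):
    """Scan (block_number, balance_eth) samples in ascending block order.

    Emit an Alert whenever the balance falls by more than max_drop_pct percent
    AND by at least min_abs_drop_eth between consecutive samples. The two
    thresholds together keep ordinary user withdrawals from paging anyone.
    """
    alerts = []
    prev = None
    for block, balance in snapshots:
        if prev is not None:
            prev_block, prev_balance = prev
            if prev_balance > 0:
                drop = prev_balance - balance
                pct = 100.0 * drop / prev_balance
                if drop >= min_abs_drop_eth and pct > max_drop_pct:
                    alerts.append(Alert(block, prev_balance, balance, round(pct, 2)))
        prev = (block, balance)
    return alerts


# Constructed sample series: bridge balance sampled every few hundred blocks.
# The block numbers are illustrative placeholders, not the real exploit block.
SAMPLE = [
    (14_440_000, 173_900.0),
    (14_440_300, 173_650.0),   # normal user withdrawals: 250 ETH, no alert
    (14_440_600, 173_600.0),
    (14_440_900, 0.0),         # the exploit: the whole balance leaves at once
    (14_441_200, 0.0),
]


if __name__ == "__main__":
    for a in detect_drains(SAMPLE):
        print(f"ALERT at block {a.block}: {a.before_eth:,.0f} ETH -> "
              f"{a.after_eth:,.0f} ETH ({a.drop_pct}% drop)")
```

Run against a balance polled every hour, this flags the drain within an hour of the transaction instead of six days later; the hosted platforms wrap exactly this comparison in a scheduler and a notification channel.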

Even if you don’t want to set up automatic monitoring, maybe you would, I don’t know, look at your contracts once in a while?

This is incredible negligence on the part of the Sky Mavis operations team. Jaw-dropping, staggering incompetence.

The Escape

The attacker is behaving rather erratically by some standards. Rather than the default option of making a sprint for Tornado Cash, the attacker has been distributing Ether to several addresses and cashing them out to CEXs – FTX, Huobi, and Crypto.com. The attack was also funded from Binance, in defiance of the typical Tornado Cash pattern.

This suggests either a hacker that was colossally, monumentally stupid in cashing out via KYC exchange – or a savvy hacker washing funds via the CEX.

If the hacker had access to compromised FTX accounts, or set up arrangements offline to move money through the accounts in exchange for a premium, the KYC link would not lead back to the hacker. Given that the original exploit occurred through a private key compromise, and not on-chain means, there is good circumstantial evidence for this.

Maybe a traditional hacker got lucky and stumbled across some keys. Maybe it was a targeted attack on the Sky Mavis infrastructure. The investigation is ongoing, and the Sky Mavis team, still reeling from the attack, has not posted a further post-mortem.

For now, we can only wait.

And watch the usual stream of “please sir, mi familia” messages pour into the exploiter’s account.

Pour one out for the homie
Obviously scam don’t click, but found it funny

I don’t like making these posts – every hack represents someone’s financial future turned upside down. I hope this is the last one I write, but I doubt it will be.

Written By BowTiedPickle

Anonymous cartoon pickle inspired by BowTiedBull. Degen chemical engineer, moonlighting as a Solidity developer.

Disclosure

This article may contain links to third-party websites or other content for information purposes. BowTiedIsland may receive a commission at no cost to you if you purchase a product after clicking one of these links. The Third-Party Sites are not under the control of BowTiedIsland, and BowTiedIsland is not responsible for the content of any Third-Party Site. All information contained herein is the opinion of the writer and does not constitute financial advice. We aim to act as a neutral third party and aid in your research and analysis.
