This Month in Crypto History: The $625M Ronin Bridge Hack - How Validator Compromise Led to Disaster

On March 23, 2022, the Ronin Network, an Ethereum sidechain developed for Axie Infinity by Sky Mavis, suffered one of the largest hacks in DeFi history. The attackers stole approximately $625 million, comprising 173,600 ETH and 25.5 million USDC.

The breach was discovered only on March 29, 2022, six days after the initial exploit, and even then only because users began reporting that they could not withdraw their funds, which prompted Ronin Network to notice the unauthorized withdrawals.

With the rising popularity of Axie Infinity, Ronin Network was launched in February 2021 as an Ethereum sidechain to provide the fast, low-cost transaction throughput necessary for a play-to-earn (P2E) game to function efficiently.

However, to maximize transaction throughput (TPS), decentralization and trustlessness were deprioritized in favor of a Proof of Authority (PoA) model. Under this model, just 9 validators were responsible for approving transactions, staking their reputation rather than any locked funds. Among these 9 validators, a consensus of 5 was required to approve deposits and withdrawals.

Advanced adversaries now commonly target technical staff directly with social engineering. In this case, a senior engineer at Sky Mavis was lured with a fake job posting via LinkedIn. After passing several interview rounds, the victim opened a malicious file that they believed to be an employment contract.

Eventually, this infected machine was used as a starting point for the attackers to move through Sky Mavis’ infrastructure and compromise 4 of the validator nodes. The 5th validator node was operated by the third-party Axie DAO, but it could also be reached through Sky Mavis’ network because of an outdated access control setting, which gave the attackers the 5 signatures the bridge required.

Sky Mavis initially responded by increasing the number of validator nodes, most recently to 22. However, increasing the number of signatories is not a fundamental solution: a threshold check cannot distinguish a compromised key from an honest one. The better mitigation is a robust security framework that prevents and detects the multitude of flaws that led up to this heist:

  • Enhancing system and workstation security with early detection of suspicious behaviour, zero-trust connections and proactive threat hunting
  • Improving employee security awareness and compliance through training and stricter security policies
  • External assessments and audits including smart contract reviews, penetration tests, security standard compliance and bug bounty programs for identifying security risks
  • On-chain monitoring to detect suspicious transactions such as unauthorized withdrawals
  • Robust processes that ensure security gates/controls are implemented at critical pathways within an organization and its software.
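The following is an added example, not code from the original article or from Sky Mavis. It models the 5-of-9 approval rule described above and the on-chain withdrawal monitoring recommended in the list: a toy bridge rule that accepts any 5 recognised signers (which is why 5 compromised keys look identical to 5 honest ones), and an off-chain monitor that flags oversized single withdrawals and abnormal outflow over a rolling window. Validator names, sample withdrawals and alert limits are constructed assumptions, not Ronin's real parameters or data.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Approval rule from the article: 5 of 9 validators must sign a withdrawal.
THRESHOLD = 5
# Hypothetical validator identifiers (assumption; not the real node names).
VALIDATORS: FrozenSet[str] = frozenset(f"validator-{i}" for i in range(1, 10))


@dataclass(frozen=True)
class Withdrawal:
    tx_id: str
    amount_eth: float
    signers: FrozenSet[str]   # validators whose signature appears on the withdrawal


def threshold_met(w: Withdrawal, validators: FrozenSet[str] = VALIDATORS,
                  threshold: int = THRESHOLD) -> bool:
    """The bridge's approval rule: at least `threshold` distinct recognised
    validators signed. The rule cannot tell an honest signer from a
    compromised one, so 5 stolen keys pass exactly like 5 honest ones."""
    return len(w.signers & validators) >= threshold


@dataclass
class WithdrawalMonitor:
    """Off-chain monitor that reads finalised withdrawals and raises alerts.
    Limits are constructed for this example, not operational values."""
    single_tx_limit_eth: float
    window_limit_eth: float
    window_size: int                       # number of recent withdrawals kept
    recent: deque = field(default_factory=deque)

    def observe(self, w: Withdrawal) -> List[str]:
        alerts: List[str] = []
        if not threshold_met(w):
            # A finalised withdrawal should never fail this; if it does, the
            # bridge contract itself is misbehaving.
            alerts.append(f"{w.tx_id}: INVALID_SIGNATURE_SET "
                          f"({len(w.signers & VALIDATORS)} of {THRESHOLD})")
        if w.amount_eth > self.single_tx_limit_eth:
            alerts.append(f"{w.tx_id}: LARGE_WITHDRAWAL "
                          f"{w.amount_eth:.0f} ETH > {self.single_tx_limit_eth:.0f}")
        # Rolling-window outflow catches a drain split across many transactions.
        self.recent.append(w.amount_eth)
        if len(self.recent) > self.window_size:
            self.recent.popleft()
        outflow = sum(self.recent)
        if outflow > self.window_limit_eth:
            alerts.append(f"{w.tx_id}: WINDOW_OUTFLOW "
                          f"{outflow:.0f} ETH > {self.window_limit_eth:.0f}")
        return alerts


def run_demo() -> List[str]:
    """Feed constructed sample withdrawals through the monitor; return all alerts."""
    monitor = WithdrawalMonitor(single_tx_limit_eth=1_000, window_limit_eth=5_000,
                                window_size=20)
    signers = frozenset(f"validator-{i}" for i in range(1, 6))   # 5 of 9: meets the rule
    # Constructed sample traffic: routine withdrawals, then one abnormal one whose
    # amount is borrowed from the article's 173,600 ETH loss figure for illustration.
    events = [Withdrawal(f"tx-{n}", amount, signers)
              for n, amount in enumerate([12.5, 40.0, 7.25, 300.0, 55.0])]
    events.append(Withdrawal("tx-5", 173_600.0, signers))  # valid signer set, abnormal amount
    all_alerts: List[str] = []
    for w in events:
        all_alerts.extend(monitor.observe(w))
    return all_alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The signature check alone raises nothing for the final withdrawal, because the signer set is exactly what the bridge requires; only the amount-based rules fire. That is the practical lesson of the list above: threshold signatures protect against a minority of bad signers, while detecting a majority compromise needs independent monitoring of what the signers actually approve.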

At GRVT, we recognize that security should never be compromised for speed or convenience. That’s why we are building institutional-grade frameworks and infrastructure to achieve the highest security standards in Web3. By combining self-custody principles with regulatory oversight, we mitigate the usual industry risks—ensuring that security, compliance, and decentralization can coexist in the future of DeFi.
