Audit log

Every state-changing event for Ronin Bridge: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-05-20 22:36:25Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 421,077,020

   sig

   4LrD8KCYEXRE…fuf9Rvogcopyexplorer ↗

   hash

   E15jbtw7dtLM…JQxE4R3Lcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (7995 B) ▸

   {"actor":"system:backfill","investigation_id":"f9972424-1a26-4b10-a745-6db7ce736307","kind":"publish","page_slug":"ronin-bridge","published_at":"2026-05-20T22:36:25.165Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Ronin Bridge","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://www.coindesk.com/tech/2022/03/29/axie-infinitys-ronin-network-suffers-625m-exploit"},{"credibility":3,"name":"","type":"other","url":"https://thedefiant.io/news/blockchains/ronin-returns-to-ethereum-while-tvl-remains-95-below-2022-bridge-hack-level"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://www.halborn.com/blog/post/explained-the-ronin-hack-march-2022"},{"credibility":3,"name":"","type":"other","url":"https://www.theblock.co/post/156038/how-a-fake-job-offer-took-down-the-worlds-most-popular-crypto-game"},{"credibility":3,"name":"","type":"other","url":"https://thehackernews.com/2022/07/hackers-used-fake-job-offer-to-hack-and.html"},{"credibility":3,"name":"","type":"other","url":"https://www.coindesk.com/policy/2022/04/14/us-officials-tie-north-korean-hacker-group-to-axies-ronin-exploit"},{"credibility":3,"name":"","type":"other","url":"https://cyberscoop.com/ronin-bridge-hack-lazarus-group-north-korea-treasury-sanctions/"},{"credibility":3,"name":"","type":"other","url":"https://techcrunch.com/2022/04/15/us-officials-link-north-korean-lazarus-hackers-to-625m-axie-infinity-crypto-theft/"},{"credibility":3,"name":"","type":"other","url":"https://www.coindesk.com/business/2022/04/08/axie-infinity-builder-takes-full-responsibility-for-625m-ronin-hack-exec-says"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://www.chainalysis.com/blog/axie-infinity-ronin-bridge-dprk-hack-seizure/"},{"credibility":3,"name":"","type":"other","url":"https://www.elliptic.co/blog/540-million-stolen-from-the-ronin-defi-bridge"},{"credibility":3,"name":"","type":"other","url":"https://home.treasury.gov/news/press-releases/jy0916"},{"credibility":3,"name":"","type":"other","url":"https://cointelegraph.com/news/law-enforcement-recovers-30-million-from-ronin-bridge-hack-with-the-help-of-chainalysis"},{"credibility":3,"name":"","type":"other","url":"https://www.theblock.co/post/168663/chainalysis-and-us-law-enforcement-recover-30-million-from-north-korea-linked-ronin-exploit"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://techcrunch.com/2022/04/06/axie-infinity-creator-raises-150m-round-to-compensate-victims-of-625m-ronin-hack/"},{"credibility":3,"name":"","type":"other","url":"https://www.coindesk.com/business/2022/04/06/sky-mavis-raises-150m-round-led-by-binance-to-reimburse-ronin-attack-victims"},{"credibility":3,"name":"","type":"other","url":"https://www.halborn.com/blog/post/explained-the-ronin-network-hack-august-2024"},{"credibility":3,"name":"","type":"other","url":"https://therecord.media/hackers-return-12-million-taken-from-ronin-network"},{"credibility":3,"name":"","type":"other","url":"https://blog.roninchain.com/p/the-ronin-bridge-chainlink-ccip-migration"},{"credibility":3,"name":"","type":"other","url":"https://dappradar.com/blog/ronin-increases-security-measures-and-adds-more-validators"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://cyberscoop.com/ronin-bridge-hack-lazarus-group-north-korea-treasury-sanctions/"},{"credibility":3,"name":"","type":"other","url":"https://home.treasury.gov/news/press-releases/jy0916"},{"credibility":3,"name":"","type":"other","url":"https://techcrunch.com/2022/04/15/us-officials-link-north-korean-lazarus-hackers-to-625m-axie-infinity-crypto-theft/"},{"credibility":3,"name":"","type":"other","url":"https://www.chainalysis.com/blog/tornado-cash-ofac-designation-sanctions/"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://thedefiant.io/news/blockchains/ronin-returns-to-ethereum-while-tvl-remains-95-below-2022-bridge-hack-level"},{"credibility":3,"name":"","type":"other","url":"https://www.halborn.com/blog/post/explained-the-ronin-network-hack-august-2024"},{"credibility":3,"name":"","type":"other","url":"https://www.chainalysis.com/blog/axie-infinity-ronin-bridge-dprk-hack-seizure/"},{"credibility":3,"name":"","type":"other","url":"https://cointelegraph.com/news/the-aftermath-of-axie-infinity-s-650m-ronin-bridge-hack"}]}],"sources_used":[],"summary":"Ronin Bridge is the cross-chain bridge that connected the Axie Infinity gaming ecosystem's Ronin sidechain to Ethereum, operated by Sky Mavis. In March 2022 it suffered the largest DeFi hack in history at the time — $625 million in ETH and USDC stolen by North Korea's Lazarus Group via compromised validator private keys obtained through social engineering. A second, smaller exploit occurred in August 2024. The legacy bridge was deprecated in April 2025 and migrated to Chainlink CCIP infrastructure.","timeline":[{"date":"2021-11-01","event":"Axie DAO temporarily delegates validator signing authority to Sky Mavis to handle high transaction volume.","source":""},{"date":"2021-12-01","event":"Axie DAO delegation program expires, but Sky Mavis's signing permissions over the Axie DAO validator are never revoked.","source":""},{"date":"2022-03-23","event":"Attackers use compromised private keys for four Sky Mavis validators plus residual Axie DAO signing access to steal 173,600 ETH and 25.5M USDC ($625M) from the Ronin Bridge. The attack goes undetected.","source":""},{"date":"2022-03-29","event":"Ronin Network publicly discloses the exploit after a user reports an inability to withdraw 5,000 ETH. Bridge operations are halted.","source":""},{"date":"2022-04-06","event":"Sky Mavis announces a $150M fundraising round led by Binance, with a16z, Animoca Brands, Paradigm, and Accel participating, to reimburse hack victims.","source":""},{"date":"2022-04-14","event":"The FBI and U.S. Treasury OFAC officially attribute the attack to North Korea's Lazarus Group and APT38. OFAC sanctions the attacker's Ethereum wallet address (0x098B716B8Aaf21512996dC57EB0615e2383E2f96).","source":""},{"date":"2022-06-28","event":"Ronin Bridge relaunches after security audits by Verichains and CertiK. All affected users are fully reimbursed. Validator set expanded to 11 nodes with plans for 21+.","source":""},{"date":"2022-07-06","event":"Reports reveal the initial attack vector: a fraudulent LinkedIn job offer led a senior Sky Mavis engineer to download a malicious PDF containing spyware.","source":""},{"date":"2022-08-08","event":"OFAC sanctions Tornado Cash, citing over $455M in Ronin Bridge proceeds laundered through the mixer as a primary justification.","source":""},{"date":"2022-09-08","event":"Chainalysis and U.S. law enforcement announce seizure of more than $30M in stolen Ronin funds — the first-ever seizure of DPRK-stolen cryptocurrency. Total recovered reaches approximately $35.8M.","source":""},{"date":"2024-08-06","event":"A second Ronin Bridge exploit occurs: a contract initialization error during a V2 upgrade sets minimumVoteWeight to zero. MEV bots acting as white hats capture approximately $12M (4,000 ETH and USDC). Bridge is halted.","source":""},{"date":"2024-08-14","event":"White hat MEV operators return the $12M in full. Sky Mavis awards a $500,000 bug bounty. Beosin and Verichains complete security audits; bridge reopens.","source":""},{"date":"2024-12-01","event":"Chainlink CCIP goes live on Ronin Network, beginning the migration away from the legacy bridge infrastructure.","source":""},{"date":"2025-04-01","event":"Legacy Ronin Bridge formally deprecated. Full migration of $450M+ in assets across 12 token types to Chainlink CCIP is complete.","source":""}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 1072795e-71eb-4690-be3a-7bc81cbc367bcopy
2. #2reviewby reviewerreviewer

   2026-06-15 19:41:32Z
   Score: 18 → 18 (no score change)
   The Ronin Bridge page is factually solid. All major claims are either confirmed or partially supported, with zero disputed or unverifiable findings. The four partial-support findings involve minor valuation ambiguity ($625M vs $540M methodology), an imprecise technical description of the 2024 upgrade bug, an unverified exact date for the white-hat fund return, and an editorially derived $35.8M recovery total that combines two separate recovery events not explicitly aggregated in primary sources. No link rot was detected among the cited sources reviewed.
   anchoranchored

   chain

   ●mainnet-betaslot 426,699,700

   sig

   31xhYeRr1RFk…LeRoaK8ccopyexplorer ↗

   hash

   4sVDg7Q8aXS4…F1E1W3P6copysha256 → base58

   verifying row…full verify ↗

   canonical bytes (907 B) ▸

   {"actor":"reviewer","decided_at":"2026-06-15T19:41:32.291Z","decision":"review","investigation_id":"f9972424-1a26-4b10-a745-6db7ce736307","new_score":18,"page_slug":"ronin-bridge","prev_score":18,"reason":"The Ronin Bridge page is factually solid. All major claims are either confirmed or partially supported, with zero disputed or unverifiable findings. The four partial-support findings involve minor valuation ambiguity ($625M vs $540M methodology), an imprecise technical description of the 2024 upgrade bug, an unverified exact date for the white-hat fund return, and an editorially derived $35.8M recovery total that combines two separate recovery events not explicitly aggregated in primary sources. No link rot was detected among the cited sources reviewed.","score_delta":0,"sequence_num":2,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 4dcb8555-ebf5-414d-9072-8d7320a53a63copy
3. #3review approveby judgejudge

   2026-06-15 19:41:32Z
   Score: 18 → 52 (+34)
   The reviewer found zero disputed claims across 19 total findings, with four partial-support results attributable to minor methodological differences (the $625M vs $540M valuation reflects ETH price at discovery vs theft date, not a factual error), an imprecise technical description of the 2024 upgrade root cause, and two editorial aggregations not directly sourced in a single document. No link rot, no stale citations, and no unverifiable claims were detected (summary confidence 0.88). Critically, the calibration assessment confirms both major incidents are attribution type 'b' (suffered): the March 2022 Lazarus Group attack was state-sponsored via social engineering and the August 2024 event was a deployment error front-run by white hats who returned all funds in full. The entity's own conduct — voluntary $150M fundraise to reimburse all victims, validator set expansion, security audits by Verichains and CertiK, and proactive migration to Chainlink CCIP by April 2025 — is inconsistent with a CRITICAL band score of 18. The only legitimate penalty factor is the unrevoked Axie DAO validator access-control lapse, which is a genuine governance failure but not fraud. A score of 52 (CAUTIONARY) correctly reflects the fraud-likelihood semantics in the scoring rubric: the entity was the victim of the largest DeFi hack in history, responded responsibly, and has since materially improved its security posture.
   anchoranchored

   chain

   ●mainnet-betaslot 426,699,703

   sig

   5v1q64xWHGQo…W9zXoXjQcopyexplorer ↗

   hash

   8x8Y8ZHLbjYs…NzPNxpiKcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (1775 B) ▸

   {"actor":"judge","decided_at":"2026-06-15T19:41:32.291Z","decision":"review_approve","investigation_id":"f9972424-1a26-4b10-a745-6db7ce736307","new_score":52,"page_slug":"ronin-bridge","prev_score":18,"reason":"The reviewer found zero disputed claims across 19 total findings, with four partial-support results attributable to minor methodological differences (the $625M vs $540M valuation reflects ETH price at discovery vs theft date, not a factual error), an imprecise technical description of the 2024 upgrade root cause, and two editorial aggregations not directly sourced in a single document. No link rot, no stale citations, and no unverifiable claims were detected (summary confidence 0.88). Critically, the calibration assessment confirms both major incidents are attribution type 'b' (suffered): the March 2022 Lazarus Group attack was state-sponsored via social engineering and the August 2024 event was a deployment error front-run by white hats who returned all funds in full. The entity's own conduct — voluntary $150M fundraise to reimburse all victims, validator set expansion, security audits by Verichains and CertiK, and proactive migration to Chainlink CCIP by April 2025 — is inconsistent with a CRITICAL band score of 18. The only legitimate penalty factor is the unrevoked Axie DAO validator access-control lapse, which is a genuine governance failure but not fraud. A score of 52 (CAUTIONARY) correctly reflects the fraud-likelihood semantics in the scoring rubric: the entity was the victim of the largest DeFi hack in history, responded responsibly, and has since materially improved its security posture.","score_delta":34,"sequence_num":3,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 4e4afc59-63f6-46a4-a5f9-41a7312126cacopy