~/defi/bridges $ cat ronin-wormhole-nomad-uroki.md
Ronin, Wormhole, Nomad: Three Mega Bridge Heists and the Lessons They Taught Us
2022-the year of the bridges: three heists, three different attack vectors, totaling one billion dollars. Perfect case study material.
Ronin (~$620 million): keys
The Axie Infinity bridge was validated by 9 validators, with a threshold of 5 signatures. Lazarus obtained 4 Sky Mavis keys plus the key of a “third-party” validator who had delegated their rights to the same team. Five signatures were collected-the funds were withdrawn. Lesson: A key committee is only as independent as its members actually are.
Wormhole (~$320 million): Code
A signature verification bug allowed an attacker to “prove” a nonexistent deposit and mint 120,000 wETH out of thin air. Jump Capital closed the loophole, saving the collateral backing the receipts. Lesson: A single line of cross-chain code holds hundreds of millions; a receipt without a vault is worth nothing.
Nomad (~$190 million): the crowd
An initialization error validated a “proof” consisting of zeros-and the first-ever crowdsourced heist began: hundreds of addresses copied the pioneer’s transaction, changing only the recipient’s address. Lesson: An exploit can be accessible to any passerby-the team’s response time is everything.
The overall takeaway for users remains the same: a bridge is a transit point, not a storage solution; a wrapped asset is a receipt for a treasure chest that gets robbed more often than any other storage solution in the industry.