The Ronin Bridge Hack: $625 Million and the Dangers of Centralization
On March 23, 2022, two transactions left the Ronin Network bridge with 173,600 ETH and 25.5 million USDC missing—worth approximately $625 million at the time. The theft wasn’t discovered for six days, when a user couldn’t complete a 5,000 ETH withdrawal and filed a support request.
The FBI attributed the attack to North Korea’s Lazarus Group. It remains the largest bridge hack on record.
The Setup: Proof of Authority with Nine Validators
Ronin is an Ethereum sidechain built for Axie Infinity, a play-to-earn game that hit 2.7 million daily active users at its peak in 2021. The bridge holding user funds used Proof of Authority consensus: nine validators, five signatures required to authorize a withdrawal.
Four of those nine validators were controlled by the game’s developer. That meant compromising one additional validator—any one—would give an attacker full control of the bridge.
flowchart TD
classDef attack fill:#331a1a,stroke:#d97777,stroke-width:2px,color:#f0c0c0
classDef system fill:#1a3333,stroke:#5ba8a8,stroke-width:2px,color:#c0e8e8
classDef highlight fill:#332519,stroke:#e8a87c,stroke-width:2px,color:#f0d8c0
subgraph SM ["Developer Controlled"]
V1["Validator 1 - developer"]:::attack
V2["Validator 2 - developer"]:::attack
V3["Validator 3 - developer"]:::attack
V4["Validator 4 - developer"]:::attack
end
subgraph TP ["Third-Party Validators"]
V5["Validator 5 - DAO - compromised via allowlist"]:::attack
V6["Validator 6 - External partner"]:::system
V7["Validator 7 - External partner"]:::system
V8["Validator 8 - External partner"]:::system
V9["Validator 9 - External partner"]:::system
end
W["4 developer + 1 DAO = 5/9 = MAJORITY"]:::highlight
V1 --> W
V2 --> W
V3 --> W
V4 --> W
V5 --> W
The Forgotten Permission
In November 2021, Axie Infinity’s traffic surged. To reduce load, the game’s DAO temporarily authorized the developer to sign transactions on its behalf—including transactions from the DAO’s validator node. The intent was to lift this permission once congestion eased.
It was never revoked.
By December 2021, the traffic spike had passed. The allowlist remained active into 2022, sitting quietly in the validator configuration while the bridge held hundreds of millions in user funds.
The Intrusion
According to public reporting citing the developer’s post-mortem, the attack chain began with a fake job offer. An engineer at the developer received an approach through a professional networking site, went through a multi-round recruitment process, and ultimately received a PDF offer letter. The document contained spyware. Once executed, it gave the attackers a foothold inside the developer’s network.
From there, the attackers extracted four validator private keys controlled by the developer. The forgotten DAO allowlist gave them the fifth. They now held a 5-of-9 supermajority and could authorize any bridge transaction unilaterally.
The Theft
On March 23, 2022, the attackers signed two withdrawal transactions:
Transaction 1:
├── Amount: 173,600 ETH
├── Authorized by: 5 compromised validators
└── Destination: Attacker wallet
Transaction 2:
├── Amount: 25,500,000 USDC
├── Authorized by: 5 compromised validators
└── Destination: Attacker wallet
Total: ~$625 million
Execution time: Minutes
Time until discovery: 6 days
The bridge had no rate limiting, no large-withdrawal alerts, and no anomaly detection. Both transactions cleared without triggering anything.
Six Days of Silence
The Ronin bridge continued operating normally in appearance after the theft. No alerts fired. No automated monitoring flagged the depleted reserves. The only signal was a failed user withdrawal on March 29—someone trying to move 5,000 ETH who discovered the bridge couldn’t cover it.
That support ticket started the investigation. The developer disclosed the breach the same day.
The gap between execution and discovery is arguably as damaging as the theft itself. With monitoring in place, the withdrawal rate could have been paused within minutes. Much of the stolen ETH could have been recovered before the attackers had moved it.
Attribution and Laundering
The U.S. Treasury Department and FBI attributed the attack to Lazarus Group, North Korea’s state-sponsored hacking organization, based on wallet activity cross-referenced with known Lazarus addresses and consistency with prior operation patterns.
The attackers attempted to launder funds through Tornado Cash (approximately $28 million), cross-chain bridges, and decentralized exchanges. In September 2022, the U.S. government seized approximately $30 million in stolen assets—the first successful recovery of North Korean-stolen cryptocurrency.
What the Developer Did Afterward
The developer raised $150 million from institutional investors to reimburse affected users. They expanded the validator set from 9 to 11, then later to 21, and imposed limits on how many nodes a single entity could control. They added monitoring and alerting systems to the bridge infrastructure.
The architectural vulnerability—a single organization holding a supermajority of signing keys over a bridge managing hundreds of millions in assets—was understood before the hack. Several researchers had flagged the centralization risk publicly. The fix came after the loss, not before.
The Structural Problem
The Ronin hack wasn’t a smart contract bug. The bridge code was functioning correctly. Five validators signed a withdrawal; the contract honored it. The problem was the definition of “five validators” in practice: four were the same entity, and the fifth had been delegated to that same entity through a permission that no one remembered to expire.
A bridge’s security guarantees are only as strong as the actual independence of its signers. When one organization controls the majority, users are extending trust to that organization—not to the decentralized system they believe they’re using.
This is the straightforward lesson from Ronin: the trust model you advertise must match the trust model you’ve actually built.