The Ronin Bridge Hack: $625 Million and the Dangers of Centralization
On March 23, 2022, two transactions drained 173,600 ETH and 25.5 million USDC from the Ronin Network bridge, worth approximately $625 million at the time. The theft went undiscovered for six days, until a user who could not complete a 5,000 ETH withdrawal filed a support request.
The FBI attributed the attack to North Korea’s Lazarus Group. It remains the largest bridge hack on record.
The Setup: Proof of Authority with Nine Validators
Ronin is an Ethereum sidechain built for Axie Infinity, a play-to-earn game that hit 2.7 million daily active users at its peak in 2021. The bridge holding user funds used Proof of Authority consensus: nine validators, five signatures required to authorize a withdrawal.
Four of those nine validators were controlled by Sky Mavis, Axie’s developer. An attacker holding those four keys needed only one more validator, any one of the remaining five, to reach the signing threshold and gain full control of the bridge.
```mermaid
flowchart TD
classDef attack fill:#331a1a,stroke:#d97777,stroke-width:2px,color:#f0c0c0
classDef system fill:#1a3333,stroke:#5ba8a8,stroke-width:2px,color:#c0e8e8
classDef highlight fill:#332519,stroke:#e8a87c,stroke-width:2px,color:#f0d8c0
subgraph SM ["Sky Mavis Controlled"]
V1["Validator 1 - Sky Mavis"]:::attack
V2["Validator 2 - Sky Mavis"]:::attack
V3["Validator 3 - Sky Mavis"]:::attack
V4["Validator 4 - Sky Mavis"]:::attack
end
subgraph TP ["Third-Party Validators"]
V5["Validator 5 - Axie DAO - compromised via allowlist"]:::attack
V6["Validator 6 - External partner"]:::system
V7["Validator 7 - External partner"]:::system
V8["Validator 8 - External partner"]:::system
V9["Validator 9 - External partner"]:::system
end
W["4 Sky Mavis + 1 Axie DAO = 5/9 = MAJORITY"]:::highlight
V1 --> W
V2 --> W
V3 --> W
V4 --> W
V5 --> W
```
The Forgotten Permission
In November 2021, Axie Infinity’s traffic surged. To reduce load, the Axie DAO temporarily authorized Sky Mavis to sign transactions on its behalf—including transactions from the Axie DAO’s validator node. The intent was to lift this permission once congestion eased.
It was never revoked.
By December 2021, the traffic spike had passed. The allowlist remained active into 2022, sitting quietly in the validator configuration while the bridge held hundreds of millions in user funds.
The Intrusion
According to reporting by the BBC and others citing Sky Mavis’s post-mortem, the attack chain began with a fake job offer. A Sky Mavis engineer was approached through LinkedIn, went through a multi-round recruitment process, and ultimately received a PDF offer letter. The PDF carried spyware; once opened, it gave the attackers a foothold inside Sky Mavis’s network.
From there, the attackers extracted the four validator private keys controlled by Sky Mavis. The forgotten Axie DAO allowlist gave them the fifth. They now met the 5-of-9 signing threshold and could authorize any bridge transaction unilaterally.
The Theft
On March 23, 2022, the attackers signed two withdrawal transactions:
Transaction 1:
├── Amount: 173,600 ETH
├── Authorized by: 5 compromised validators
└── Destination: Attacker wallet
Transaction 2:
├── Amount: 25,500,000 USDC
├── Authorized by: 5 compromised validators
└── Destination: Attacker wallet
Total: ~$625 million
Execution time: Minutes
Time until discovery: 6 days
The bridge had no rate limiting, no large-withdrawal alerts, and no anomaly detection. Both transactions cleared without triggering anything.
Six Days of Silence
The Ronin bridge continued operating normally in appearance after the theft. No alerts fired. No automated monitoring flagged the depleted reserves. The only signal was a failed user withdrawal on March 29—someone trying to move 5,000 ETH who discovered the bridge couldn’t cover it.
That support ticket started the investigation. Sky Mavis disclosed the breach the same day.
The gap between execution and discovery is arguably as damaging as the theft itself. With monitoring in place, withdrawals could have been paused within minutes. Much of the stolen ETH could have been recovered before the attackers had moved it.
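The controls the page says were missing (a large-withdrawal alert, a volume cap, and a reserve-depletion check that pauses the bridge) are easy to model. The following is an added example, not Sky Mavis code or any real bridge's guard: the policy numbers, the reserve balances and the withdrawal stream are constructed to mirror the two transactions described above, and the destination addresses are placeholders.

```python
"""Withdrawal guard for a bridge operator. Added example; all numbers constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Withdrawal:
    ts: int        # unix seconds
    asset: str     # "ETH" or "USDC"
    amount: float
    to: str        # destination address (placeholder strings below)


@dataclass
class Policy:
    large_tx: dict           # per-asset amount at which a single withdrawal raises an alert
    window_seconds: int      # rolling window used for the volume cap
    window_cap: dict         # per-asset volume allowed inside one window before pausing
    reserve_fraction: float  # a single withdrawal above this share of reserves pauses the bridge


class WithdrawalGuard:
    """Evaluates each withdrawal before the bridge releases funds."""

    def __init__(self, policy: Policy, reserves: dict):
        self.policy = policy
        self.reserves = dict(reserves)            # asset -> balance the bridge still holds
        self.recent = defaultdict(deque)          # asset -> deque of (ts, amount) inside the window
        self.paused = False

    def evaluate(self, w: Withdrawal):
        """Return (action, reasons). action is 'allow', 'alert' or 'pause'.

        'alert' means release funds but page an operator; 'pause' means do not release
        and keep refusing until an operator resets the guard.
        """
        if self.paused:
            return "pause", ["bridge already paused"]
        reasons = []
        q = self.recent[w.asset]
        # Drop window entries that are older than the policy window.
        while q and q[0][0] <= w.ts - self.policy.window_seconds:
            q.popleft()
        window_total = sum(a for _, a in q) + w.amount

        if w.amount >= self.policy.large_tx.get(w.asset, float("inf")):
            reasons.append(f"single withdrawal of {w.amount:g} {w.asset} exceeds alert threshold")
        if w.amount > self.policy.reserve_fraction * self.reserves.get(w.asset, 0.0):
            reasons.append(f"withdrawal would take more than "
                           f"{self.policy.reserve_fraction:.0%} of {w.asset} reserves")
            self.paused = True
        if window_total > self.policy.window_cap.get(w.asset, float("inf")):
            reasons.append(f"{window_total:g} {w.asset} in rolling window exceeds cap")
            self.paused = True

        if self.paused:
            return "pause", reasons
        q.append((w.ts, w.amount))
        self.reserves[w.asset] -= w.amount
        return ("alert" if reasons else "allow"), reasons


# Constructed policy and reserves (the page does not state Ronin's actual balances).
DEMO_POLICY = Policy(
    large_tx={"ETH": 1_000, "USDC": 1_000_000},
    window_seconds=3600,
    window_cap={"ETH": 5_000, "USDC": 5_000_000},
    reserve_fraction=0.05,
)
DEMO_RESERVES = {"ETH": 175_000, "USDC": 30_000_000}

# Constructed stream: routine traffic, then the two drains the page describes.
DEMO_STREAM = [
    Withdrawal(0, "ETH", 12, "0xUSER_A"),
    Withdrawal(600, "ETH", 40, "0xUSER_B"),
    Withdrawal(1200, "ETH", 1_500, "0xUSER_C"),
    Withdrawal(1800, "ETH", 173_600, "0xATTACKER"),
    Withdrawal(1900, "USDC", 25_500_000, "0xATTACKER"),
]


def run_demo(stream=DEMO_STREAM):
    """Run the constructed stream through a fresh guard and return one (action, reasons) per withdrawal."""
    guard = WithdrawalGuard(DEMO_POLICY, DEMO_RESERVES)
    return [guard.evaluate(w) for w in stream]


if __name__ == "__main__":
    for w, (action, reasons) in zip(DEMO_STREAM, run_demo()):
        print(f"t={w.ts:>5} {w.amount:>12g} {w.asset:<4} -> {action:<5} {'; '.join(reasons)}")
```

The 1,500 ETH withdrawal is released but paged; the 173,600 ETH one trips both the reserve check and the window cap and pauses the bridge, so the USDC transaction that follows is refused outright. Whatever the specific thresholds, the design point is that the pause decision is made by the bridge itself before funds move, not by a support ticket six days later.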
Attribution and Laundering
The U.S. Treasury Department and FBI attributed the attack to Lazarus Group, North Korea’s state-sponsored hacking organization, based on wallet activity cross-referenced with known Lazarus addresses and consistency with prior operation patterns.
The attackers attempted to launder funds through Tornado Cash (approximately $28 million), cross-chain bridges, and decentralized exchanges. In September 2022, the U.S. government seized approximately $30 million in stolen assets—the first successful recovery of North Korean-stolen cryptocurrency.
What Sky Mavis Did Afterward
Sky Mavis raised $150 million from investors (led by Binance) to reimburse affected users. They expanded the validator set from 9 to 11, then later to 21, and imposed limits on how many nodes a single entity could control. They added monitoring and alerting systems to the bridge infrastructure.
The architectural vulnerability, a single organization controlling a majority of the signing keys over a bridge managing hundreds of millions in assets, was understood before the hack. Several researchers had flagged the centralization risk publicly. The fix came after the loss, not before.
The Structural Problem
The Ronin hack wasn’t a smart contract bug. The bridge code was functioning correctly. Five validators signed a withdrawal; the contract honored it. The problem was the definition of “five validators” in practice: four were the same entity, and the fifth had been delegated to that same entity through a permission that no one remembered to expire.
A bridge’s security guarantees are only as strong as the actual independence of its signers. When one organization controls the majority, users are extending trust to that organization—not to the decentralized system they believe they’re using.
This is the straightforward lesson from Ronin: the trust model you advertise must match the trust model you’ve actually built.
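The mismatch between the advertised trust model (5 of 9 independent signers) and the real one (4 keys plus an unexpired delegation all under one organization) can be checked mechanically from a signer-to-operator map and the delegation list. The following is an added example, not Sky Mavis tooling: the validator and partner names, the delegation record and the dates are constructed to mirror the setup described in this article, and the four external partners are given placeholder names.

```python
"""Who can really meet a multisig threshold? Added example with constructed data."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Validator:
    name: str
    operator: str   # organization that holds this validator's signing key


@dataclass(frozen=True)
class Delegation:
    validator: str               # validator whose signing right was delegated
    delegate: str                # organization allowed to sign on its behalf
    expires: Optional[date]      # None means no expiry was configured (the Ronin case)


def effective_operator(v: Validator, delegations, today: date) -> str:
    """The organization that can actually produce this validator's signature today."""
    for d in delegations:
        if d.validator == v.name and (d.expires is None or d.expires > today):
            return d.delegate
    return v.operator


def signing_power(validators, delegations, today: date) -> Counter:
    """Number of threshold signatures each organization can produce on its own."""
    return Counter(effective_operator(v, delegations, today) for v in validators)


def single_entity_control(validators, threshold: int, delegations, today: date):
    """Return (entity, signatures, meets_threshold) for the most powerful organization."""
    entity, count = signing_power(validators, delegations, today).most_common(1)[0]
    return entity, count, count >= threshold


def delegation_findings(delegations, today: date):
    """Flag delegations that will never lapse on their own, or that have lapsed but are still configured."""
    findings = []
    for d in delegations:
        if d.expires is None:
            findings.append(f"{d.validator} -> {d.delegate}: no expiry configured")
        elif d.expires <= today:
            findings.append(f"{d.validator} -> {d.delegate}: expired {d.expires}, still in config")
    return findings


# Constructed validator set mirroring the page: 4 Sky Mavis, 1 Axie DAO, 4 external partners.
RONIN_VALIDATORS = [
    *[Validator(f"Validator {i}", "Sky Mavis") for i in range(1, 5)],
    Validator("Validator 5", "Axie DAO"),
    *[Validator(f"Validator {i}", f"Partner {i}") for i in range(6, 10)],
]
THRESHOLD = 5

# The November 2021 allowlist as the page describes it: granted, never given an expiry.
RONIN_DELEGATIONS = [Delegation("Validator 5", "Sky Mavis", expires=None)]


def audit(validators=RONIN_VALIDATORS, threshold=THRESHOLD,
          delegations=RONIN_DELEGATIONS, today=date(2022, 3, 23)):
    """Compare the nominal signer count with the effective one and list delegation problems."""
    nominal = signing_power(validators, [], today)
    entity, count, controls = single_entity_control(validators, threshold, delegations, today)
    return {
        "nominal_top": nominal.most_common(1)[0],
        "effective_top": (entity, count),
        "single_entity_meets_threshold": controls,
        "delegation_findings": delegation_findings(delegations, today),
    }


if __name__ == "__main__":
    for k, v in audit().items():
        print(f"{k}: {v}")
```

On the constructed data the nominal view shows Sky Mavis with 4 of 9 and no single entity at the threshold; the effective view shows 5 of 9 and a single entity able to drain the bridge, plus a finding that the delegation has no expiry. Re-running with a delegation that expired in December 2021 drops Sky Mavis back to 4, which is the state the allowlist was meant to return to.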