Recent Ronin Hack Caused by an Error Allowing Anyone to Withdraw Funds Without Signature

  • Ronin suffered from a $10 million attack on August 6 as an MEV bot withdrew the funds.
  • The individual managing the bot returned those assets to the protocol.

Blockchain cybersecurity firm Verichains revealed details about the August 6 attack on the Ronin chain, which caused a loss of about $10 million. Although the attack was carried out by an MEV (maximum extractable value) bot overseen by a white hat hacker who returned the funds, the incident was highly concerning.

The Verichains report described how an update to the Ronin bridge’s contracts introduced a vulnerability that let the bot withdraw the assets. This bridge connects Ethereum to the Ronin blockchain, a gaming-related network home to popular titles like Axie Infinity. The contract update ignored a critical function, allowing anyone to withdraw funds from the bridge without validation.

Every transaction is validated by network participants and processed through a consensus governed by the minimumVoteWeight variable. This variable takes the totalWeight variable as its input. However, during the update, totalWeight was set to zero instead of the value it had in the previous contract. Consequently, the updated contract allowed users to withdraw funds without a signature.

In an X post on August 7, Damian Rusniek, an auditor at Composable Security, wrote, “The signer is 0x27120393D5e50bf6f661Fd269CDDF3fb9e7B849f but this address is not on the bridge operators list. This means that only ONE signature was required and it could be ANY valid signature.” The post reached the same finding as Verichains: “The root cause was that the minimum votes of the operators was 0. Anyone has 0!”
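The failure mode described above can be reproduced in a simplified Python model, added here as an illustration and not taken from Ronin's contracts or the Verichains report. The operator names, weights and the 70% quorum ratio are constructed assumptions; the model shows why a zero totalWeight collapses the quorum to zero and how a fail-closed guard catches it.

```python
from dataclasses import dataclass

# Constructed sample data: five operators with equal vote weight.
OPERATORS = {"op1": 100, "op2": 100, "op3": 100, "op4": 100, "op5": 100}


@dataclass
class BridgeModel:
    operators: dict       # operator id -> vote weight
    num: int = 70         # assumed quorum ratio: 70 / 100
    den: int = 100
    total_weight: int = 0  # stays 0 if the initializer is never called

    def initialize(self):
        # The step the upgrade is modeled as skipping.
        self.total_weight = sum(self.operators.values())

    def minimum_vote_weight(self):
        # ceil(total_weight * num / den); evaluates to 0 when total_weight is 0.
        return (self.total_weight * self.num + self.den - 1) // self.den

    def collected_weight(self, signers):
        # Signers outside the operator list contribute weight 0;
        # duplicate signers are counted once.
        return sum(self.operators.get(s, 0) for s in set(signers))

    def can_withdraw_flawed(self, signers):
        # 0 >= 0 passes, so any signer satisfies an uninitialized quorum.
        return self.collected_weight(signers) >= self.minimum_vote_weight()

    def can_withdraw_hardened(self, signers):
        threshold = self.minimum_vote_weight()
        if self.total_weight == 0 or threshold == 0:
            return False  # fail closed on uninitialized or zero quorum
        return self.collected_weight(signers) >= threshold


def upgraded_without_init():
    return BridgeModel(dict(OPERATORS))


def upgraded_with_init():
    bridge = BridgeModel(dict(OPERATORS))
    bridge.initialize()
    return bridge
```

An invariant check such as `minimum_vote_weight() > 0` run against the post-upgrade state in a fork test or deployment script would flag the skipped initializer before the upgrade goes live.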

Ronin Offered $500,000 of the Exploited Funds to the White Hat Hacker

Through simulations, the MEV bot discovered the flaw and submitted the transaction, leading to the $10 million exploit. Because the white hat hacker returned the funds, Ronin developers were able to find the issue before bad actors took advantage of it. The network allowed the individual to keep $500,000 of the exploited value as a bug bounty reward.

 

Source: https://www.livebitcoinnews.com/recent-ronin-hack-caused-by-an-error-allowing-anyone-to-withdraw-funds-without-signature/