Best Play To Earn Games

PlayToEarn

White Hat Hackers Drained $12M from Ronin Bridge

On August 6th, the Ronin Network experienced a major yet controlled security event. White hat hackers spotted a loophole in the Ronin Bridge and promptly notified the Ronin team. Within 40 minutes of the first on-chain activity, the bridge was paused to prevent further losses.

What Happened to Ronin Bridge?

The white hat hackers withdrew around 4,000 ETH and 2 million USDC, valued at around $12 million. Luckily, this was the maximum withdrawal limit for a single transaction, a safeguard that helped minimize the damage.

9092 news effcd8edadbbd57be5465521e88f6097 White Hat Hackers Drained $12M from Ronin Bridge

Immediate Response

The Ronin team quickly addressed the exploit by pausing the bridge. They shared the event through a series of posts on X, explaining the situation and reassuring the users about the safety of their funds. According to the team, the bridge’s upgrade caused it to misinterpret the required vote threshold for fund withdrawals, which led to the exploit.

The team is now working on a solution and plans to conduct intensive audits. They also mentioned ongoing negotiations with the white hat hackers, who have shown good faith by returning the ETH. USDC funds are expected to be returned later. 

Analysis by Verichains

While waiting for the official post-mortem, some took to X to analyze what happened. Blockchain security firm Verichains provided a detailed analysis. They noted that previous versions of the Ronin Bridge fetched the total weight from the MainchainBridgeManager contract. However, the latest upgrade stored this weight in a new variable, totalOperatorWeight. This variable was initialized in the initializeV3() function, but the upgrade process only called initializeV4(), leaving totalOperatorWeight defaults to zero.

Understanding the Issue

Image

1. What is “Total Weight”?

In the context of blockchain networks, “total weight” refers to the combined voting power of different operators that are needed to approve a transaction. In simpler terms, think of it as the total strength of votes required to validate a transaction. This ensures that no single party can control the network.

The Vulnerability

Image

2. The New Variable _totalOperatorWeight:

In the latest upgrade of Ronin Bridge, a new variable called _totalOperatorWeight was introduced to store the total weight. This variable is crucial because it holds the total voting power required for transaction approval.

3. Initialization:

The variable totalOperatorWeight is supposed to be set up or initialized by a function named initializeV3(). This function calculates and assigns the correct value to totalOperatorWeight.

What Went Wrong?

Image

4. Uninitialized Variable:

During the upgrade process, the function initializeV3() was not called. Instead, only the function initializeV4() was called. Because initializeV3() was skipped, the _totalOperatorWeight variable was never set up properly. In programming terms, this means it was “uninitialized.”

5. Default to Zero:

When a variable in programming is uninitialized, it often defaults to zero. In this case, _totalOperatorWeight was zero. This is a critical issue because it means the system thought no voting power was needed to approve transactions.

Exploiting the Loophole

Image

6. Bypassing the Vote Requirement:

The function computeMinVoteWeight checks the totalOperatorWeight to determine the minimum vote weight required. Since _totalOperatorWeight was zero, the function allowed transactions to proceed without the necessary votes.

7. Attack Execution:

Attackers took advantage of this oversight. They were able to withdraw assets without the usual security checks, because the system wrongly assumed that the minimum required votes had been met (which was zero due to the uninitialized variable).

This misconfig allowed the attackers to take advantage, withdrawing assets without a signature. Verichains highlighted this as a typical operational issue during contract upgrades.

Community and Future Steps

Many users responded with a mix of concern and relief, appreciating the transparency and quick action from Ronin. The returned ETH and expected return of USDC reassured users about the safety of their funds. The Ronin team also announced a 500K bounty for the white hat hackers, rewarding their vigilance.

Looking ahead, the team seeks to overhaul the bridge’s operation, moving away from the current structure. They plan to collaborate with Ronin validators to implement a new solution and will provide updates as they go. A complete post-mortem is scheduled for next week.

Best Ronin Crypto Games | Top NFT Games on Ronin | GAM3S.GG

About Ronin Network

The Ronin Network, built by Sky Mavis, is a sidechain specifically designed for Axie Infinity. It was created to address Ethereum’s scalability issues, offering faster transactions and lower fees. The Ronin Bridge allows for the transfer of assets between the Ronin Network and Ethereum, making it a crucial part of the ecosystem.

Previous Incidents

This isn’t the first time the Ronin Bridge has faced security challenges. In March 2022, it was exploited for 173,600 ETH and 25.5 million USDC, totaling over $600 million. The breach was due to compromised private keys for validator nodes. Hackers managed to gain control over five out of nine validator nodes, including one run by Axie DAO.

In response, Sky Mavis, the team behind Ronin, raised $150 million from investors, including Binance, Animoca Brands, and others, to reimburse affected users. The funds, combined with Sky Mavis’s balance sheet, ensured that users were compensated. 

The recent white hat exploit served as a reminder of the need for robust security measures in Web3. The quick response from Ronin and the integrity of the white hat hackers prevented further damages. 


Posted

in

by

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *