Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/roninnetworkinitializationfailurewhitehack.php}} {{Unattributed Sources}} Ronin Chain Logo/HomepageRonin is an EVM blockchain for building blockchain based games, such as the popular Axie Infinity. The protocol has a history of falling victim to attacks, including the largest attack in the history of the blockchain. On August 6th, there was another much sma..."

2024-09-24T21:09:30Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/roninnetworkinitializationfailurewhitehack.php}} {{Unattributed Sources}} thumb|Ronin Chain Logo/HomepageRonin is an EVM blockchain for building blockchain based games, such as the popular Axie Infinity. The protocol has a history of falling victim to attacks, including the largest attack in the history of the blockchain. On August 6th, there was another much sma..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/roninnetworkinitializationfailurewhitehack.php}}
{{Unattributed Sources}}

[[File:Roninchain.jpg|thumb|Ronin Chain Logo/Homepage]]Ronin is an EVM blockchain for building blockchain based games, such as the popular Axie Infinity. The protocol has a history of falling victim to attacks, including the largest attack in the history of the blockchain. On August 6th, there was another much smaller attack for $12m USD in ETH and USDC. This was due to a variable which was not initialized when the smart contract was upgraded. Luckily, all funds were taken by white hat hackers running automated bots who returned the funds relatively quickly.<ref name="rektnews-14799" /><ref name="shoucccctwitter-14800" /><ref name="etherscan-14801" /><ref name="etherscan-14802" /><ref name="etherscan-14803" /><ref name="quillauditsaitwitter-14804" /><ref name="psycheout86twitter-14805" /><ref name="verichainstwitter-14806" /><ref name="roninnetworktwitter-14807" /><ref name="roninchain-14808" /><ref name="skymavisdocs-14809" /><ref name="pozosaxietwitter-14810" /><ref name="peckshieldalerttwitter-14811" /><ref name="cagyjan1twitter-14812" /><ref name="etherscan-14813" /><ref name="unnamed-15054" /><ref name="unnamed-15055" />

== About Ronin Chain ==
"Ronin is an EVM blockchain crafted for developers building games with player-owned economies."

"Developed by Sky Mavis, the creator of Axie Infinity, Ronin is a blockchain built specifically for games. By supporting EVM-compatible smart contracts and protocols, Ronin enables developers to create feature-rich, high-performance blockchain projects."

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
{| class="wikitable"
|+Key Event Timeline - Ronin Network Initialization Failure White Hack
!Date
!Event
!Description
|-
|August 6th, 2024 3:37:23 AM MDT
|ETH Attack Transaction
|An initial attack transaction occurs which exploits close to 4k ETH.
|-
|August 6th, 2024 4:11:47 AM MDT
|USDC Attack Transaction
|A second attack happens, this time for USDC.
|-
|August 6th, 2024 4:12:00 AM MDT
|Pozos Reports Failure
|Pozos.ron reports a failed transaction withdrawing their WETH from the Ronin Bridge.
|-
|August 6th, 2024 4:20:00 AM MDT
|Chaofan Shou Tweet
|The attack is recognized in a tweet by Chaofan Shou.
|-
|August 6th, 2024 4:31:00 AM MDT
|PeckShield Tweets
|PeckShield tweets about the ETH exploit transaction.
|-
|August 6th, 2024 4:36:00 AM MDT
|Psycheout.ron Tweet
|Psycheout.ron, the COO of Ronin, posts a tweet to confirm the blockchain has been paused while an exploit is under investigation.
|-
|August 6th, 2024 6:51:00 AM MDT
|Ronin Bridge Announcement
|The Ronin Bridge team posts an announcement about the exploit, acknowledging it happened and with additional details on it.
|-
|August 6th, 2024 7:13:00 AM MDT
|Verichain Technical Analysis
|Verichain
|-
|August 6th, 2024 7:58:00 AM MDT
|QuillAudits Security Update
|QuillAudits releases a security update on the new Ronin bridge exploit.
|-
|August 6th, 2024 9:04:23 AM MDT
|Ethereum Returned
|The Ethereum which was taken in the attack is returned.
|}

== Technical Details ==
"At 09:37:23 AM UTC, the Axie Infinity: Ronin Bridge V2 transferred 3,996 ETH to the MEV Bot, which then transferred 4.00 ETH to bebaverbuild for potential MEV extraction.

Following this, at 10:11:47 AM UTC, MEV Frontrunner Yoink swapped 1,998,046 USDC for 796.41 ETH on Uniswap V3, potentially front-running a trade by a MEV bot."

"- Previous versions of Ronin Bridge fetched totalWeight from MainchainBridgeManager contract.
- The latest upgrade stores totalWeight in the contract's storage under the variable _totalOperatorWeight.
- This variable is initialized in the initializeV3() function, but the deployer only called initializeV4 during the upgrade, leaving _totalOperatorWeight uninitialized and defaulting to 0.
- Due to this, the attackers (MEV bots) successfully withdrew 2M USDC and 4000 ETH without signature, as it met the minimumVoteWeight condition (which was 0 due to uninitialized)."

== Total Amount Lost ==
The total amount lost has been estimated at $11,823,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

== Immediate Reactions ==
"For the Axie Infinity community and Ronin Network users, the words "bridge exploit" likely trigger PTSD."

"This time the damage was significantly less [than their previous attack on August 6th], but the psychological impact resonates deeply."

"Earlier today, we were notified by white-hats about a potential exploit on the Ronin bridge. After verifying the reports, the bridge was paused approximately 40 minutes after the first on-chain action was spotted.

The actors withdrew ~4K ETH and 2M USDC, valued at ~$12M, which is the maximum amount of ETH and USDC that can be withdrawn from the bridge for one single transaction withdrawal. The bridge limit serves as a critical safeguard to increase the security of large fund withdrawals, and it effectively prevented further damage in this exploit.

Today’s bridge upgrade, after being deployed through the governance process, introduced an issue leading the bridge to misinterpret the required bridge operators vote threshold to withdraw funds.

We are working on a solution for the root cause. The bridge update will undergo intensive audits, before being voted on by the bridge operators for deployment.

We are currently negotiating with the actors, who appear to be acting as white-hats and have responded in good faith. Regardless of the result of the negotiations, all user funds are safe and any shortfalls will be re-deposited into the bridge when it opens up.

A post-mortem will be shared next week where we will through the technical details and our planned measures to prevent similar occurrences in the future.

Appreciate all your support and patience."

== Ultimate Outcome ==
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

A bounty of $500,000 USD was paid for the discovery.

== Total Amount Recovered ==
The total amount recovered has been estimated at $11,323,000 USD.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="rektnews-14799">[https://rekt.news/roninnetwork-rektII/ Rekt - Ronin Network - Rekt II] (Accessed Aug 7, 2024)</ref>

<ref name="shoucccctwitter-14800">[https://twitter.com/shoucccc/status/1820766899216777495 @shoucccc Twitter] (Accessed Aug 7, 2024)</ref>

<ref name="etherscan-14801">[https://etherscan.io/tx/0xf8f097982bc0f9a8f4279d4132dc91cfe17ab2d4fc70e7f740bc3ed752165601 Ethereum Transaction Hash (Txhash) Details | Etherscan] (Accessed Aug 7, 2024)</ref>

<ref name="etherscan-14802">[https://etherscan.io/tx/0x2619570088683e6cc3a38d93c3d98899e5783864e15525d5f5810c11189ba6cb Ethereum Transaction Hash (Txhash) Details | Etherscan] (Accessed Aug 7, 2024)</ref>

<ref name="etherscan-14803">[https://etherscan.io/tx/0xbce5b8548db486c561948e8a177c8ccaa72810f972cee3909ea50af015a60ad8 Ethereum Transaction Hash (Txhash) Details | Etherscan] (Accessed Aug 7, 2024)</ref>

<ref name="quillauditsaitwitter-14804">[https://twitter.com/quillaudits_ai/status/1820821637081489519 @quillaudits_ai Twitter] (Accessed Aug 7, 2024)</ref>

<ref name="psycheout86twitter-14805">[https://twitter.com/Psycheout86/status/1820771028420739140 @Psycheout86 Twitter] (Accessed Aug 7, 2024)</ref>

<ref name="verichainstwitter-14806">[https://twitter.com/Verichains/status/1820810424159437261 @Verichains Twitter] (Accessed Aug 7, 2024)</ref>

<ref name="roninnetworktwitter-14807">[https://twitter.com/Ronin_Network/status/1820804772917588339 @Ronin_Network Twitter] (Accessed Aug 7, 2024)</ref>

<ref name="roninchain-14808">[https://roninchain.com/ Ronin] (Accessed Aug 7, 2024)</ref>

<ref name="skymavisdocs-14809">[https://docs.skymavis.com/ Developer guides | Mavis Docs] (Accessed Aug 7, 2024)</ref>

<ref name="pozosaxietwitter-14810">[https://twitter.com/PozosAxie/status/1820764941185384566 @PozosAxie Twitter] (Accessed Aug 7, 2024)</ref>

<ref name="peckshieldalerttwitter-14811">[https://twitter.com/PeckShieldAlert/status/1820769744292872240 @PeckShieldAlert Twitter] (Accessed Aug 7, 2024)</ref>

<ref name="cagyjan1twitter-14812">[https://twitter.com/cagyjan1/status/1821150104624959702 @cagyjan1 Twitter] (Accessed Aug 7, 2024)</ref>

<ref name="etherscan-14813">[https://etherscan.io/tx/0x855dd3b1194e3b889f4667b6a0996220e350e034d35d3eab29b4f23bc205767e Ethereum Transaction Hash (Txhash) Details | Etherscan] (Accessed Aug 7, 2024)</ref>

<ref name="unnamed-15054">[https://x.com/mindfrozentime/status/1820949982439932397 x.com] (Accessed Aug 21, 2024)</ref>

<ref name="unnamed-15055">[https://coinpedia.org/news/massive-crypto-heist-3996-eth-and-1-9m-usdc-stolen-and-returned-from-ronin-network/ Massive Crypto Heist: 3,996 ETH and 1.9M USDC Stolen and Returned from Ronin Network] (Accessed Aug 21, 2024)</ref></references>

Ronin Network Initialization Failure White Hack - Revision history