Ronin Network Initialization Failure White Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Ronin is an EVM blockchain for building blockchain-based games, such as the popular Axie Infinity. The protocol has a history of falling victim to attacks, including the largest attack in the history of the blockchain. On August 6th, there was another, much smaller attack for $12m USD in ETH and USDC. The cause was a variable that was not initialized when the smart contract was upgraded. Luckily, all funds were taken by white hat hackers running automated bots, who returned the funds relatively quickly.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]

About Ronin Chain

"Ronin is an EVM blockchain crafted for developers building games with player-owned economies."

"Developed by Sky Mavis, the creator of Axie Infinity, Ronin is a blockchain built specifically for games. By supporting EVM-compatible smart contracts and protocols, Ronin enables developers to create feature-rich, high-performance blockchain projects."

What Happened

Key Event Timeline - Ronin Network Initialization Failure White Hack
| Date | Event | Description |
|---|---|---|
| August 6th, 2024 3:37:23 AM MDT | ETH Attack Transaction | An initial attack transaction occurs which exploits close to 4k ETH. |
| August 6th, 2024 4:11:47 AM MDT | USDC Attack Transaction | A second attack happens, this time for USDC. |
| August 6th, 2024 4:12:00 AM MDT | Pozos Reports Failure | Pozos.ron reports a failed transaction withdrawing their WETH from the Ronin Bridge. |
| August 6th, 2024 4:20:00 AM MDT | Chaofan Shou Tweet | The attack is recognized in a tweet by Chaofan Shou. |
| August 6th, 2024 4:31:00 AM MDT | PeckShield Tweets | PeckShield tweets about the ETH exploit transaction. |
| August 6th, 2024 4:36:00 AM MDT | Psycheout.ron Tweet | Psycheout.ron, the COO of Ronin, posts a tweet to confirm the blockchain has been paused while an exploit is under investigation. |
| August 6th, 2024 6:51:00 AM MDT | Ronin Bridge Announcement | The Ronin Bridge team posts an announcement about the exploit, acknowledging it happened and with additional details on it. |
| August 6th, 2024 7:13:00 AM MDT | Verichain Technical Analysis | Verichain |
| August 6th, 2024 7:58:00 AM MDT | QuillAudits Security Update | QuillAudits releases a security update on the new Ronin bridge exploit. |
| August 6th, 2024 9:04:23 AM MDT | Ethereum Returned | The Ethereum which was taken in the attack is returned. |

Technical Details

"At 09:37:23 AM UTC, the Axie Infinity: Ronin Bridge V2 transferred 3,996 ETH to the MEV Bot, which then transferred 4.00 ETH to bebaverbuild for potential MEV extraction.

Following this, at 10:11:47 AM UTC, MEV Frontrunner Yoink swapped 1,998,046 USDC for 796.41 ETH on Uniswap V3, potentially front-running a trade by a MEV bot."

"- Previous versions of Ronin Bridge fetched totalWeight from MainchainBridgeManager contract.
- The latest upgrade stores totalWeight in the contract's storage under the variable _totalOperatorWeight.
- This variable is initialized in the initializeV3() function, but the deployer only called initializeV4 during the upgrade, leaving _totalOperatorWeight uninitialized and defaulting to 0.
- Due to this, the attackers (MEV bots) successfully withdrew 2M USDC and 4000 ETH without signature, as it met the minimumVoteWeight condition (which was 0 due to uninitialized)."
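
An added example, not code from the Ronin bridge or from the quoted analysis: a simplified Python model of the upgrade described above, showing how skipping initializeV3 leaves the vote threshold at 0 and how two guards (ordered initializers and a fail-closed threshold) reject that state. The 70% threshold, the operator weights, the version counter and the helper names are assumptions.

```python
# Simplified model of the upgrade bug quoted above; not the Ronin bridge source.
# Only _totalOperatorWeight, initializeV3, initializeV4 and minimumVoteWeight come
# from the quoted analysis. All other names and numbers are assumptions.
OPERATORS = {"op1": 100, "op2": 100, "op3": 100}  # constructed sample weights

class Bridge:
    NUM, DENOM = 70, 100  # assumed 70% vote threshold

    def __init__(self, hardened):
        self.hardened = hardened
        self.version = 2                # last initializer already run on the proxy
        self._totalOperatorWeight = 0   # new storage slot: 0 until initializeV3 runs

    def _run_initializer(self, v):
        # Hardened: initializers must run in order, so V4 cannot skip V3.
        if self.hardened and v != self.version + 1:
            raise RuntimeError(f"initializeV{self.version + 1} has not run")
        self.version = v

    def initializeV3(self, operator_weights):
        self._run_initializer(3)
        self._totalOperatorWeight = sum(operator_weights.values())

    def initializeV4(self):
        self._run_initializer(4)

    def minimumVoteWeight(self):
        # Hardened: fail closed on an unset total instead of returning 0.
        if self.hardened and self._totalOperatorWeight == 0:
            raise RuntimeError("total operator weight is zero")
        return self._totalOperatorWeight * self.NUM // self.DENOM

    def can_withdraw(self, signer_weights):
        return sum(signer_weights) >= self.minimumVoteWeight()

def attempt(fn, *args):
    """Return fn(*args), or the revert reason if the model rejects the call."""
    try:
        return fn(*args)
    except RuntimeError as exc:
        return f"revert: {exc}"

def upgrade(hardened, call_v3):
    """Replay the upgrade with or without the initializeV3 step."""
    bridge = Bridge(hardened)
    if call_v3:
        bridge.initializeV3(OPERATORS)
    bridge.initializeV4()
    return bridge
```

The same two conditions also work as a post-upgrade check before a bridge is unpaused: the initializer version is the expected one, and the computed threshold is non-zero.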

Total Amount Lost

The total amount lost has been estimated at $11,823,000 USD.

Immediate Reactions

"For the Axie Infinity community and Ronin Network users, the words "bridge exploit" likely trigger PTSD."

"This time the damage was significantly less [than their previous attack on August 6th], but the psychological impact resonates deeply."

"Earlier today, we were notified by white-hats about a potential exploit on the Ronin bridge. After verifying the reports, the bridge was paused approximately 40 minutes after the first on-chain action was spotted.

The actors withdrew ~4K ETH and 2M USDC, valued at ~$12M, which is the maximum amount of ETH and USDC that can be withdrawn from the bridge for one single transaction withdrawal. The bridge limit serves as a critical safeguard to increase the security of large fund withdrawals, and it effectively prevented further damage in this exploit.

Today’s bridge upgrade, after being deployed through the governance process, introduced an issue leading the bridge to misinterpret the required bridge operators vote threshold to withdraw funds.

We are working on a solution for the root cause. The bridge update will undergo intensive audits, before being voted on by the bridge operators for deployment.

We are currently negotiating with the actors, who appear to be acting as white-hats and have responded in good faith. Regardless of the result of the negotiations, all user funds are safe and any shortfalls will be re-deposited into the bridge when it opens up.

A post-mortem will be shared next week where we will through the technical details and our planned measures to prevent similar occurrences in the future.

Appreciate all your support and patience."

Ultimate Outcome

A bounty of $500,000 USD was paid for the discovery.

Total Amount Recovered

The total amount recovered has been estimated at $11,323,000 USD.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - Ronin Network - Rekt II (Accessed Aug 7, 2024)
  2. @shoucccc Twitter (Accessed Aug 7, 2024)
  3. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Aug 7, 2024)
  4. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Aug 7, 2024)
  5. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Aug 7, 2024)
  6. @quillaudits_ai Twitter (Accessed Aug 7, 2024)
  7. @Psycheout86 Twitter (Accessed Aug 7, 2024)
  8. @Verichains Twitter (Accessed Aug 7, 2024)
  9. @Ronin_Network Twitter (Accessed Aug 7, 2024)
  10. Ronin (Accessed Aug 7, 2024)
  11. Developer guides | Mavis Docs (Accessed Aug 7, 2024)
  12. @PozosAxie Twitter (Accessed Aug 7, 2024)
  13. @PeckShieldAlert Twitter (Accessed Aug 7, 2024)
  14. @cagyjan1 Twitter (Accessed Aug 7, 2024)
  15. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Aug 7, 2024)
  16. x.com (Accessed Aug 21, 2024)
  17. Massive Crypto Heist: 3,996 ETH and 1.9M USDC Stolen and Returned from Ronin Network (Accessed Aug 21, 2024)