- Ronin fell victim to a $10 million attack on August 6 when a MEV bot withdrew the funds.
- The person managing the bot returned these assets to the protocol.
Blockchain cybersecurity firm Verichains revealed details of the Ronin Chain attack on August 6, which caused about $10 million in damage. Although the attack was carried out by a Maximum Extractable Value (MEV) bot supervised by a white hat hacker who returned the funds, the incident was highly concerning.
The Verichains report mentioned that an update to the Ronin Bridge’s contracts caused a vulnerability that allowed the bot to exploit the assets. This bridge connects Ethereum to the Ronin blockchain, a gaming-related network that hosts popular titles such as Axie Infinity. The contract update ignored a critical feature, allowing anyone to withdraw funds from the bridge without validation.
Each transaction is validated by network participants and processed through a consensus enabled by the minimumVoteWeight variable. This variable relies on the totalWeight variable, which acts as an input. However, during the update, the value of totalWeight was set to zero instead of the value set in the previous contract. Consequently, users were able to withdraw funds without a signature because the updated contract allowed it.
In an August 7 X-post, Damian Rusniek, an auditor at Composable Security, mentioned: “The signer is 0x27120393D5e50bf6f661Fd269CDDF3fb9e7B849f, but this address is not on the list of bridge operators. This means that only ONE signature was required and it could be ANY valid signature.” They came to the same conclusion as Verichains: “The root cause was that the minimum operator vote was 0. Everyone has 0!”
Ronin offered the white hat hacker $500,000 of the stolen funds
The MEV bot figured this out through simulations and executed the transaction that led to the $10 million exploit. The white hat hacker who returned these funds made sure that the Ronin developers found the issue before malicious actors took control. The network allowed the individual to keep $500,000 of the exploited value as a bug bounty reward.
