A security breach of the Ronin Community’s blockchain bridge was reported yesterday, after unidentified “white-hat” hackers found and exploited an unpatched weakness in the Ronin bridge, withdrawing 4,000 ETH and approximately $2 million in USDC without authorization, a total loss of around $12 million.
The amount taken was capped by the bridge’s per-transaction withdrawal limit, the safeguard that determines the maximum amount of ETH and USDC that can be withdrawn from the bridge in a single transaction and that prevented a potentially far more catastrophic loss.
The white-hat hackers informed the Ronin Community of the vulnerability in the bridge after demonstrating their attack. Following verification, the bridge’s operation was temporarily halted for 40 minutes.
While a comprehensive post-mortem analysis will be conducted next week, it appears that the root cause of the exploit was a recently implemented bridge upgrade deployed through the standard governance process, which inadvertently introduced a security vulnerability.
The critical flaw caused the bridge to misinterpret the vote threshold required from bridge operators to authorize a withdrawal, allowing withdrawals to be executed without the required operator approvals.
The Ronin Community staff has committed to fixing the root cause and to putting every future change through a thorough audit before it is deployed by bridge operators, so that a similar incident cannot recur.
The bridge will remain paused, under rigorous review, until it is confirmed safe to reopen. Separately, the Ronin Community announced that the current infrastructure would be abandoned in favor of a new solution developed jointly with Ronin validators.
Meanwhile, the white-hats who uncovered the vulnerability stand to earn a $500,000 bounty for their “compelled audit”.
Prior to the incident, Ronin had stated that even if the hack resulted in the theft of customer funds, all assets would remain secure and any losses would be fully reimbursed to users.
It remains unclear whether the researchers exploited the bug before or after alerting Ronin, and whether they demanded a bug bounty payment. Our attempts to contact Ronin by email have so far gone unanswered.
Ronin bridge’s earlier lapses
The Axie Infinity Ronin community suffered a devastating blow when it became entangled in the largest cryptocurrency heist in recent history, resulting in the loss of approximately $625 million worth of digital assets.
The hack was ultimately attributed to a notorious North Korean hacker, who used a classic social engineering tactic to gain unauthorized access to sensitive systems, drawing on their proficiency in infiltrating high-stakes targets.
None of the funds were returned by the hackers; instead, law enforcement authorities recovered a portion in September 2022 and another in February 2023.