New Ronin Bridge hack down to dodgy upgrade, team banks on ‘white hat’ op
The blockchain bridge connecting gaming-focused Ronin Network to Ethereum has been paused after losing over $11 million worth of ETH and USDC to MEV bots.
This incident is the third major hack to affect the Ronin Network team after the loss of over $600 million in March 2022, and the theft of $10 million of a co-founder’s personal funds earlier this year.
Read more: Axie co-founder hacked for $10M two years after $625M Ronin attack
According to smart contract auditing firm Beosin, a recent upgrade introduced a bug in the bridge’s cross-chain verification system.
At around 9:30 UTC, 4,000 ETH (worth approximately $9.8 million) were first extracted from the bridge via one bot’s ‘Mmmm MEV’ function, almost $10,000 of which went to block builder beaverbuild, the rest was sent on to another address.
Half an hour later, around $2 million worth of stablecoins were ‘yoinked’ by another bot and were immediately swapped to ETH, before being forwarded onto a holding account.
Assuming that the outflows are due to the bots’ front-running of malicious transactions, rather than malicious in themselves, the Ronin team has attempted to open communication via input data messaging: “Hey, thanks a lot for white hat saving user funds today. Can we chat over Blockscan chat?”
In an announcement made via X (formerly Twitter), one of Ronin Network’s co-founders informed users that the bridge had been paused “while we investigate a report from whitehats about a potential MEV exploit.”
Highlighting the $850 million still held safely within the bridge, the team appears to be trusting that the bot operators plan to return the funds after having front-ran malicious attacks.
A follow-up statement from the Ronin Network’s X account reiterated that negotiations are ongoing, promising that a fix “will undergo intensive audits, before being voted on by the bridge operators for deployment.”
Crypto security firm BlockSec also highlighted the root cause as an ‘upgrade issue.’ A misconfigured upgrade was similarly behind the nine-figure Nomad Bridge hack, which occurred later in 2022.
Read more: Nomad hacker buys the dip, scooping up $40M of ETH two years later
This most recent incident is far from Ronin Network’s first rodeo.
The bridge was drained in March 2022 for over $600 million worth of Ether and USDC, in what is still one of the largest-ever hacks to hit the decentralized finance (DeFi) sector. Despite this, the loss went unnoticed for almost a week before being discovered.
More recently, another co-founder of Axie Infinity, known as Jihoz, also lost $10 million to a hack in February this year when the private keys of two ‘personal accounts’ were compromised.
Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.