New Ronin Bridge hack down to dodgy upgrade, team banks on ‘white hat’ op

The blockchain bridge connecting gaming-focused Ronin Network to Ethereum has been paused after losing over $11 million worth of ETH and USDC to MEV bots.

This incident is the third major hack to affect the Ronin Network team after the loss of over $600 million in March 2022, and the theft of $10 million of a co-founder’s personal funds earlier this year.

#PeckShieldAlert @Ronin_Network #whitehacked? or Hacked? (w/ ~ $9.33M) pic.twitter.com/wfaY0zhVdI

— PeckShieldAlert (@PeckShieldAlert) August 6, 2024

Read more: Axie co-founder hacked for $10M two years after $625M Ronin attack

According to smart contract auditing firm Beosin, a recent upgrade introduced a bug in the bridge’s cross-chain verification system.

At around 9:30 UTC, 4,000 ETH (worth approximately $9.8 million) were first extracted from the bridge via one bot’s ‘Mmmm MEV’ function, almost $10,000 of which went to block builder beaverbuild, the rest was sent on to another address.

Half an hour later, around $2 million worth of stablecoins were ‘yoinked’ by another bot and were immediately swapped to ETH, before being forwarded onto a holding account.

Assuming that the outflows are due to the bots’ front-running of malicious transactions, rather than malicious in themselves, the Ronin team has attempted to open communication via input data messaging: “Hey, thanks a lot for white hat saving user funds today. Can we chat over Blockscan chat?”

In an announcement made via X (formerly Twitter), one of Ronin Network’s co-founders informed users that the bridge had been paused “while we investigate a report from whitehats about a potential MEV exploit.”

Highlighting the $850 million still held safely within the bridge, the team appears to be trusting that the bot operators plan to return the funds after having front-ran malicious attacks.

A follow-up statement from the Ronin Network’s X account reiterated that negotiations are ongoing, promising that a fix “will undergo intensive audits, before being voted on by the bridge operators for deployment.”

Crypto security firm BlockSec also highlighted the root cause as an ‘upgrade issue.’ A misconfigured upgrade was similarly behind the nine-figure Nomad Bridge hack, which occurred later in 2022.

This has been a tough morning for me. 

Two of my addresses have been compromised.

The attack is limited to my personal accounts, and has nothing to do with validation or operations of the Ronin chain.

Additionally, the leaked keys have nothing to do with Sky Mavis operations.…

— Jihoz.ron 🍚 (@Jihoz_Axie) February 23, 2024

Read more: Nomad hacker buys the dip, scooping up $40M of ETH two years later

This most recent incident is far from Ronin Network’s first rodeo.

The bridge was drained in March 2022 for over $600 million worth of Ether and USDC, in what is still one of the largest-ever hacks to hit the decentralized finance (DeFi) sector. Despite this, the loss went unnoticed for almost a week before being discovered.

More recently, another co-founder of Axie Infinity, known as Jihoz, also lost $10 million to a hack in February this year when the private keys of two ‘personal accounts’ were compromised.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.