Gambling blockchain Ronin Network suffered a security incident yesterday when white hat hackers exploited an undocumented vulnerability on the Ronin bridge to withdraw 4,000 ETH and 2 million USDC, totaling $12 million.
This figure corresponds to the maximum amount of ETH and USDC that can be withdrawn from the bridge via a single transaction, so this critical security measure prevented the theft of potentially astronomical figures.
The white-hat hackers informed the Ronin Network about an exploit on the bridge as they performed their attack demonstration. After verification, the bridge was paused for 40 minutes.
Although a detailed post-mortem will be released next week, Ronin can say that the cause of the exploit was a recent bridge update deployed through the governance process, which introduced a security flaw.
The flaw caused the bridge to misinterpret the required vote threshold of bridge operators needed to authorize fund withdrawals, allowing unauthorized actors to perform damaging actions.
The Ronin Network team is working on resolving the root cause and said the fix will undergo thorough audits before it’s voted on and deployed by the bridge operators to ensure that similar incidents won’t reoccur.
The bridge will remain paused and undergo intensive checks before reopening. At the same time, the Ronin Network announced that the current structure will be abandoned for a new solution developed with Ronin validators.
Meanwhile, the white-hats have fully returned the stolen funds and will receive a generous $500,000 bounty for their “forced audit.”
Ronin had previously announced that even if the hackers did not respond positively and kept the stolen amounts, all user funds would be guaranteed, and any losses would be fully reimbursed.
It is unclear if the “researchers” exploited the bug before or after notifying Ronin about the flaw and if they demanded a bug bounty reward to return the money. BleepingComputer contacted Ronin, but our emails remain unanswered.
Ronin bridge’s previous lapses
Axie Infinity’s Ronin network bridge was previously hacked in March 2022 as part of the largest crypto heist in modern history, resulting in the loss of $625,000,000 worth of cryptocurrency.
It was later revealed that the hack was performed by the notorious North Korean hacker ‘Lazarus Group,’ who used their typical fake job interview social engineering scheme to gain privileged initial access to the target systems.
In that case, no amounts were returned by the hackers, but the law enforcement authorities recovered $30 million in September 2022 and another $5.8 million in February 2023.