How a Simple Mistake Led to a Major Exploit
A recent hack on the Ronin bridge (6th August 2024), resulting in the loss of $10 million, was caused by a simple but critical error in the upgrade deployment script, according to a report from blockchain security firm Verichains. The mistake left the bridge vulnerable, allowing an attacker to withdraw funds without proper authorisation.
What Went Wrong?
The Ronin bridge connects the Ethereum network with Ronin, a blockchain designed for Web3 games like the popular Axie Infinity. To ensure secure transactions, the bridge relies on a voting system where a certain number of validators must approve withdrawals. This process is controlled by a variable called minimumVoteWeight, which sets the minimum number of validator approvals needed.
During a recent upgrade, the developers intended to improve the system by moving a key variable, totalWeight, from an external contract into the bridge’s own storage. This variable is essential for calculating the required minimumVoteWeight. However, the deployment script that applied the upgrade failed to initialise totalWeight, leaving it at its default value of zero.
This oversight meant that the bridge no longer required any validator approvals for withdrawals—essentially, anyone could withdraw funds without providing a signature.
The Exploit
An attacker quickly took advantage of this vulnerability, using a signature from an unauthorised address to initiate a withdrawal. Since the system mistakenly believed that no validator approvals were needed, the transaction was processed.
However, before the attacker could fully exploit the bug, their transaction was front-run by an MEV (Miner Extractable Value) bot known as “Frontrunner Yoink.” This bot intercepted the transaction and managed to drain over $10 million in cryptocurrency from the bridge.
Fortunately, the owner of the bot claimed to be an ethical hacker, or “white hat.” They returned most of the funds to the Ronin team and were rewarded with $500,000 as a bug bounty for their honesty.
A Close Call for Ronin Users
The Ronin team confirmed the issue in an August 6 statement, acknowledging that the upgrade had unintentionally disabled the vote threshold mechanism. This incident serves as a reminder of the risks associated with upgradeable smart contracts, especially in systems as complex and vital as cross-chain bridges.
While the Ronin network avoided a total loss thanks to the ethical actions of the white hat hacker, the hack highlights the importance of thorough testing and careful deployment in blockchain technology.