Explained: The Ronin Network Hack (August 2024)

The Ronin Network is famous for being the victim of the most expensive DeFi hack in history. In 2022, an attacker exploited poor private key security to approve a malicious transaction that stole $624 million from the cross-chain bridge.

In August 2024, Ronin was the victim of another, less expensive hack. Due to a smart contract vulnerability introduced by a contract upgrade, the protocol lost $12 million.

Inside the Attack

The original Ronin hack exploited the protocol’s verification scheme for cross-chain transactions. This new exploit also did so, but in a different way.

When Ronin’s contracts were upgraded, two different initialization functions were defined in the code (v3 and v4). However, only the v4 initialization function was actually called, leaving the other as unexecuted dead code.

The v3 initialization function performed a critical role within the smart contract, setting the value of _totalOperatorWeight, which helped to define the number of votes needed to approve a transaction. By failing to run the code, minimumVoteWeight was initialized to its default value of zero. This effectively disabled all potential defenses against malicious cross-chain transactions.

An MEV bot performed a frontrunning attack against other, manual attempts to exploit the vulnerability. As a result, it was able to steal about 4K ETH and 2M USDC, which was the maximum amount that could be withdrawn in a single transaction.

The operators of the MEV bot elected to return the funds, acting as white hats demonstrating the flaws in the protocol. In return, the Ronin team decided to award a $500K bug bounty to the white hat hackers.

Lessons Learned from the Attack

This new hack of the Ronin Network underscored the importance of performing a smart contract audit before code is deployed to the blockchain. Detection of dead code — which the v3 initialization function effectively was — can be performed by automated tools. In fact, the Solidity compiler automatically prunes unused code to decrease the size of contracts on-chain and improve efficiency.

Post-incident, the Ronin team announced the intention to perform an audit before allowing the bridge to reopen, enabling it to identify and correct any other issues that might be hidden in the code. If the team had elected to perform an audit before launch instead, it could have avoided another embarrassing and expensive security incident.

Comprehensive audits are essential to the security of DeFi projects and other smart contracts. For help with securing your project, reach out to Halborn.