Why are hackers fond of Ronin? The hidden dangers behind three attacks

Author: Grapefruit, ChainCatcher

Editor: Marco, ChainCatcher

As of August 12, the Ronin cross-chain bridge, which was attacked by hackers again, has not reopened to users, and the page remains in maintenance mode.

While community users are eagerly anticipating the launch of another hit product from the Ronin ecosystem, similar to the Web3 farming game Pixels, the Ronin cross-chain bridge was once again attacked by hackers, with stolen assets valued at approximately $12 million.

So far, Ronin has experienced three security incidents. If the $624 million stolen by hackers from the Ronin cross-chain bridge two years ago (in 2022) was an accident, and the theft reported in February this year was confirmed to be a "hacker blunder," then the attack on the Ronin cross-chain bridge on August 6 seems to have been expected.

Back in February, when the Ronin co-founder wallet assets were stolen, community users joked, "Ronin won't be attacked for a third time, will it?" However, less than six months after the last security incident, Ronin was indeed attacked by hackers again.

For a crypto project to repeatedly experience security incidents, the security reputation of the project has been lost for community users.

$12 Million Stolen in the Third Attack Has Been Returned

On the evening of August 6, according to PeckShieldAlert monitoring, the Ronin chain was suspected to have been attacked by hackers again, with approximately 4,000 ETH and 2 million USDC transferred, resulting in a loss of nearly $12 million.

In response to this sudden security incident, Ronin co-founder and COO @Psycheout quickly posted that the Ronin bridge had been suspended and that they were investigating the MEV vulnerability discovered by white-hat hackers (programmers who attack systems from the hacker's perspective to identify security flaws). Currently, the $850 million in funds held by the bridge is safe.

Subsequently, Ronin's official social media stated that earlier that day, white-hat hackers had notified them of a potential vulnerability in the Ronin bridge. After verifying the report and discovering abnormal operations on the chain, they suspended the Ronin bridge about 40 minutes later.

The attackers transferred approximately 4,000 ETH and 2 million USDC, valued at around $12 million, which is also the maximum amount of ETH and USDC that can be withdrawn from the Ronin bridge in a single transaction. The previously set withdrawal limits effectively prevented greater damage from the vulnerability.

Regarding this hacker attack, Ronin stated that an issue was introduced during the governance process of the cross-chain bridge contract upgrade, leading to a misunderstanding of the operator voting threshold required for withdrawing funds.

Ronin claimed that this attack was more like a white-hat hacker incident, and they have been negotiating with them. The white-hat hackers have made a goodwill response, and regardless of the negotiation outcome, all user funds are safe, and any shortfall will be replenished when the bridge reopens.

According to the Beosin security team's analysis of this security incident, the root cause of Ronin's abnormal behavior was that the project team did not properly initialize the operator weights required for cross-chain transaction confirmations during the contract upgrade, allowing anyone's signature to pass cross-chain verification, which hackers exploited.

Ultimately, this security incident for Ronin ended with the "hacker returning the stolen assets valued at $12 million."

In the latest announcement released on August 7, Ronin confirmed that the hacker attack on August 6 was indeed carried out by white-hat hackers, who ultimately returned the approximately 4,000 ETH and 2 million USDC that were transferred away, and stated that they would reward the white-hat hackers with a bounty of $500,000.

Meanwhile, the Ronin bridge will undergo an audit before reopening and will launch new solutions with Ronin validators to change the current operation of the cross-chain bridge.

As of August 12, the Ronin cross-chain bridge has not reopened to users, with $750 million worth of crypto assets locked on the network, and the current price of RON is reported at $1.44.

Although this attack on Ronin was carried out by white-hat hackers, who ultimately returned the stolen funds, seemingly resolving the security crisis perfectly, community users are not convinced.

Community user @Futuresight questioned that according to Ronin's official statement, it was white-hat hackers testing, but white-hat hackers usually inform the project team of vulnerabilities in advance rather than directly stealing their assets.

Crypto KOL @Chen Jian Jason also posted on social media that right after Ronin's "being hacked" negative news was released, the price of RON token actually spiked, taking away those who had opened high-leverage short positions.

This has led community users to suspect whether it is possible that the project team is colluding with the hackers to manipulate the token price.

Celi, who once participated in staking on the Ronin network, told ChainCatcher that even if this time it was the work of white-hat hackers, such behavior has caused significant reputational damage to Ronin, and users' trust in its security has weakened again.

She explained that smart contract upgrades, especially cross-chain bridge upgrades, must undergo thorough checks before going live, and the project team cannot have any complacency, risking such a large amount of funds. Fortunately, Ronin's losses were controlled this time; otherwise, the project's losses would have been greater.

Repeatedly Attacked by Hackers, Ronin's Security Reputation Has Been Lost

In the crypto space, hacker attacks are common, and it is not surprising to incur losses of tens of millions of dollars. According to the latest data released by security auditing firm Beosin, the total loss amount due to hacker attacks in the Web3 ecosystem in July reached $286 million, with cross-chain transaction aggregator LI.FI losing approximately $11.6 million due to contract vulnerabilities.

For Ronin's recent hacker attack, crypto community users seem to have long anticipated it. Back in February, when Ronin was rumored to have been attacked, community users joked, "There won't be a third attack, will there?" Therefore, regarding this security incident, users are more lamenting that Ronin has been attacked three times in a row; in the crypto field, Ronin is the first.

In March 2022, the Ronin network became the focus of the largest-scale hacker attack in the crypto field, with hackers successfully controlling five of the nine validators on the Ronin network and stealing $624 million worth of ETH and USDC, becoming one of the largest DeFi hacker attacks in crypto history and the most severe security incident in the blockchain gaming sector. Even more outrageous, six days after the funds were stolen, and after community reminders, the Ronin official finally noticed the vulnerability.

After this crisis, the Ronin network remained in a prolonged state of decline, with the RON token staying below $1 until February this year when the Web3 farming game Pixel's token PIXEL was launched on Binance, and various benefits were airdropped to Ronin network stakers, which brought renewed attention from the crypto community to the Ronin network.

However, just as the popular project Pixel was clearing away the shadow of Ronin's theft, the Ronin network was once again rumored to have been attacked by hackers.

In February, the Web3 security team Ancilia.nc stated on social media that they had detected approximately $10 million worth of RON being withdrawn from the Ronin bridge and deposited into Tornado in a short period.

Soon, Ronin co-founder Psycheout responded that there were no issues with Ronin or the cross-chain bridge; it was just a whale wallet that had been hacked and mixed through Tornado Cash, and the hacked whale turned out to be Jihoz, co-founder of Axie Infinity and Ronin Network.

Although Jihoz stated that it was only a personal address that had been attacked and was unrelated to Ronin chain's validation or operational activities, it was a case of hacker blunder, it still left an imprint of Ronin's second hacker attack in the minds of community users. Coupled with this incident being due to a vulnerability during the cross-chain bridge upgrade, once again being attacked by hackers, although the crisis was ultimately resolved, users' trust in Ronin has completely eroded, and every mention of Ronin brings to mind the first keyword: easy to hack.

So when the Ronin was attacked for the third time on August 6, users were more lamenting that they were already affected by PTSD from previous thefts, and now they were really attacked again? Having been hacked in the past, now attacked again, will there be another theft next time?

Moreover, some community users raised questions about how a cross-chain bridge could be attacked so frequently; is it a failure of security technology or a failure of the team's technical capabilities?

However, crypto user Lisa holds a different view. She believes that the Ronin bridge was targeted because it locked or held a large amount of user assets, making it a favorite target for hackers. She explained that three of the five largest cryptocurrency hacker attacks in history were related to cross-chain bridges. In addition to the Ronin bridge theft, the BNB bridge was exploited in 2022, stealing approximately $586 million, and the Wormhole bridge also suffered a vulnerability attack in February of the same year, resulting in a loss of $326 million.

As of August 12, the number of Ronin network validator nodes has increased from the initial 9 to 21, and the transfer limit for each transaction on the cross-chain bridge has been restricted. Currently, the number of RON staked on the network has reached 2.08 billion.

The Ronin Chain Game Ecosystem Remains Promising

According to Token Terminal data, Ronin's daily active users recently ranked first among all public chain networks, surpassing Tron and Solana, with daily active users exceeding 2 million. On August 1, the number of daily active wallets on the Ronin chain reached 2.3 million, and the daily transaction volume reached 3.5 million, setting a new historical record.

@Bailey.ron, who previously worked at DeFiance Capital and is now responsible for the Ronin ecosystem, stated that Ronin is one of the few crypto projects dedicated to and achieving true consumer adoption.

In addition to the excellent performance of on-chain user data, several well-known games have launched within the Ronin ecosystem.

In addition to the classic Axie Infinity and Pixels, there are also farm survival game Lumiterra, hero shooting game The Machines Arena, mech shooting game Kaidro, strategy game Wild Forest, role-playing game Runiverse, and card duel chain game Apeiron, among others.

Moreover, more and more game choices are migrating to Ronin, such as Runiverse, which announced its migration to the Ronin network in July, and Kaidro, which was originally based on Immutable, while Pixels also migrated from Polygon.