Ronin Bridge Hack - August 2024 ($12M)
Overview
On August 6, 2024, the Ronin bridge experienced a smart contract exploit several hours after an implementation update. The Ronin Network bridge was paused after the exploit took 3,996 Ethereum (ETH) and 2 million USD Coin (USDC), amounting to nearly $12 million.
The Vulnerability
The root cause of the exploit was a failure to properly initialize the operator weight configuration during the deployment of the latest Ronin Bridge V2 contract. The minimumVoteWeight parameter was set to zero, allowing any signature to pass cross-chain verification.
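The following Python model of the flaw described above is an added example and is not taken from the Ronin contracts. It puts a threshold check that passes when the minimum vote weight is zero beside a fail-closed version and a post-upgrade configuration check. The operator names, weights, function names and the 70% quorum ratio are assumptions made for illustration.

```python
# Simplified model of weighted-signature withdrawal verification.
# Added example, not Ronin contract code; all names and values are constructed.
from dataclasses import dataclass, field


@dataclass
class BridgeConfig:
    # Models storage that was never initialized after an upgrade: empty / zero.
    operator_weights: dict = field(default_factory=dict)
    minimum_vote_weight: int = 0


def signed_weight(cfg, signers):
    # Unknown signers contribute weight 0; duplicate signers count once.
    return sum(cfg.operator_weights.get(s, 0) for s in set(signers))


def verify_weak(cfg, signers):
    # Flawed: with minimum_vote_weight == 0 the comparison becomes 0 >= 0.
    return signed_weight(cfg, signers) >= cfg.minimum_vote_weight


def verify_hardened(cfg, signers):
    # Fail closed when the threshold or operator set was never initialized.
    if cfg.minimum_vote_weight <= 0 or not cfg.operator_weights:
        return False
    return signed_weight(cfg, signers) >= cfg.minimum_vote_weight


def post_upgrade_findings(cfg, numerator=70, denominator=100):
    # Deployment gate to run against the upgraded configuration before unpausing.
    # The 70% quorum ratio is an assumed policy value for this example.
    findings = []
    total = sum(cfg.operator_weights.values())
    if total == 0:
        findings.append("total operator weight is zero")
    if cfg.minimum_vote_weight == 0:
        findings.append("minimum_vote_weight is zero")
    elif cfg.minimum_vote_weight * denominator < total * numerator:
        findings.append("minimum_vote_weight below required quorum")
    return findings


# Constructed sample configurations.
uninitialized = BridgeConfig()
initialized = BridgeConfig({"op1": 100, "op2": 100, "op3": 100}, 210)
```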
The MEV Bot and White Hat Aspect
An MEV bot performed a frontrunning attack against other, manual attempts to exploit the vulnerability. As a result, it was able to steal about 4K ETH and 2M USDC, which was the maximum amount that could be withdrawn in a single transaction. The owner of Frontrunner Yoink returned most of the funds on the same day, and the Ronin team announced that the owner would be allowed to keep $500,000 worth as a bug bounty.
Response and Recovery
At 10:15:23 AM UTC, around 38 minutes after the exploit, the contract was paused, and an investigation began. The hacker succeeded in stealing 4,000 Ethereum tokens from the Ronin bridge contract, while 28,270.65 ETH tokens, worth about $72 million, were left on the contract even after the attack. The hacker was unable to steal these funds due to a daily withdrawal limit, which saved the additional $72 million in tokens from being stolen.