Introduction
On September 8, 2022, Ragnarok Online Invasion (ROI), a cryptocurrency deployed on the Binance Smart Chain (BSC BEP-20), experienced a significant security breach.
This incident, which resulted in the theft of approximately 158 BNB, was attributed to a critical access control vulnerability in the ownership transfer function of the ROI contract.
About ‘Ragnarok Online Invasion’ (ROI)
Ragnarok Online Invasion (ROI) is a digital token designed to represent the emerging GameFi and NFT video game titled “Ragnarok Online.” Operating on the Binance Smart Chain (BSC BEP-20), ROI has gained prominence within the blockchain gaming community.
Vulnerability Analysis & Impact
The breach in question stemmed from a relatively straightforward access control issue. Specifically, the contract lacked essential access controls such as the “OnlyOwner” modifier or “onlyAdmin” restrictions to safeguard against malicious actors accessing the transferOwnership function. A portion of the vulnerable code is presented below:
Attack Details
Token Contract: 0xE48b75dc1b131fd3A8364b0580f76eFD04cF6e9c
Hacker Address: 0x91b7F203ED71C5eCCF83b40563e409D2F3531114
Transaction Hash:
0x0e14cb7eabeeb2a819c52f313c986a877c1fa19824e899d1b91875c11ba053b0
0x1c0be5ed5f6b22a0073d4013a15fef38b18786e9acfd5ac1c22bc77bbc13de2a
The attacker initiated the breach by invoking the OwnershipTransferred function, effortlessly transferring ownership of the contract to the address “0x158af3d23d96e3104bcc65b76d1a6f53d0f74ed0.”
![Ragnarok Online Invasion Exploit 2](https://www.immunebytes.com/blog/wp-content/uploads/2023/09/Ragnarok-Online-Invasion-Exploit-2.png)
Subsequently,
- The attacker executed a sequence of transactions
- Exchanged ROI tokens for BUSD tokens
- Converted BUSD tokens into BNB tokens
![Ragnarok Online Invasion Exploit 3](https://www.immunebytes.com/blog/wp-content/uploads/2023/09/Ragnarok-Online-Invasion-Exploit-3-1024x424.png)
Finally, the attacker successfully invoked the withdrawal function, resulting in the withdrawal of approximately 162.5 BNB, equivalent to approximately $47,384.
![Ragnarok Online Invasion Exploit 4](https://www.immunebytes.com/blog/wp-content/uploads/2023/09/Ragnarok-Online-Invasion-Exploit-4.png)
Hacker’s Wallet for Transferring Stolen Funds
https://www.bscscan.com/address/0x91b7f203ed71c5eccf83b40563e409d2f3531114
Compromised ROI token contract
https://bscscan.com/address/0xe48b75dc1b131fd3a8364b0580f76efd04cf6e9c
The Aftermath of the Exploit
Following the security breach, the ROI token’s value plummeted by nearly 99%.
Prevention Measures
This security incident underscores the importance of implementing robust access control mechanisms. Although the project did incorporate an “onlyOwner” modifier within the contract, it was not effectively applied to the transferOwnership function, ultimately enabling this attack to take place.
The addition of the “onlyOwner” modifier to the transferOwnership function could have effectively mitigated this breach.
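A minimal before/after sketch of that fix, added here as an illustration. It is not the ROI contract's source; the contract names OwnableUnprotected and OwnableProtected, the revert messages and the zero-address check are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; NOT the ROI token's source. Contract names are hypothetical.

// Before: the onlyOwner modifier is declared, but transferOwnership does not use it.
contract OwnableUnprotected {
    address public owner;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    // No access control: any caller can replace the owner.
    function transferOwnership(address newOwner) public {
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }
}

// After: the same function, restricted to the current owner.
contract OwnableProtected {
    address public owner;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    // onlyOwner reverts for every caller except the current owner.
    function transferOwnership(address newOwner) public onlyOwner {
        // Extra check (an assumption, not from the article): never hand ownership to address(0).
        require(newOwner != address(0), "new owner is the zero address");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }
}
```

During an audit, every state-changing function that writes to `owner` or moves funds should be checked for a modifier or an explicit `require` on `msg.sender`, since declaring the modifier alone protects nothing.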
In conclusion, the Ragnarok Online Invasion (ROI) hack of September 7, 2022, serves as a cautionary tale highlighting the necessity of stringent security practices and vigilant oversight within the blockchain space. The exploitation of an access control vulnerability resulted in significant financial losses and a severe devaluation of the ROI token.
It is imperative for blockchain projects to continuously prioritize security and conduct thorough code audits to prevent such incidents in the future.
Author: ImmuneBytes
Date: 2023-08-16 04:25:00