QuillHash
Published in

QuillHash

Decoding Ragnarok Online Invasion $44,222 Exploit| QuillAudits

Summary:

On the 8th of September, 2022, Ragnarok Online Invasion($ROI) was attacked. The cause of the attack was a typical access control vulnerability of ownership transfer function. Around 158 BNB (44,222.5 BUSD) was stolen by the hackers in this attack.

Introduction to Ragnarok Online Invasion:

Ragnarok Online Invasion ($ROI) is a cryptocurrency, deployed on Binance Smart Chain(BSC BEP-20). It is a token created to characterize the GameFi or NFT video game called “Ragnarok Online”.

Vulnerability Analysis & Impact:

The cause of this attack was a simple access control issue, which allowed anyone to transfer ownership of the contract. The transferOwnership function has no access controls like OnlyOwner modifier or onlyAdmin to prevent malicious users from calling the function. See the code below.

Vulnerable Code:

You can find the above code here.

The Attack:

  1. First, the attacker called the OwnershipTransferred function and easily transferred the ownership of the function to 0x158af3d23d96e3104bcc65b76d1a6f53d0f74ed0 contract.

2. Now, the attacker swaps $ROI tokens for $BUSD, and then finally swaps $BUSD for $BNB tokens.

3. Then the attacker finally calls withdrawal function and successfully withdraws around 162.5 $BNB which amounts to around $47,384.

After the Exploit :

As a result of the attack, the price of the $ROI token fell by almost 99%. The current price(as of writing this blog) of the $ROI token is $0.0012. The liquidity of the token dropped from $49.6K to $5.5K. See here for more details.

Status of Stolen Funds:
All the stolen funds rest in the hacker’s address. See here for transaction details.

How they could have prevented the Exploit?

This attack could have been prevented by implementing proper access control. Although the project had onlyOwner modifier (see here) in the contract, it was not implemented in transferOwnership functions which led to this attack. Adding onlyOwner modifier in transferOwnership function could have prevented the attack. See Below snippets:

Further Reference / Credit:

https://twitter.com/BlockSecTeam/status/1567746825616236544
https://twitter.com/CertiKAlert/status/1567754904663429123

Similar projects secured by QuillAudits:

Rova Token
Bridge Network

Web3 security- Need of the hour

Why QuillAudits For Web3 Security?

QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of millions in funds.

Want more Such Security Blogs & Reports?

Connect with QuillAudits on :

Linkedin | Twitter | Website | Newsletter | Discord | Telegram

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
QuillAudits Team

QuillAudits Team

Smart Contract Auditing Experts , Making web3 a safer place . audits@quillhash.com