Table of Contents
On the 8th of September, 2022, Ragnarok Online Invasion (ROI), a cryptocurrency deployed on the Binance Smart Chain (BSC BEP-20), experienced a significant security breach.
This incident, which resulted in the theft of approximately 158 BNB, was attributed to a critical access control vulnerability within the ownership transfer function of the ROI contract.
About ‘Ragnarok Online Invasion’ (ROI)
Ragnarok Online Invasion (ROI) is a digital token designed to represent the emerging GameFi and NFT video game titled “Ragnarok Online.” Operating on the Binance Smart Chain (BSC BEP-20), ROI has gained prominence within the blockchain gaming community.
Vulnerability Analysis & Impact
The breach in question stemmed from a relatively straightforward access control issue. Specifically, the contract lacked essential access controls such as the “OnlyOwner” modifier or “onlyAdmin” restrictions to safeguard against malicious actors accessing the transferOwnership function. A portion of the vulnerable code is presented below:
Token Contract: 0xE48b75dc1b131fd3A8364b0580f76eFD04cF6e9c
Hacker Add: 0x91b7F203ED71C5eCCF83b40563e409D2F3531114
The attacker initiated the breach by invoking the OwnershipTransferred function, effortlessly transferring ownership of the contract to the address “0x158af3d23d96e3104bcc65b76d1a6f53d0f74ed0.”
- The attacker executed a series of transactions
- Exchanged ROI tokens for BUSD tokens
- Converted BUSD tokens into BNB tokens
Finally, the attacker invoked the withdrawal function successfully, resulting in the withdrawal of approximately 162.5 BNB, equivalent to approximately $47,384.
Hacker’s Wallet for Transferring Stolen Funds
Compromised ROI token contract
The Aftermath of the Exploit
Following the security breach, the ROI token’s value plummeted by nearly 99%.
This security incident underscores the importance of implementing robust access control mechanisms. Although the project did incorporate an “onlyOwner” modifier within the contract, it was not effectively employed within the transferOwnership functions, ultimately enabling this attack to transpire.
The addition of the “onlyOwner” modifier to the transferOwnership function could have effectively mitigated this breach.
In conclusion, the Ragnarok Online Invasion (ROI) hack of September 7, 2022, serves as a cautionary tale highlighting the necessity of stringent security practices and vigilant oversight within the blockchain space. The exploitation of an access control vulnerability resulted in significant financial losses and a severe devaluation of the ROI token.
It is imperative for blockchain projects to continuously prioritize security and conduct thorough code audits to prevent such incidents in the future.