The attacker used a vulnerability that let whole liquidity pools be taken out as"fees."
The Hacking
The Raydium decentralized exchange (DEX) team has disclosed specifics on the incident that happened on December 16 and has put up a suggestion to make amends for victims. According to a team forum post (1), the hacker could escape with more than $2 million in cryptocurrency loot by taking advantage of a flaw in the DEX's smart contracts that allowed administrators to withdraw entire liquidity pools despite existing safeguards being intended to prevent such behavior.
The team will utilize its unlocked tokens to repay victims who lost Raydium tokens, commonly known as RAY. Nevertheless, the creator does not have the stablecoin and other non-RAY tokens to compensate victims; thus, it requests a vote from RAY holders to utilize the DAO treasury to purchase the lacking tokens to repay individuals harmed by the exploit.
1/ Update on remediation of funds for recent exploit
— Raydium (@RaydiumProtocol) December 21, 2022
First, thanks for everyone's patience up to now
An initial proposal on a way forward has been posted for discussion. Raydium encourages and appreciates all feedback on the proposal.https://t.co/NwV43gEuI9
The attacker took over an admin pool private key as part of the vulnerability, according to a different post-mortem report (2). The team does not know how this key was obtained, but it has a suspicion that a trojan application was installed on the virtual computer that housed the key. Once they got the key, the assailant called a function to remove transaction fees that would typically be sent to the DAO's Treasury to be used for RAY buybacks.
The compensation process
Transaction costs on Raydium do not instantly transfer to the Treasury after an exchange. Instead, they hang out in the pool of the liquidity provider until an admin takes them out. However, the smart contract uses parameters to keep track of the fees owing to the DAO. The attacker shouldn't have been able to withdraw more than 0.03% of the entire trading volume that had taken place in each pool since the last withdrawal because of this. However, the attacker was able to manually alter the parameters due to a contract fault, giving the impression that the whole liquidity pool was made up of transaction fees. The assailant was able to take all of the money as a result. The attacker was able to withdraw the money after it was withdrawn manually. Change them for different tokens, then move the proceeds to other wallets controlled by the attacker.
An exploit on Raydium is being investigated that affected liquidity pools. Details to follow as more is known
— Raydium (@RaydiumProtocol) December 16, 2022
⁰Initial understanding is owner authority was overtaken by attacker, but authority has been halted on AMM & farm programs for now
Attacker accnthttps://t.co/ZnEgL1KSwz
The team has updated the app's smart contracts in response to the vulnerability to eliminate admin control over the parameters misused by the attacker. The developers put up a strategy to make amends for attack victims in the forum post on December 21. The team will utilize its own unlocked RAY tokens to recompense RAY holders who lost their tokens due to the attack. It has requested a forum debate on how to carry out a compensation scheme that uses the DAO's Treasury to pay for lost non-RAY tokens. The group is requesting that the matter be decided after a three-day deliberation.
The $2,000,000 Raydium On December 16, a hack was initially uncovered. Initial reports claimed that the attacker had removed liquidity from pools without depositing LP tokens via the withdraw function. However, since the attacker should only have been able to withdraw transaction fees using this function, it wasn't until after an investigation that it became clear how they could drain whole pools.
