Raydium announces details of hack, proposes compensation for victims


The attacker made use of an exploit that allowed entire liquidity pools to be withdrawn as “fees.”


The team behind the Raydium decentralized exchange (DEX) has announced details as to how the hack of Dec. 16 occurred and offered a proposal to compensate victims.

According to an official forum post from the team, the hacker was able to make off with over $2 million in crypto loot by exploiting a vulnerability in the DEX’s smart contracts that allowed entire liquidity pools to be withdrawn by admins, despite protections intended to prevent such behavior.

The team will use its own unlocked tokens to compensate victims who lost Raydium tokens, also known as RAY. However, the developer does not have the stablecoins and other non-RAY tokens to compensate victims, so it is asking for a vote from RAY holders to use the decentralized autonomous organization (DAO) treasury to buy the missing tokens to repay those affected by the exploit.

1/ Update on remediation of funds for recent exploit

First, thanks for everyone's patience up to now

An initial proposal on a path forward has been posted for discussion. Raydium encourages and appreciates all feedback on the proposal. https://t.co/NwV43gEuI9

— Raydium (@RaydiumProtocol) December 21, 2022

According to a separate post-mortem report, the attacker’s first step in the exploit was to gain control of an admin pool private key. The team does not know how this key was obtained, but it suspects that the virtual machine that held the key became infected with a trojan program.

Once the attacker had the key, they called a function to withdraw transaction fees that would normally go to the DAO’s treasury to be used for buybacks of RAY. On Raydium, transaction fees do not automatically go to the treasury at the moment of a swap. Instead, they remain in the liquidity provider’s pool until withdrawn by an admin. However, the smart contract keeps track of the amount of fees owed to the DAO through parameters. This should have prevented the attacker from being able to withdraw more than 0.03% of the total trading volume that had occurred in each pool since the last withdrawal.

Nevertheless, because of a flaw in the contract, the attacker was able to manually change the parameters, making it appear that the entire liquidity pool was transaction fees that had been collected. This allowed the attacker to withdraw all of the funds. Once the funds were withdrawn, the attacker was able to manually swap them for other tokens and transfer the proceeds to other wallets under the attacker’s control.

Related: Developer says projects are refusing to pay bounties to white hat hackers

In response to the exploit, the team has upgraded the app’s smart contracts to remove admin control over the parameters that were exploited by the attacker.
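The accounting weakness described above (an admin-writable "fees owed" parameter that the withdraw path trusted) and the fix (removing admin control over that parameter) can be illustrated with a small pool model. The following is an added example written for this article, not Raydium's program code: the pool, field and function names are hypothetical, and the only figure taken from the article is the 0.03% protocol fee. The fee counter is a private field that only the swap path can grow, so a fee withdrawal is bounded by what swaps actually accrued and there is no setter an admin key could use to inflate it.

```rust
// Added example, not Raydium's code: a minimal pool model in which the
// "fees owed to the treasury" counter is derived from swaps and cannot be
// set directly, so a fee withdrawal can never exceed what was accrued.

/// Treasury share of trading volume: 0.03% = 3 basis points of 10_000
/// (the rate quoted in the article; the constant names are hypothetical).
pub const TREASURY_FEE_BPS: u128 = 3;
pub const BPS_DENOMINATOR: u128 = 10_000;

#[derive(Debug, PartialEq, Eq)]
pub enum PoolError {
    /// A fee withdrawal asked for more than the swap path accrued.
    ExceedsAccruedFees { requested: u64, accrued: u64 },
    Overflow,
}

#[derive(Debug)]
pub struct Pool {
    /// Tokens held by the pool: LP deposits plus the fee slice of each swap.
    balance: u64,
    /// Fees owed to the treasury. Private on purpose: the only writes are in
    /// `record_swap` (increase) and `withdraw_treasury_fees` (decrease).
    /// A public `set_treasury_fees_accrued` would reintroduce the flaw.
    treasury_fees_accrued: u64,
}

impl Pool {
    pub fn new(initial_liquidity: u64) -> Self {
        Pool { balance: initial_liquidity, treasury_fees_accrued: 0 }
    }

    pub fn balance(&self) -> u64 {
        self.balance
    }

    pub fn treasury_fees_accrued(&self) -> u64 {
        self.treasury_fees_accrued
    }

    /// Record a swap with `amount_in` of this pool's token. The model tracks
    /// only the protocol-fee slice of the trade (the part the withdraw path
    /// is allowed to touch): it stays in the pool balance and is booked as
    /// owed to the treasury. Returns the fee taken.
    pub fn record_swap(&mut self, amount_in: u64) -> Result<u64, PoolError> {
        // u128 arithmetic cannot overflow here, and fee <= amount_in fits u64.
        let fee = (amount_in as u128 * TREASURY_FEE_BPS / BPS_DENOMINATOR) as u64;
        self.balance = self.balance.checked_add(fee).ok_or(PoolError::Overflow)?;
        self.treasury_fees_accrued = self
            .treasury_fees_accrued
            .checked_add(fee)
            .ok_or(PoolError::Overflow)?;
        Ok(fee)
    }

    /// Admin path for moving fees to the treasury. The request is checked
    /// against the accrued counter, and nothing lets the caller change that
    /// counter, so even a compromised admin key is bounded by real fee income.
    pub fn withdraw_treasury_fees(&mut self, requested: u64) -> Result<u64, PoolError> {
        let accrued = self.treasury_fees_accrued;
        if requested > accrued {
            return Err(PoolError::ExceedsAccruedFees { requested, accrued });
        }
        // Invariant: accrued <= balance, because every unit added to the
        // counter was also added to the balance and LP deposits only add.
        self.treasury_fees_accrued -= requested;
        self.balance = self.balance.checked_sub(requested).ok_or(PoolError::Overflow)?;
        Ok(requested)
    }
}

fn main() {
    // Constructed sample: 1,000,000 of LP liquidity, then 10,000,000 of volume.
    let mut pool = Pool::new(1_000_000);
    let fee = pool.record_swap(10_000_000).expect("swap");
    println!("fee accrued on swap: {fee}");
    // Attempting to take the whole pool as "fees" is rejected.
    println!("{:?}", pool.withdraw_treasury_fees(pool.balance()));
    // Taking exactly the accrued fees succeeds.
    println!("{:?}", pool.withdraw_treasury_fees(fee));
    println!("pool balance after withdrawal: {}", pool.balance());
}
```

The point of the design is that "how much can be withdrawn as fees" is never an input; it is a consequence of recorded swaps. An on-chain program would still need signer and account-ownership checks on the admin path, but those protect the key, not the arithmetic: the bound above holds regardless of who holds the key.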

In the Dec. 21 forum post, the developers proposed a plan to compensate victims of the attack. The team will use its own unlocked RAY tokens to compensate RAY holders who lost their tokens due to the attack. It has asked for a forum discussion on how to implement a compensation plan using the DAO’s treasury to purchase non-RAY tokens that have been lost. The team is asking for a three-day discussion to take place to decide the issue.

The $2 million Raydium hack was first discovered on Dec. 16. Initial reports said that the attacker had used the withdraw_pnl function to remove liquidity from pools without depositing LP tokens. But since this function should have only allowed the attacker to remove transaction fees, the actual method by which they could drain entire pools was not known until after an investigation had been conducted.
