Raydium announces details of hack, proposes compensation for victims

Published at: Dec. 21, 2022

The team behind the Raydium decentralized exchange (DEX) has published details of how the Dec. 16 hack occurred and has proposed a plan to compensate victims.

According to an official forum post from the team, the hacker made off with over $2 million in crypto by exploiting a vulnerability in the DEX's smart contracts that allowed an admin to withdraw entire liquidity pools, despite protections that were supposed to prevent exactly that.

The team will use its own unlocked tokens to compensate victims who lost Raydium tokens, also known as RAY. However, the developer does not hold the stablecoins and other non-RAY tokens needed to make those victims whole, so it is asking RAY holders to vote on using the decentralized autonomous organization (DAO) treasury to buy the missing tokens and repay those affected by the exploit.

1/ Update on remediation of funds for recent exploit. First, thanks for everyone's patience up to now. An initial proposal on a way forward has been posted for discussion. Raydium encourages and appreciates all feedback on the proposal. https://t.co/NwV43gEuI9

— Raydium (@RaydiumProtocol) December 21, 2022

According to a separate post-mortem report, the attacker's first step was to obtain the private key of an admin account for the pools. The team does not know how the key was obtained, but it suspects that the virtual machine holding the key was infected with a Trojan.

Once the attacker had the key, they called the function used to withdraw transaction fees that would normally go to the DAO's treasury for RAY buybacks. On Raydium, these fees do not move to the treasury at the moment of a swap. Instead, they remain in the liquidity pool until an admin withdraws them, and the smart contract tracks how much of the pool is owed to the DAO in on-chain parameters. That tracking should have capped any withdrawal at 0.03% of the trading volume that had occurred in each pool since the last withdrawal.

Because of a flaw in the contract, however, the same admin key also allowed the attacker to overwrite those parameters directly, making it appear that the entire liquidity pool consisted of collected fees. The cap was therefore only as strong as the parameters feeding it, and the key that could withdraw could also rewrite them. The withdrawal function then paid out everything in the pool. The attacker swapped the withdrawn funds for other tokens and transferred the proceeds to wallets under their control.


In response to the exploit, the team has upgraded the DEX's smart contracts to remove admin control over the parameters the attacker abused.
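The accounting described above, modeled as an added example. This is illustrative Rust written for this article, not Raydium's program code; the struct, field and function names (`Pool`, `fees_owed`, `withdraw_pnl`, `admin_set_fees_owed`) are hypothetical stand-ins for the on-chain parameters the post-mortem mentions, and the 0.03% figure is the one given above. A counter records the fees owed to the DAO, the withdrawal instruction pays out at most that counter, and an admin-settable parameter defeats the cap once the admin key is stolen. The `HardenedPool` wrapper shows the shape of the fix the team describes: the same accounting with the admin setter removed.

```rust
// Added illustration of the fee-accounting flaw described above; not
// Raydium's program code. Names (Pool, fees_owed, withdraw_pnl, ...) are
// hypothetical stand-ins for the on-chain parameters the article mentions.

/// Share of trading volume owed to the DAO treasury, in basis points.
/// 0.03% = 3 bps, the figure the article gives.
const DAO_FEE_BPS: u64 = 3;

/// One side of a liquidity pool, reduced to what matters for the bug:
/// the reserve and the counter of fees owed to the DAO.
#[derive(Debug, Clone, PartialEq)]
pub struct Pool {
    /// Tokens held by the pool. Fees stay here until an admin withdraws them.
    pub reserve: u64,
    /// Portion of `reserve` earmarked for the DAO but not yet withdrawn.
    pub fees_owed: u64,
}

impl Pool {
    pub fn new(reserve: u64) -> Self {
        Pool { reserve, fees_owed: 0 }
    }

    /// A swap of `volume` tokens: the tokens land in the reserve and the
    /// DAO's 0.03% share is recorded. Price math is omitted on purpose.
    pub fn swap(&mut self, volume: u64) {
        self.reserve += volume;
        self.fees_owed += volume * DAO_FEE_BPS / 10_000;
    }

    /// Admin instruction: pay out the accrued DAO fees. The cap is
    /// `fees_owed`, which is only as trustworthy as whoever can write it.
    pub fn withdraw_pnl(&mut self) -> u64 {
        let amount = self.fees_owed.min(self.reserve);
        self.reserve -= amount;
        self.fees_owed = 0;
        amount
    }

    /// VULNERABLE: an admin instruction that overwrites the accounting
    /// parameter directly. With the admin key stolen, this turns the
    /// withdrawal cap into a no-op.
    pub fn admin_set_fees_owed(&mut self, value: u64) {
        self.fees_owed = value;
    }
}

/// The attack, modelled: claim the whole reserve as "owed fees", then
/// take it through the otherwise legitimate withdrawal path.
pub fn drain_with_admin_key(pool: &mut Pool) -> u64 {
    let everything = pool.reserve;
    pool.admin_set_fees_owed(everything);
    pool.withdraw_pnl()
}

/// Shape of the fix the team describes: same accounting, but the
/// parameter can no longer be set by an admin. The only instruction that
/// raises `fees_owed` is `swap`, so `withdraw_pnl` cannot exceed accrual.
#[derive(Debug)]
pub struct HardenedPool {
    inner: Pool, // private: no path to `admin_set_fees_owed` from outside
}

impl HardenedPool {
    pub fn new(reserve: u64) -> Self {
        HardenedPool { inner: Pool::new(reserve) }
    }
    pub fn swap(&mut self, volume: u64) {
        self.inner.swap(volume)
    }
    pub fn withdraw_pnl(&mut self) -> u64 {
        self.inner.withdraw_pnl()
    }
    pub fn reserve(&self) -> u64 {
        self.inner.reserve
    }
}

fn main() {
    // Constructed numbers: a 1,000,000-token reserve and 500,000 of volume.
    let mut honest = Pool::new(1_000_000);
    honest.swap(500_000);
    println!("honest withdraw_pnl pays {}", honest.withdraw_pnl()); // 150

    let mut victim = Pool::new(1_000_000);
    victim.swap(500_000);
    println!("drained with stolen key: {}", drain_with_admin_key(&mut victim)); // 1500000

    let mut fixed = HardenedPool::new(1_000_000);
    fixed.swap(500_000);
    println!("hardened withdraw_pnl pays {}", fixed.withdraw_pnl()); // 150
}
```

The point the model makes is that a cap enforced by a mutable on-chain parameter is only as strong as the set of keys that can write that parameter; removing the admin setter, as the fix does, makes `swap` the sole writer and restores the invariant that withdrawals never exceed accrued fees.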

In the Dec. 21 forum post, the developers proposed a plan to compensate victims of the attack. The team will use its own unlocked RAY tokens to compensate RAY holders who lost their tokens. For the non-RAY tokens that were lost, it has opened a three-day forum discussion on how to implement a compensation plan that uses the DAO's treasury to purchase them.

The $2 million Raydium hack was first discovered on Dec. 16. Initial reports said that the attacker had used the withdraw_pnl function to remove liquidity from pools without depositing LP tokens. Since that function should only have released accrued transaction fees, the actual method by which entire pools were drained was not known until the investigation had been completed.
