The Raydium team has disclosed the details of the hack on the protocol and has offered a compensation plan for all affected users.
The Raydium decentralized exchange (DEX) team has disclosed details of the incident that happened on December 16 and has put forward a proposal to compensate victims.
According to a team forum post, the hacker made off with more than $2 million in cryptocurrency by exploiting a flaw in the DEX’s smart contracts that allowed administrators to withdraw entire liquidity pools, despite existing safeguards intended to prevent such behavior.
To compensate victims who lost Raydium tokens, also known as RAY, the team will use its own unlocked tokens. However, the developer lacks the stablecoins and other non-RAY tokens necessary to compensate victims, so it is requesting a vote from RAY holders to use the DAO treasury to purchase the necessary tokens and compensate people harmed by the exploit.
According to a separate post-mortem report, the attacker took over an admin pool private key as part of the attack. The team does not know how this key was obtained, but it suspects that a trojan application was installed on the virtual machine that housed the key.
Once they had the key, the attacker called a function to withdraw transaction fees that would normally be sent to the DAO’s treasury to be used for RAY buybacks.
Transaction fees on Raydium do not always go to the treasury when a swap occurs. Instead, they remain in the liquidity provider’s pool until an admin withdraws them.
However, the smart contract uses parameters to keep track of the fees owed to the DAO. Because of this, the attacker should not have been able to withdraw more than 0.03% of the total trading volume that had taken place in each pool since the last withdrawal.
But due to a flaw in the contract, the attacker was able to manually alter the parameters, making it appear that the whole liquidity pool consisted of transaction fees.
As a result, the attacker was able to withdraw all of the funds. Once the funds were withdrawn, the hacker was able to manually swap them for other tokens and then send the proceeds to other wallets under their control.
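The fee accounting described above can be modelled in a few lines. This is an added example, not Raydium's contract code: a simplified single-token model in Rust with hypothetical names (Pool, fees_owed, admin_set_fees_owed, withdraw_fees_checked) that puts the admin-writable tracking parameter beside a withdrawal that enforces the 0.03% volume bound. The bound check is an assumption about one way to enforce the limit, not a description of the deployed fix.

```rust
// Simplified single-token model; every name here is hypothetical, not Raydium's code.
#[derive(Debug, PartialEq)]
pub enum FeeError { ExceedsVolumeBound }
pub struct Pool {
    pub reserve: u64,               // tokens in the pool: LP funds plus unclaimed fees
    pub fees_owed: u64,             // tracking parameter: fees owed to the treasury
    pub volume_since_withdraw: u64, // swap volume since the last fee withdrawal
}

/// 0.03% of a volume, computed in u128 so the multiplication cannot overflow.
fn fee_on(volume: u64) -> u64 { (volume as u128 * 3 / 10_000) as u64 }

impl Pool {
    pub fn new(reserve: u64) -> Self {
        Pool { reserve, fees_owed: 0, volume_since_withdraw: 0 }
    }
    /// Most that can legitimately be owed: 0.03% of volume since the last withdrawal.
    pub fn fee_bound(&self) -> u64 { fee_on(self.volume_since_withdraw) }
    /// A swap leaves its fee in the pool and records it in the tracking parameter.
    pub fn swap(&mut self, amount_in: u64) {
        self.reserve += amount_in;
        self.fees_owed += fee_on(amount_in);
        self.volume_since_withdraw += amount_in;
    }
    /// Weak design: whoever holds the admin key can overwrite the parameter.
    pub fn admin_set_fees_owed(&mut self, value: u64) { self.fees_owed = value; }
    /// Weak withdrawal: pays out whatever the parameter says, up to the whole pool.
    pub fn withdraw_fees_unchecked(&mut self) -> u64 {
        let out = self.fees_owed.min(self.reserve);
        self.pay_out(out)
    }
    /// Hardened withdrawal: refuses a parameter larger than the volume bound.
    pub fn withdraw_fees_checked(&mut self) -> Result<u64, FeeError> {
        if self.fees_owed > self.fee_bound() { return Err(FeeError::ExceedsVolumeBound); }
        let out = self.fees_owed;
        Ok(self.pay_out(out))
    }
    fn pay_out(&mut self, out: u64) -> u64 {
        self.reserve -= out;
        self.fees_owed = 0;
        self.volume_since_withdraw = 0;
        out
    }
}

fn main() {
    let mut pool = Pool::new(1_000_000);
    pool.swap(100_000);
    println!("{:?}", pool.withdraw_fees_checked());
}
```

Because per-swap fees are rounded down, honestly accrued fees can never exceed the bound, so the check only rejects a parameter that was written by something other than a swap.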
In response to the exploit, the team has updated the app’s smart contracts to remove admin control over the parameters that the attacker misused. In the forum post on December 21, the developers put forward a plan to compensate victims of the attack.
To compensate RAY holders who lost their tokens as a result of the attack, the team will use its own unlocked RAY tokens. It has requested a forum discussion on how to carry out a compensation plan that uses the DAO’s treasury to pay for lost non-RAY tokens.
The team is requesting that the matter be decided after a three-day deliberation.
On December 16, the $2 million Raydium hack became known. Initial reports claimed that the attacker had used the withdraw_pnl function to remove liquidity from pools without depositing LP tokens.
However, since this function should only have allowed the attacker to withdraw transaction fees, it was not until after an investigation that it became clear how they were actually able to drain entire pools.