The team behind the Raydium decentralized exchange (DEX) has announced details as to how the hack of Dec. 16 occurred and offered a proposal to compensate victims.
According to an official forum post from the team, the hacker was able to make off with over $2 million in crypto loot by exploiting a vulnerability in the DEX’s smart contracts that allowed entire liquidity pools to be withdrawn by admins, despite existing protections being to prevent such behavior.
The team will use its own unlocked tokens to compensate victims who lost Raydium tokens, also known as RAY. However, the developer does not have the stablecoin and other non-RAY tokens to compensate victims, so it is asking for a vote from RAY holders to use the decentralized autonomous organization (DAO) treasury to buy the missing tokens to repay those affected by the exploit.
1/ Update on remediation of funds for recent exploit
First, thanks for everyone’s patience up to now
An initial proposal on a way forward has been posted for discussion. Raydium encourages and appreciates all feedback on the proposal.https://t.co/NwV43gEuI9
— Raydium (@RaydiumProtocol) December 21, 2022
According to a separate post-mortem report, the attacker’s first step in the exploit was to gain control of an admin pool private key. The team does not know how this key was obtained, but it suspects that the virtual machine that held the key became infected with a trojan program.
Once the attacker had the key, they called a function to withdraw transaction fees that would normally go to the DAO’s treasury to be used for buybacks of RAY. On Raydium, transaction fees do not automatically go to the treasury at the moment of a swap. Instead, they remain in the liquidity provider’s pool until withdrawn by an admin. However, the smart contract keeps track of the amount of fees owed to the DAO through parameters. This should have prevented the attacker from being able to withdraw more than 0.03% of the total trading volume that had occurred in each pool since the last withdrawal.
Nevertheless, because of a flaw in the contract, the attacker was able to manually change the parameters, making it appear that the entire liquidity pool was transaction fees that had been collected. This allowed the attacker to withdraw all of the funds. Once the funds were withdrawn, the attacker was able to manually swap them for other tokens and transfer the proceeds to other wallets under the attacker’s control.
Related: Developer says…
Click Here to Read the Full Original Article at Cointelegraph.com News…
