Solana-based decentralized finance protocol Raydium announced Initial Post-Mortem on its 7-figure exploit. As of now, a patch is in place preventing further exploits from the attacker.

"The exploit appears to stem from a trojan attack and compromised private key for the pool owner account." Raydium wrote in its Tweet, "Previous owner authority has been revoked and all program accounts have been updated to new hard wallet accounts. As such, the attacker no longer has access authority and is no longer able to exploit the pools".

"If the attacker returns the funds, 10% of the total amount will be offered and considered as a white-hat bug bounty. " Raydium added.

 In earlier report, Raydium has suffered an exploit, around $2 million worth of different cryptocurrencies was sitting in the account of an attacker that managed to maliciously withdraw user funds from Raydium exchange pools.

“Initial understanding is owner authority was overtaken by attacker, but authority has been halted on AMM & farm programs for now,” Raydium said on Tweet.

Full thread from @RaydiumProtocol on Twitter:

1/ Initial Post-Mortem: Raydium is working w 3rd-party auditors and teams across Solana to gather additional info. As of now, a patch is in place preventing further exploits from the attacker.

The following includes info up to now. Big thanks to all teams providing support

2/ Raydium’s upgrade authority is held by a @SquadsProtocol multisig. This attack was not related to upgrade authority on the program itself. The exploit appears to stem from a trojan attack and compromised private key for the pool owner account.

3/ The attacker accessed the pool owner account and was then able to call the withdrawalPNL function, a function used to collect trading/protocol fees earned by swaps in pools.

4/ The hacker was also able to set the SyncNeedTake parameters to change the out_put.need_take_pnl for quote and base tokens in the affected pools in order to modify expected fees and then withdraw those amounts.

5/ Pools affected:

SOL-USDC

SOL-USDT

RAY-USDC

RAY-USDT

RAY-SOL

stSOL-USDC

ZBC-USDC

UXP-USDC

whETH-USDC

Approx total funds exploited by attacker

RAY 1,879,638

stSOL 3,214

whETH 39.3

USDC 1,094,613

SOL120,512

UXP 21,068,507

ZBC9,758,647

USDT110,427

Total USD: ~4,395,237

6/ As an immediate solution, previous owner authority has been revoked and all program accounts have been updated to new hard wallet accounts. As such, the attacker no longer has access authority and is no longer able to exploit the pools.

7/ If the attacker returns the funds, 10% of the total amount will be offered and considered as a white-hat bug bounty. The attacker is encouraged to reach out through normal channels or via the below address

0x6d3078ED15461E989fbf44aE32AaF3D3Cfdc4a90

8/ Thank you to the Solana community for the support, specifically @solanafm@HelloMoon_io@wormholecrypto@osec_io and exchanges that blacklisted the hacker’s associated addresses. More details will follow as they become available. Everyone's support is greatly appreciated1334