Solana-based decentralized finance protocol Raydium announced Initial Post-Mortem on its 7-figure exploit. As of now, a patch is in place preventing further exploits from the attacker.
"The exploit appears to stem from a trojan attack and compromised private key for the pool owner account." Raydium wrote in its Tweet, "Previous owner authority has been revoked and all program accounts have been updated to new hard wallet accounts. As such, the attacker no longer has access authority and is no longer able to exploit the pools".
"If the attacker returns the funds, 10% of the total amount will be offered and considered as a white-hat bug bounty. " Raydium added.
In earlier report, Raydium has suffered an exploit, around $2 million worth of different cryptocurrencies was sitting in the account of an attacker that managed to maliciously withdraw user funds from Raydium exchange pools.
“Initial understanding is owner authority was overtaken by attacker, but authority has been halted on AMM & farm programs for now,” Raydium said on Tweet.
Full thread from @RaydiumProtocol on Twitter:
1/ Initial Post-Mortem: Raydium is working w 3rd-party auditors and teams across Solana to gather additional info. As of now, a patch is in place preventing further exploits from the attacker.
The following includes info up to now. Big thanks to all teams providing support
2/ Raydium’s upgrade authority is held by a @SquadsProtocol multisig. This attack was not related to upgrade authority on the program itself. The exploit appears to stem from a trojan attack and compromised private key for the pool owner account.
3/ The attacker accessed the pool owner account and was then able to call the withdrawalPNL function, a function used to collect trading/protocol fees earned by swaps in pools.
4/ The hacker was also able to set the SyncNeedTake parameters to change the out_put.need_take_pnl for quote and base tokens in the affected pools in order to modify expected fees and then withdraw those amounts.
5/ Pools affected:
SOL-USDC
SOL-USDT
RAY-USDC
RAY-USDT
RAY-SOL
stSOL-USDC
ZBC-USDC
UXP-USDC
whETH-USDC
Approx total funds exploited by attacker
RAY 1,879,638
stSOL 3,214
whETH 39.3
USDC 1,094,613
SOL120,512
UXP 21,068,507
ZBC9,758,647
USDT110,427
Total USD: ~4,395,237
6/ As an immediate solution, previous owner authority has been revoked and all program accounts have been updated to new hard wallet accounts. As such, the attacker no longer has access authority and is no longer able to exploit the pools.
7/ If the attacker returns the funds, 10% of the total amount will be offered and considered as a white-hat bug bounty. The attacker is encouraged to reach out through normal channels or via the below address
0x6d3078ED15461E989fbf44aE32AaF3D3Cfdc4a90
8/ Thank you to the Solana community for the support, specifically @solanafm@HelloMoon_io@wormholecrypto@osec_io and exchanges that blacklisted the hacker’s associated addresses. More details will follow as they become available. Everyone's support is greatly appreciated1334
All Comments