Dec 19, 2022 Frank Stewskid
Raydium released a Post-Mortem on its Friday liquidity pool exploit. According to the blog article, the incident was made possible because the attacker gained access to the liquidity pool's admin account.
"Exploit update: Full medium post below w further details, solutions implemented, and next steps. Raydium greatly appreciates the support & help received from teams, the community, and security experts across Solana up until now. More to come. https://t.co/DvwQ6gZ1nN"
— Raydium (@RaydiumProtocol) December 17, 2022
Although an internal security review is underway to determine the exact causes that facilitated the attack, the Raydium team's initial suspicion is that the attacker gained access to a virtual machine or an internal server on which the admin account of Raydium's V4 Liquidity Pool contract was deployed. This conclusion rests on the fact that there is no evidence the account's private key was ever passed, shared, transferred, or stored locally outside the virtual machine.
The attacker targeted eight constant product liquidity pools. The stolen assets total around $4.4 million and, according to Raydium, have been traced to accounts linked to earlier NFT "rug-pull" projects, although this has not been conclusively confirmed.
The exploit happened in two parts. First, the attacker called the smart contract's "withdrawPNL" function to withdraw funds from the pool vault. Second, they used two other functions of the smart contract in conjunction to alter and increase the amount designated as fees that could be withdrawn via withdrawPNL, and then repeated the process numerous times.
According to the Post-Mortem, the attack started at 10:12 UTC on December 16, and at 14:16 UTC the same day Raydium deployed a patch revoking the authority of the compromised account and transferring ownership of the affected smart contract to a hardware wallet. The next day, Raydium released further updates to its V4 AMM program, removing various parameters and moving admin permissions to the multisig already used for program updates.
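The two-part flow described above, and the single-key versus multisig authority change that followed it, as an added toy model that is not Raydium's code: Pool, set_pnl_param, withdraw_pnl and simulate_compromise are hypothetical names, and the fee counter is a stand-in for whatever parameters the real program exposed. A lone compromised admin key can rewrite the counter and drain the pool round by round, while a 2-of-3 threshold rejects the same calls from that single key.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    reserve_a: float            # token A reserve (LP funds + accrued fees)
    reserve_b: float
    signers: frozenset          # keys allowed to approve admin actions
    threshold: int = 1          # 1 = lone admin key; >1 = k-of-n multisig
    fee_bps: int = 25
    pnl_a: float = 0.0          # token-A fees designated as withdrawable

    def _authorize(self, sigs):
        # Authority gate shared by every privileged instruction.
        if len(set(sigs) & self.signers) < self.threshold:
            raise PermissionError("insufficient approvals")

    def swap_a_for_b(self, amount_a):
        # Constant-product swap; the fee portion accrues to pnl_a.
        fee = amount_a * self.fee_bps / 10_000
        net = amount_a - fee
        out_b = self.reserve_b - self.reserve_a * self.reserve_b / (self.reserve_a + net)
        self.reserve_a += net
        self.reserve_b -= out_b
        self.pnl_a += fee
        return out_b

    def set_pnl_param(self, value, sigs):
        # Hypothetical admin-only parameter update that rewrites the fee counter.
        self._authorize(sigs)
        self.pnl_a = value

    def withdraw_pnl(self, sigs):
        # Admin-only payout of whatever the fee counter says is owed.
        self._authorize(sigs)
        amount = min(self.pnl_a, self.reserve_a)
        self.reserve_a -= amount
        self.pnl_a -= amount
        return amount


def simulate_compromise(pool, stolen_key, rounds=3):
    # The two-part flow from the post-mortem: withdraw accrued fees, then
    # inflate the withdrawable amount and withdraw again, repeatedly.
    taken = pool.withdraw_pnl([stolen_key])
    for _ in range(rounds):
        pool.set_pnl_param(pool.reserve_a / 2, [stolen_key])
        taken += pool.withdraw_pnl([stolen_key])
    return taken
```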
Besides offering a 10% bounty for returning the stolen funds, Raydium is also offering the attacker the exploited RAY token balance as an additional reward. Meanwhile, the company will work with security firms and publish updated information as it becomes available, while trying to accurately determine the impact of the exploit on its liquidity pools and on user LP balances.