Raydium Offers Proposals For Compensation For Hacking Victims On Its Platform
Raydium offers compensation to victims of hacking. (photo: twitter @raydiumProtocol)

JAKARTA - The team behind the Raydium Decentralized Exchange (DEX) has announced details of how the hack occurred on December 16 and offered proposals to compensate victims of the hack.

According to an official team forum post, the attacker was able to loot more than $2 million in crypto by exploiting a vulnerability in the DEX's smart contracts that allowed an admin to withdraw an entire liquidity pool, despite a protection that was meant to prevent exactly that.

The team will use its unlocked tokens to compensate victims who lost the Raydium token, also known as RAY. However, the developers do not hold stablecoins or other non-RAY tokens to compensate victims, so they are asking RAY holders to vote on using the treasury of the decentralized autonomous organization (DAO) to buy the missing tokens and pay those affected by the exploit.

According to a separate post-mortem report, the attacker's first step in the exploit was to gain control of the pool admin's private key. The team does not know how this key was obtained, but it suspects that the virtual machine holding the key was infected with a trojan.

Once the attacker had the key, they called a function that collects the transaction fees which normally go to the DAO treasury for RAY buybacks.

At Raydium, transaction fees do not go to the treasury automatically at the time of a swap. Instead, they remain in the liquidity pool until an admin withdraws them. The smart contract, however, tracks the amount of fees owed to the DAO through a parameter.

This should prevent an attacker from withdrawing more than 0.03% of the total trading volume that has occurred in each pool since the last fee collection.

However, due to a defect in the contract, the attacker was able to change the parameter manually, making it appear that the entire liquidity pool consisted of collected transaction fees. This allowed the attacker to withdraw all of the funds.

Once the funds were withdrawn, according to a Cointelegraph report, the attacker could swap them manually for other tokens and transfer the proceeds to another wallet under their control.

In response to the exploit, the team has upgraded the application's smart contract to remove admin control over the parameter the attacker exploited.
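The accounting flaw described above and its fix, as an added toy model in Rust (constructed for this article, not Raydium's program): `fees_owed` is the parameter an admin key could set, the hardened variant refuses that write, and a consistency check bounds recorded fees by 0.03% of trade volume so a monitor could flag tampering before any withdrawal. Field names, function names and figures are assumptions.

```rust
/// Toy model of the fee-accounting flaw: the treasury's share of fees is tracked as a
/// parameter that a compromised admin key could overwrite. Constructed, not Raydium's code.
#[derive(Debug, Clone)]
pub struct Pool {
    pub balance: u64,              // everything the pool holds: LP funds plus uncollected fees
    pub fees_owed: u64,            // treasury share recorded since the last withdrawal
    pub volume_since_collect: u64, // trade volume since the last withdrawal
    pub admin_can_set_fees: bool,  // true = flawed design, false = hardened
}

/// Treasury share of trade volume: 0.03%, the figure given in the article.
pub const TREASURY_FEE_BPS: u64 = 3;

impl Pool {
    pub fn new(balance: u64, admin_can_set_fees: bool) -> Self {
        Pool { balance, fees_owed: 0, volume_since_collect: 0, admin_can_set_fees }
    }

    /// A trade leaves its fee inside the pool; the contract only records the treasury's share.
    pub fn swap(&mut self, volume: u64) {
        let fee = volume * TREASURY_FEE_BPS / 10_000;
        self.balance += fee;
        self.fees_owed += fee;
        self.volume_since_collect += volume;
    }

    /// The admin-only parameter write the flawed design exposed; the hardened version refuses it.
    pub fn admin_set_fees_owed(&mut self, value: u64) -> Result<(), &'static str> {
        if !self.admin_can_set_fees {
            return Err("fees_owed is derived from trades and cannot be set by the admin");
        }
        self.fees_owed = value.min(self.balance);
        Ok(())
    }

    /// Admin withdrawal of the treasury share. Returns the amount transferred out.
    pub fn withdraw_fees(&mut self) -> u64 {
        let amount = self.fees_owed.min(self.balance);
        self.balance -= amount;
        self.fees_owed = 0;
        self.volume_since_collect = 0;
        amount
    }

    /// Monitoring check: recorded fees can never legitimately exceed 0.03% of the volume
    /// traded since the last withdrawal, so a true result means the parameter was tampered with.
    pub fn fees_owed_exceeds_bound(&self) -> bool {
        self.fees_owed > self.volume_since_collect * TREASURY_FEE_BPS / 10_000
    }
}
```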

In a December 21 forum post, the developers proposed plans to compensate the victims of the attack. The team will use unlocked RAY tokens to compensate RAY holders who lost their tokens in the attack.

They have opened a forum discussion on how to implement a compensation plan that uses the DAO treasury to buy the missing non-RAY tokens. The team asked for the discussion to run for three days before a decision is made.

The $2 million Raydium hack was first discovered on December 16. Initial reports said that the attacker had used a crude_pnl function to remove liquidity from the pool without depositing LP tokens. But since this function should only allow the removal of transaction fees, the actual method used to drain entire pools remained unknown until the investigation was carried out.


The English, Chinese, Japanese, Arabic, and French versions are automatically generated by AI, so there may still be inaccuracies in the translation; please always refer to the Indonesian version as our main language. (system supported by DigitalSiber.id)