
Deep dive into the Raydium Hack

The Raydium attacker appears to have used the protocol’s own private keys to drain liquidity pools. It’s unclear how they got them.


Devendra Singh Khati

a year ago | 2 min read

Raydium, a Solana-based AMM, lost $4.4M in fees from its liquidity pools on Friday.

The DEX aggregator PRISM raised the alarm, as did Solana:

A wallet appears to be draining LP Pools from Raydium liquidity pools while using the admin wallet as a signer and not having/burning LP tokens.

We withdrew the protocol because Raydium provided PRISM/USDC liquidity.

https://twitter.com/QuillAudits/status/1604004700613128192

WITHDRAW YOUR RAYDIUM PRISM/USDC LIQUIDITY

The announcement came 40 minutes later, stating that "authority has been halted on AMM & farm programmes for now". The team assured users in a subsequent post that "a patch is in place preventing further exploits from the attacker."

While this incident has not resulted in a complete protocol breakdown, losing millions is never good.

But who is still using Solana?

The attacker's SOL address: AgJddDJLt17nHyXDCpyGELxwsZZQPqfUsuwzoiqVGJwD

The attacker's ETH address: 0x7047912c295cd54d6617b5d0d6d8b324a11c91db

The details below are credited to Raydium and OtterSec.

According to OtterSec, the incident appears to have been caused by a compromised private key to the Raydium contracts' owner account.

Raydium suspects "a trojan attack and compromised private key for the pool owner account".

The account had access to certain Raydium pool functions, which allowed the attacker to drain accumulated trading/protocol fees using the withdraw pnl instruction. The attacker also altered the SyncNeedTake parameter to raise standard prices and withdraw additional funds.
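The PRISM alert quoted above is itself a detection rule: a pool withdrawal signed by the admin wallet that burns no LP tokens should never happen in normal operation. The monitor below, an added example that is not code from the original post or from Raydium, encodes that rule plus an alert on admin changes to SyncNeedTake; the admin wallet, the instruction names other than withdraw pnl, and the simplified transaction records are placeholders and assumptions.

```python
"""Flag pool withdrawals signed by the pool owner wallet with no LP burn, and
admin changes to sensitive pool parameters. Records are constructed for this
example; a real monitor would build them from parsed Solana transactions."""
from dataclasses import dataclass, field

# Placeholder: the real pool owner/admin key is not given in the post.
ADMIN_WALLET = "ADMIN_WALLET_PLACEHOLDER"
# Value-moving instructions. The post names only withdraw pnl; the rest is
# an assumption about the pool program's instruction set.
WITHDRAW_INSTRUCTIONS = {"withdraw", "withdraw_pnl"}
# Parameter changes that warrant their own alert (post: SyncNeedTake).
SENSITIVE_PARAMS = {"SyncNeedTake"}

@dataclass
class PoolTx:
    signature: str
    pool: str
    instruction: str
    signers: set
    lp_burned: int = 0                  # LP tokens burned by this transaction
    params: dict = field(default_factory=dict)  # fields touched by set_params

def alerts_for(tx):
    """Return alert strings for one transaction; empty list if it looks benign."""
    found = []
    admin_signed = ADMIN_WALLET in tx.signers
    # Rule 1: admin-signed withdrawal that burns no LP tokens (the PRISM alert).
    if tx.instruction in WITHDRAW_INSTRUCTIONS and admin_signed and tx.lp_burned == 0:
        found.append(f"{tx.signature}: admin-signed {tx.instruction} on {tx.pool} with no LP burn")
    # Rule 2: admin changed a sensitive pool parameter ("set_params" is assumed).
    if tx.instruction == "set_params" and admin_signed:
        touched = SENSITIVE_PARAMS & set(tx.params)
        if touched:
            found.append(f"{tx.signature}: admin changed {sorted(touched)} on {tx.pool}")
    return found

def scan(txs):
    """Run every rule over a batch of transactions and collect the alerts."""
    return [alert for tx in txs for alert in alerts_for(tx)]

# Constructed sample: one normal LP withdrawal, one admin fee drain, one
# admin parameter change. Signatures and the LP wallet are placeholders.
SAMPLE_TXS = [
    PoolTx("sig1", "SOL-USDC", "withdraw", {"LP_USER_PLACEHOLDER"}, lp_burned=500),
    PoolTx("sig2", "SOL-USDC", "withdraw_pnl", {ADMIN_WALLET}),
    PoolTx("sig3", "RAY-USDC", "set_params", {ADMIN_WALLET}, params={"SyncNeedTake": 1}),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_TXS):
        print(line)
```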

The following pools were affected, resulting in a $4.4 million protocol loss:

  • SOL-USDC
  • SOL-USDT
  • RAY-USDC
  • RAY-USDT
  • RAY-SOL
  • stSOL-USDC
  • ZBC-USDC
  • UXP-USDC
  • whETH-USDC

The vast majority of funds have been bridged to Ethereum, swapped to ETH, and deposited into Tornado Cash. The attacker's Solana address still has 100k SOL ($1.4M).

As with all cases of "compromised keys," we must consider whether this was an insider looking for a quick buck. In this context, the bear market promises a long and difficult road ahead for many smaller teams...

Solana's future appears to be uncertain.

Following the demise of FTX and the now-imprisoned SBF, with whom the ecosystem was so inextricably linked, it's easy to see how an ecosystem developer might be sick of the fallout and tempted to take the easy way out.

We'll probably never know, as with many cases we've discussed.

About QuillAudits

QuillAudits is a leading smart contract audit firm committed to securing Blockchain projects with our cutting-edge Web3 security solutions. We provide smart contracts auditing and DApps pen testing services for web3-based, Defi and NFT-based gaming projects. Since our inception four years ago, we have secured 700+ projects globally and saved $15B+ in the process; we continue to deliver enterprise-grade blockchain technology and state-of-the-art security solutions to leading companies and projects worldwide.

Community

Twitter: https://twitter.com/QuillAudits

Telegram: https://t.me/quillaudits_official

Discord: https://discord.gg/wNYvWva977

Created by

Devendra Singh Khati

As a writer and copywriter, I've recently focused on making blockchain more accessible to those who are unfamiliar with the technology. As someone who has been around for a while, I understand how difficult it can be to avoid technical jargon when explaining any blockchain concept.
