After gaining access to the Pool Owner (Admin) account on December 16, 2022, at 12:12 UTC, a malicious actor immediately began exploiting the authority account of the Raydium Liquidity Pool V4. OtterSec has published its initial overview of the attack’s scope.
Following up on the recent vulnerability in the Raydium Liquidity Pool, Raydium has just issued a comprehensive update. The purpose of this detailed post-mortem is to provide an in-depth overview of how the exploit was carried out, how the problem was mitigated, and the next measures that will be taken.
Background of the Exploit and Latest Details
Initially, the Pool Owner account was deployed on a virtual machine with a specialized internal server. After conducting further research, it has been determined that there is no evidence to suggest that the private key associated with the Pool Owner account has ever been distributed, shared, transferred, or kept locally anywhere other than the virtual machine on which it was initially placed.
An investigation into the company’s internal security is currently underway in order to ascertain the nature of the account breach as well as the underlying reason for it. At first glance, it appears as though the attacker may have obtained remote access to either the virtual machine or the internal server where the account was deployed. It has not yet been determined which specific vector of intrusion was used. However, one hypothesis is that it was a trojan attack.
The Raydium exploiter account appears to be involved in additional illegal conduct on Solana, according to an initial investigation into the matter. An indication of this can be found in a tweet that was posted by cloudzy.sol on November 7 and describes a wallet exploit that resulted in 198 SOL being stolen. These stolen funds eventually made their way into the same account that was used to fund the primary Raydium exploiter wallet.
The attacker gained access to eight constant product liquidity pools on Raydium and stole a combined amount of about $4.4 million worth of funds. The exploit has no effect on concentrated liquidity pools or RAY staking programs because of how they were designed, and it did not affect any of the other pools or funds available on Raydium.
While the exploit was in progress, the attacker moved different assets out of the impacted pools. The ‘Base’ token is the one on the left side of the token pair, while the ‘Quote’ token is the one on the right side of the token pair (usually a stablecoin or SOL). A complete listing of the stolen funds, along with the transaction history, is available at this link: https://github.com/raydium-io/dec_16_exploit. The breach was carried out in two stages.
First, the withdrawPNL instruction exists to collect protocol fees for RAY buybacks. It pays out a predefined amount of assets determined by the need_take_pc and need_take_coin fields, which should be equivalent to 12% of the pool’s total earnings from fees, or 3bps of the 25bps earned from swap transactions. The attacker used this instruction to remove funds (designated as fees) from the pool vault. Once the withdrawPNL instruction has executed, both need_take_pc and need_take_coin are immediately reset to zero.
Second, the attacker used the SetParams instruction with the AmmParams::SyncNeedTake parameter to artificially inflate the need_take_pc and need_take_coin balances. This allowed the attacker to set the expected fees to an arbitrarily large value and then repeatedly withdraw funds designated as fees from the pool vault using withdrawPNL.
Raydium’s Initial Mitigation of Exploit and Security Steps
At 14:16 UTC on December 16, 2022, Raydium deployed a hot patch, in the form of a stub (a controllable substitute for an existing dependency) applied across all of the applications. In other words, the authorization of the compromised account (HggGrUeg4ReGvpPMLJMFKV69NTXL1r4wQ9Pk9Ljutwyv) was revoked and replaced with a new account held on a hardware wallet.
By withdrawing that authority, the fix removed the attacker’s ability to continue exploiting the pools. At 10:27 UTC on December 17, the Raydium AMM V4 program was upgraded via the Squads multisig to remove extraneous admin options that, if compromised, could potentially affect funds. The removed parameters are AmmParams::MinSize, AmmParams::SyncLp, AmmParams::SetLpSupply, AmmParams::SyncK, and AmmParams::SyncNeedTake.
In addition, all of the admin parameters for Raydium Stable Pools, Raydium Acceleraytor, and Raydium DropZone have been removed. At approximately 15:00 UTC on December 17, all of the remaining administrative parameters, including the withdrawPNL instruction, were transferred to the Squads multisig that is now used for program upgrades.
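To make the two-stage mechanism and the December 17 mitigation concrete, here is a toy model of the fee-accounting path, written for this post-mortem as an added example rather than taken from Raydium’s program. The field names need_take_pc and need_take_coin, the instruction names and the 3bps / 25bps figures come from the text above; the struct layout, the u64 balances, the record_pc_swap helper, the pc_fees_accrued invariant counter and the Result-returning hardened variant are all assumptions made here for illustration. The vulnerable variant lets the authority key overwrite the earmarked-fee counters; the hardened variant no longer has that arm, so the counters can only move through the swap path, and a simple invariant check shows how an accounting monitor could have flagged the inflated counters before withdrawPNL ran.

```rust
// Toy model of the AMM V4 fee path, constructed for this post (not Raydium's code).
// Names that come from the post: need_take_pc, need_take_coin, withdrawPNL,
// SetParams, AmmParams::SyncNeedTake, 25 bps swap fee, 3 bps protocol share.
// Everything else is a simplification chosen for illustration.

/// Fee figures quoted in the post: 25 bps per swap, 3 bps of which is
/// earmarked as protocol fee and paid out through withdrawPNL.
pub const SWAP_FEE_BPS: u64 = 25;
pub const PNL_FEE_BPS: u64 = 3;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Pool {
    pub coin_vault: u64,     // base token held by the pool
    pub pc_vault: u64,       // quote token held by the pool
    pub need_take_coin: u64, // base-token protocol fee earmarked for withdrawPNL
    pub need_take_pc: u64,   // quote-token protocol fee earmarked for withdrawPNL
    pc_fees_accrued: u64,    // assumed: running total of genuine quote-side fees
}

impl Pool {
    pub fn new(coin_vault: u64, pc_vault: u64) -> Self {
        Pool { coin_vault, pc_vault, need_take_coin: 0, need_take_pc: 0, pc_fees_accrued: 0 }
    }

    /// A quote-side swap: the input lands in the vault and 3 bps of it is
    /// earmarked as protocol fee. Returns the full 25 bps fee charged.
    /// The out-leg of the swap is omitted to keep the model small.
    pub fn record_pc_swap(&mut self, amount_in: u64) -> u64 {
        let total_fee = amount_in * SWAP_FEE_BPS / 10_000;
        let pnl_fee = amount_in * PNL_FEE_BPS / 10_000;
        self.pc_vault += amount_in;
        self.need_take_pc += pnl_fee;
        self.pc_fees_accrued += pnl_fee;
        total_fee
    }

    /// withdrawPNL: pay out whatever is earmarked and reset both counters to
    /// zero, the reset behaviour the post describes. Returns (coin_out, pc_out).
    pub fn withdraw_pnl(&mut self) -> (u64, u64) {
        let coin_out = self.need_take_coin.min(self.coin_vault);
        let pc_out = self.need_take_pc.min(self.pc_vault);
        self.coin_vault -= coin_out;
        self.pc_vault -= pc_out;
        self.need_take_coin = 0;
        self.need_take_pc = 0;
        (coin_out, pc_out)
    }

    /// Defender-side invariant: earmarked fees can never exceed the fees that
    /// swaps actually generated. True means something other than the swap
    /// path wrote the counter, which is the signal a monitor would alert on.
    pub fn need_take_exceeds_accrued(&self) -> bool {
        self.need_take_pc > self.pc_fees_accrued
    }
}

/// Admin parameter selectors. SyncNeedTake is the one the post says was
/// removed on December 17; Fees stands in for the parameters that were kept.
#[derive(Debug, Clone, Copy)]
pub enum AmmParams {
    Fees { swap_fee_bps: u64 },
    SyncNeedTake { need_take_coin: u64, need_take_pc: u64 },
}

/// Before the upgrade: the authority key could overwrite the fee counters
/// with arbitrary values, which is what let withdrawPNL drain the vault.
pub fn set_params_vulnerable(pool: &mut Pool, p: AmmParams) {
    if let AmmParams::SyncNeedTake { need_take_coin, need_take_pc } = p {
        pool.need_take_coin = need_take_coin;
        pool.need_take_pc = need_take_pc;
    }
}

/// After the upgrade: the SyncNeedTake arm no longer exists, modelled here as
/// a hard error, so the counters move only through record_pc_swap.
pub fn set_params_hardened(_pool: &mut Pool, p: AmmParams) -> Result<(), &'static str> {
    match p {
        AmmParams::Fees { .. } => Ok(()),
        AmmParams::SyncNeedTake { .. } => Err("SyncNeedTake has been removed"),
    }
}

/// Replays the two-step pattern from the post: one legitimate swap, then an
/// attempt to sync the counters to the whole vault and call withdrawPNL.
/// Returns the quote amount paid out so the two variants can be compared.
pub fn replay(hardened: bool) -> u64 {
    let mut pool = Pool::new(1_000_000, 1_000_000);
    pool.record_pc_swap(100_000); // earmarks 30 units of quote-side fee
    let sync = AmmParams::SyncNeedTake { need_take_coin: pool.coin_vault, need_take_pc: pool.pc_vault };
    if hardened {
        assert!(set_params_hardened(&mut pool, sync).is_err());
    } else {
        set_params_vulnerable(&mut pool, sync);
        assert!(pool.need_take_exceeds_accrued()); // the invariant check fires here
    }
    pool.withdraw_pnl().1
}

fn main() {
    println!("vulnerable path paid out {} quote units", replay(false)); // whole vault
    println!("hardened path paid out {} quote units", replay(true));    // only the 30-unit fee
}
```

The invariant counter is the part worth keeping from this model: even with the admin parameter removed, a monitor that compares the earmarked amount against fees the swap path actually generated turns a silent accounting overwrite into an alert before the withdrawal lands.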
Future Measures to Mitigate The Situation
Raydium is working on two fronts in parallel. The first challenge is correctly assessing the impact of the hack on the pools that hold user LP balances. Raydium is taking snapshots and compiling data for all LP balances and matching position sizes from before the hack, and extrapolating the difference in original balances that occurred as a direct result of the vulnerability.
An exact account of balances is vital to determining a viable way forward, and it will take some time to obtain precise information for all accounts and LP balances in the affected pools. Second, Raydium is monitoring the attacker’s wallets and looking into other possibilities for recovering the funds.
Raydium has been in communication with a number of Solana teams, third-party auditors, and centralized exchanges, all of which have provided support as well as potential leads in reference to the attacker and associated accounts. Even while there is no conclusive evidence as of yet, there is mounting evidence that links the wallets that were used in the exploit to previous NFT rug projects as well as the malicious draining of user wallets.
Raydium will keep in contact with the necessary teams and security specialists in order to investigate other potential channels for the recovery of lost funds. In exchange for returning funds, Raydium is providing a 10% bonus as an incentive. In addition to the standard bounty, Raydium offers the RAY balance that was compromised.
There is still work to be done to determine the total impact on the balances and funds of individual LP users. Raydium is aware that all involved parties are apprehensive about the funds at issue, but additional time is required to compile the necessary facts and information before any of the potential courses of action can be evaluated.