Raydium provides details of the hack and proposes compensation for victims
The team behind the decentralized exchange (DEX) Raydium has released details of how the December 16 hack happened, along with a proposal to compensate victims.
According to an official forum post by the team, the attacker stole over $2 million worth of crypto by exploiting a flaw in the DEX's smart contracts that allowed an admin account to withdraw entire liquidity pools, despite protections that should have prevented such withdrawals.
The team will use its own unlocked tokens to compensate victims who lost Raydium tokens, also known as RAY. However, the developers do not hold the stablecoins and other non-RAY tokens needed to make those victims whole, and are therefore asking RAY holders to vote on using the Decentralized Autonomous Organization (DAO) treasury to buy the missing tokens and repay those affected.
1/ Update on sanitizing funds for recent exploits
First of all, thank you for everyone’s patience so far
A first proposal for further action was put up for discussion. Raydium encourages and appreciates any feedback on the proposal. https://t.co/NwV43gEuI9
— Raydium (@RaydiumProtocol) December 21, 2022
According to a separate post-mortem report, the attacker's first step was to gain control of the pool admin's private key. The team does not know how the key was obtained, but suspects that the virtual machine holding it was infected with a Trojan horse program.
Once the attacker had the key, they called a function that withdraws transaction fees which would normally go to the DAO's treasury to fund RAY buybacks. On Raydium, transaction fees are not sent to the treasury at the moment of a swap. Instead, they remain in the liquidity pool until an administrator withdraws them, while the smart contract tracks the amount of fees owed to the DAO in a set of parameters. That accounting should have prevented the attacker from withdrawing more than 0.03% of the total trading volume that had occurred in each pool since the last withdrawal.
However, due to a contract error, those parameters could be changed by the admin key, and the attacker set them so that the entire liquidity pool was recorded as collected transaction fees. This allowed the attacker to withdraw all funds. Once withdrawn, the funds were swapped for other tokens and the proceeds transferred to other wallets under the attacker's control.
In response to the exploit, the team updated the protocol's smart contracts to remove admin control over the parameters the attacker had abused.
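The exploit and the fix described above share one root cause: the "fees owed" counter that bounds a withdrawal was itself writable by the admin key, so a compromised key could set it to the whole pool. The following is an added illustration written for this article, not Raydium's code; the struct, function and parameter names (`Pool`, `fees_owed`, `admin_set_fees_owed`, `withdraw_fees`) are this example's own assumptions, and the price math of a real swap is deliberately left out. It models a pool in which the fee counter is admin-writable beside one in which only swap logic can grow it and withdrawals are additionally capped at the fee rate applied to recorded volume, then replays the attacker's path against both.

```rust
// Added example, not Raydium's code. Names and layout are illustrative.

/// Fee rate: 0.03% of swap volume, written as 3 / 10_000.
pub const FEE_NUM: u64 = 3;
pub const FEE_DEN: u64 = 10_000;

/// Shared pool state. Field names are this example's own assumptions.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Pool {
    pub reserve: u64,               // tokens held on behalf of liquidity providers
    pub fees_owed: u64,             // fee balance the treasury may withdraw
    pub volume_since_withdraw: u64, // swap volume recorded since the last fee withdrawal
}

impl Pool {
    pub fn new(reserve: u64) -> Self {
        Pool { reserve, fees_owed: 0, volume_since_withdraw: 0 }
    }

    /// Minimal swap model: the fee on `amount_in` stays in the pool and is
    /// recorded as owed to the treasury. Only swap logic should touch these counters.
    pub fn swap(&mut self, amount_in: u64) {
        let fee = amount_in * FEE_NUM / FEE_DEN;
        self.reserve += amount_in;
        self.fees_owed += fee;
        self.volume_since_withdraw += amount_in;
    }
}

/// Weak design: the fee counter is an admin-writable parameter, so whoever
/// holds the admin key can declare the whole pool to be "fees".
pub mod vulnerable {
    use super::Pool;

    pub fn admin_set_fees_owed(pool: &mut Pool, value: u64) {
        pool.fees_owed = value; // nothing ties this value to actual swap volume
    }

    pub fn withdraw_fees(pool: &mut Pool, amount: u64) -> Result<u64, &'static str> {
        if amount > pool.fees_owed { return Err("exceeds fees owed"); }
        if amount > pool.reserve { return Err("exceeds reserve"); }
        pool.fees_owed -= amount;
        pool.reserve -= amount;
        pool.volume_since_withdraw = 0;
        Ok(amount)
    }
}

/// Hardened design: there is no setter at all, and the withdrawal is also
/// capped by the fee rate applied to the volume that swap logic recorded.
pub mod hardened {
    use super::{Pool, FEE_DEN, FEE_NUM};

    pub fn withdraw_fees(pool: &mut Pool, amount: u64) -> Result<u64, &'static str> {
        let cap = pool.volume_since_withdraw * FEE_NUM / FEE_DEN;
        if amount > cap { return Err("exceeds fee cap for recorded volume"); }
        if amount > pool.fees_owed { return Err("exceeds fees owed"); }
        pool.fees_owed -= amount;
        pool.reserve -= amount;
        pool.volume_since_withdraw = 0;
        Ok(amount)
    }
}

/// Replays the attack path against both designs and returns what a compromised
/// admin key can take from a pool seeded with `reserve` tokens after one swap.
pub fn drain_attempt(
    reserve: u64,
    swap_volume: u64,
) -> (Result<u64, &'static str>, Result<u64, &'static str>) {
    let mut weak = Pool::new(reserve);
    weak.swap(swap_volume);
    let weak_total = weak.reserve;
    vulnerable::admin_set_fees_owed(&mut weak, weak_total); // "the whole pool is fees"
    let weak_result = vulnerable::withdraw_fees(&mut weak, weak_total);

    let mut strong = Pool::new(reserve);
    strong.swap(swap_volume);
    let strong_total = strong.reserve;
    // No setter exists; the best the attacker can do is ask for everything.
    let strong_result = hardened::withdraw_fees(&mut strong, strong_total);
    (weak_result, strong_result)
}

fn main() {
    let (weak, strong) = drain_attempt(1_000_000, 500_000);
    println!("vulnerable design: {:?}", weak);
    println!("hardened design:   {:?}", strong);
}
```

With a 1,000,000-token pool and 500,000 of swap volume, the weak design hands the whole 1,500,000 to the admin key, while the hardened design refuses anything above the 150 tokens (0.03% of 500,000) that swap logic actually accrued. The point of the second cap is defence in depth: even if some other bug corrupted `fees_owed`, a withdrawal can never exceed what the independently recorded volume justifies.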
In the December 21 forum post, the developers proposed a plan to compensate victims of the attack. The team will use its own unlocked RAY tokens to compensate RAY holders who lost tokens in the attack, and has opened a forum discussion on how to implement a compensation plan that uses the DAO's treasury to buy back the lost non-RAY tokens. The team is asking for a three-day discussion period before the issue is decided.
The $2 million Raydium hack was first discovered on December 16. According to initial reports, the attacker had used the pull_pnl function to remove liquidity from pools without depositing LP tokens. However, since that function was only intended to let an administrator withdraw transaction fees, the actual method by which entire pools were emptied only became clear after the team's investigation.