Solana DeFi Raydium Hacked

Solana DeFi Raydium Hacked


Raydium is a Solana-based decentralized exchange (DEX) and it was hacked last Friday (15 December 2022) for over $2 million worth of user funds, just a few days before Christmas. What a ho-ho-ho for the hacker/s, and a no-no-no for us.

Raydium acknowledged the hack in its Twitter post. The exploit happened on a number of Raydium Protocol LP pools that includes assets like $USDC, $SOL, $ZBC and $UXP.

What Happened

It was reported that the attacker accessed the Liquidity Pool (LP) owner account and was able to call the withdrawpnl function. This function is used to collect trading/protocol fees earned by swaps in pools. Raydium reported the hacker modified expected fees from the affected LPs by changing the out_put.need_take_pnl for quote and base tokens using the SyncNeedTake parameter. Clearly, to me, the hacker gained Super User access to the LPs.

A "Super User" access means that the access is god-level, if you know what I mean.

The pools affected are listed below:

SOL-USDC
SOL-USDT
RAY-USDC
RAY-USDT
RAY-SOL
stSOL-USDC
ZBC-USDC
UXP-USDC
whETH-USDC

The estimated total funds exploited by hacker:

RAY 1,879,638
stSOL 3,214
whETH 39.3
USDC 1,094,613
SOL120,512
UXP 21,068,507
ZBC9,758,647
USDT110,427

Total USD: ~4,395,237 Million

Potential Cause of the Exploit

The hacker’s wallet has been flagged on SolanaFM as AgJddDJLt17nHyXDCpyGELxwsZZQPqfUsuwzoiqVGJwD.

The account AgJd...GJwD was observed to be calling the "withdraw_pnl" on different Raydium LP pools.

It was observed the account was using the signature of the Raydium admin key. This suggests that it is not a smart contract vulnerability, but instead, some form of private key compromise. This was confirmed since the signer on the illegal transactions is `HggGrUeg4ReGvpPMLJMFKV69NTXL1r4wQ9Pk9Ljutwyv`. This is the hardcoded owner public key from the Raydium contracts. In short, the owner authority has been taken control by the attacker and again I cannot stress it enough - god-level.

09088176ff286d2f89e9b83f475d097bd9b1372557970e099fa0e3d44c78325e.jpg

The public key encryption system is popular in the crypto industry. Anyone with a public key can encrypt or "sign" a message, yielding a "ciphertext" or jumbled mix of numbers and characters, but only those who know the corresponding private key can decrypt the ciphertext to obtain the original message or object.

Once the hacker gained control, he repeatedly invoked the withdrawpnl instruction to withdraw fees from Raydium pools.

Immediate Action Taken

  • Raydium halted AMM & farm programs by freezing the private key authority over the LP and farming contracts. This means the previous owner authority has been revoked and all program accounts have now been updated to new hard wallet accounts. The attacker no longer has access authority and is no longer able to continue with the exploit.
  • Raydium offered an incentive to the hacker. That is, if the attacker returns the funds, 10% of the total amount will be offered as a white-hat bug bounty. The hacker may reach out to Raydium via normal channels or via the address 0x6d3078ED15461E989fbf44aE32AaF3D3Cfdc4a90.
  • The hacker's wallet were flagged with warnings and some exchanges blacklisted the hacker’s associated addresses. Related SOL addresses include accounts where funds were observed passing through from the attackers account, such as 7XFMgfxhDURuaPwhUkXAy6uQJCoC3HPpjiZBqcot57Ge, were also flagged.
  • Arkham, a crypto-intelligence provider, also provided warning to Twitter followers to withdraw funds from Raydium as soon as possible.
  • Raydium is now working with third party auditors and Solana teams to gather additional information regarding the hack.

Post-Hack Actions

The attacker now holds more than $4M worth of tokens.

On the SOL chain, the hacker only kept their native SOL and Lido stSOL. Currently, their token balances on the SOL chain sum:
109k SOL ($1.4M)
3.2k stSOL ($44k)

But the rest of the stolen tokens ($2.54M) were sold for USDC and bridged to Ethereum on UniSwap. Eventually, they sent all of their balance into Tornado Cash. As of this writing, the hacker has now sent a total of 2091 ETH into Tornado Cash, emptying their account. This account was also funded through Tornado, for 0.1 ETH.

If you recall, Tornado Cash is the crypto privacy mixer recently sanctioned by the US Treasury Department last August 2022.

Conclusion

So, what was the real cause of the hack? That remains to be confirmed from Raydium - but I do have a guess. 

While some news reported that it was a trojan attack, meaning a Raydium employee may have been victimised somehow, e.g., by clicking on a malicious link.  

However, it was also reported by Raydium that a patch was put in place preventing further exploits from the attacker. This does not really make sense to me if the cause was a compromised private key via a human vector - unless they are confirming that the hacker was able to gain access to the private key via an unpatched vulnerability in Raydium systems.  Then again, the hacker may have gained access to the vulnerable server via an unsuspecting Raydium employee. Anyway, let's hope we can get some clarification in future disclosures of Raydium. 

From another perspective, this is a second attack related to private key compromise since the reported attack on Serum (another Solana-based DEX) when its own validator key was compromised post-FTX bankruptcy (as in, recent).

It seems the year 2022 has been tough on Solana, not only on its native asset but now the bad luck has trickled into its defi ecosystem. Hopefully, 2023 would be a better year not only for SOL, but for crypto, in general.

How do you rate this article?

2


Marcusblue
Marcusblue

Crypto enthusiast. Not a financial advisor. Enough about me, let's talk crypto.


Get Your Keys, Get Your Coin
Get Your Keys, Get Your Coin

Learn about the latest fraud, scams and threats in the crypto world to secure your investments.

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.