Solana-based decentralized finance protocol Raydium has suffered an exploit, according to a statement from the developer. An initial investigation by the team revealed that the attacker took over the exchange’s owner account. The team said that “authority” over the automated market maker and farm programs has been paused “for now.”
An exploit on Raydium is being investigated that affected liquidity pools. Details to follow as more is known
⁰Initial understanding is owner authority was overtaken by attacker, but authority has been halted on AMM & farm programs for nowAttacker accnthttps://t.co/ZnEgL1KSwz
— Raydium (@RaydiumProtocol) December 16, 2022
Twitter user and researcher ZachXBT reported that the attacker has bridged $2 million to Ethereum “so far.”
Then bridged to ETH (~$2m so far)https://t.co/3OYxDThv7I
— ZachXBT (@zachxbt) December 16, 2022
Around 2 p.m. UTC on Dec. 16, a Raydium admin account posted nearly 1,000 transactions to the Solana network.
Each transaction removed liquidity from Raydium without depositing a corresponding LP token, effectively seizing possession of liquidity providers’ funds. A variety of tokens were taken in the exploit, including US Dollar Coin (USDC), Wrapped SOL (wSOL), Raydium, and others.
The exploit appears to have first been discovered by the Prism dev team. They posted a warning at 2:01 that an attacker was draining liquidity from Raydium without depositing and burning LP tokens. Prism warned its users to withdraw their Prism and USDC tokens from the exchange immediately.
There seems to be a wallet is draining LP Pools from Raydium liquidity pools using admin wallet as a signer without having/burning LP tokens.
We withdrew protocol provided PRISM/USDC liquidity from Raydium
WITHDRAW YOUR PRISM/USDC LIQUIDITY FROM RAYDIUM
— PRISM (@prism_ag) December 16, 2022
40 minutes later, the Raydium team took to Twitter to confirm that the exchange had been hacked.
According to crypto auditing firm Ottersec, the attacker has drained funds by invoking the withdraw_pnl function on the contract, which is used by the developer to withdraw fees. The firm did not say whether this function can be used to withdraw all liquidity or only a small percentage from the pools.
Nansen Portfolio, a crypto analytics firm, has confirmed that the attacker drained over $2.2 million from the exchange.
The wallet draining LP Pools from Raydium liquidity pools has received over $2.2M now, including $1.6M $SOL
Track here: https://t.co/IQedsOstPE pic.twitter.com/OAQJgaq5Mc
— Nansen Portfolio (@nansenportfolio) December 16, 2022
At the time of writing, the Raydium team is still investigating the exploit and has not yet announced whether compensation will be offered to victims of the attack.
Admin account hacks have been a recurring problem in the crypto space recently. On Dec. 2, Ankr protocol’s deployer key was stolen, and the attacker used it to remove $5 million worth of BNB. Earlier in the year, the Ronin network bridge was hacked by similar means. In this case, the attacker ran off with over $600 million of crypto loot.
Ankr has since reimbursed victims, and Ronin developer Axie Infinity has pledged that it will do the same.