Raydium Protocol Exploit Incident Analysis
1/19/2023

TL;DR

On 16 December 2022, Raydium Protocol experienced a private key compromise caused by a trojan. The attacker’s address on Solana drained multiple liquidity pools on Raydium. In total, approximately $5.5 million worth of customer assets were stolen. Raydium has officially acknowledged the incident and released an initial post mortem via a Twitter thread.

Summary

On 16 December 2022, an attacker managed to maliciously withdraw user funds from @RaydiumProtocol exchange pools. Raydium is an Automated Market Maker (AMM) built on the Solana blockchain that shares liquidity with Serum. Raydium enables the permissionless trading of cryptocurrencies through liquidity pools.

Raydium Protocol tweeted that, “Initial understanding is owner authority was overtaken by an attacker, but authority has been halted on automated market maker (AMM) & farm programs for now.” Image: Raydium official Twitter.

According to Raydium’s statement, a trojan, which is a type of malware, allowed an attacker to compromise the owner’s private key. Access to this private key enabled the attacker to withdraw a mix of assets from the pools. The compromised wallet was able to invoke the withdraw_pnl() instruction and drain the Raydium liquidity pools. The attacker then bridged approximately $2 million to Ethereum, including $1.6 million in SOL, and sent it to Tornado Cash. Minutes after the attack, Raydium’s native token RAY fell just over 8% to $0.16. The total value locked on the protocol also plummeted over 27% in the same period, to $34.73 million. In response to the exploit, the developers upgraded the app’s smart contracts to remove admin control over the parameters that were exploited. Raydium also published a list of affected wallets.

Raydium offered a 10% bug bounty to the hacker if they returned the stolen funds. As of now, the hacker is still unknown and has not responded to Raydium. Raydium also announced that it will use its own unlocked tokens to compensate victims who lost RAY tokens. However, the team does not have the RAY stablecoin and other non-RAY tokens to compensate victims. It asked RAY holders to vote on whether they should use the DAO treasury to buy the missing tokens and repay those affected by the exploit. The proposal was passed on 30 December with 5,598,814 people approving it.

Compendium Foundation, a platform based on Raydium, announced that it was temporarily withdrawing $CMFI, $USDC, and $SOL liquidity from Raydium following the incident. PRISM – a DEX aggregator for aggregating liquidity sources across Raydium and Solana – has also pulled its funds from the exchange. PRISM withdrew PRISM/USDC liquidity from Raydium, urging users to do the same.

On 19 January 2023, approximately 1,774.5 ETH (~$2.7M) was deposited into the sanctioned mixing protocol Tornado Cash from the Raydium exploiter 0xb98ac..

Private Key Compromises

Private key leaks have been responsible for some of the most devastating attacks in 2022. In total, upwards of $1 billion has been taken via private key compromises. This figure accounts for around 30% of funds stolen in major incidents this year. This is an increase from 2021, which saw approximately $892 million lost to private key compromises. Many of the compromises in 2022 are the result of a vulnerability in vanity addresses generated by the Profanity tool. The Ronin Bridge incident was the largest private key exploit in 2022 and was responsible for the majority of lost funds. Attackers compromised Sky Mavis' systems (the owners of Axie Infinity) and, with this access, were able to generate valid signatures for five of the nine Ronin Network validators. Although the Ronin exploit falls under the category of a private key attack, it was not included in the graph below, as it is a far more complex hack than a simple private key leak: it was a multiple attack vector situation in which the validator keys were the target. Overall, most private keys have been leaked through phishing attacks.

Image: Top 7 private key compromises in 2022.

Solana Exploits

Solana has suffered 11 significant attacks over 2022, resulting in a total loss of approximately $523 million. By far the largest incident was the exploit targeting the Wormhole Bridge, resulting in the loss of $326 million. Of the 11 incidents, 10 lost over $1 million. In 2022, $13.5 million has been lost to private key exploits on the Solana blockchain alone. In the case of the Raydium incident, one wallet was able to withdraw liquidity from multiple pools, which presents a centralization risk if that wallet is mishandled or compromised. Raydium is the second largest private key leak incident that took place on the Solana chain in 2022.

SOL lost another 6.1% following the Raydium exploit reports. Back in August, hackers targeted the Solana ecosystem, draining approximately 8,000 digital wallets and causing a loss of approximately $8 million. On November 6, 2021, SOL was ranked fourth among the largest crypto market caps, whereas today SOL holds the 18th position. To date, the most active exchanges dealing with SOL trades include Coinbase, Binance, and Digifinex. It is good practice not to keep your entire crypto funds in a hot wallet. The largest part of your portfolio should be placed in a cold wallet, which is disconnected from the internet and third-party services.

For more details on the Solana Blockchain please read our article titled What is Solana?

Exploit Transactions and Relevant Addresses

Below is an example of one of the transactions from the exploit: tx 5gjJdnF calling withdraw_pnl(). Image: Transaction 5gjJdnF executing withdraw_pnl().

Relevant Addresses

Attacker Account 1: AgJddDJ

Attacker Account 2: 5ndLnEY

Attacker Account 3: 0x70479

Potential Key Leaked Account (pnl owner): HggGrUeg4ReGvpPMLJMFKV69NTXL1r4wQ9Pk9Ljutwyv

Victim (Raydium AMM authority): 5Q544fKrFoe6tsEbD7S8EmxGTJYAKtTVhAW5Q5pge4j1

The attack transaction carried out by the exploiter can be found here.

Attack Flow

Around 2 PM UTC on 16 December, the Raydium LP exploiter's account posted around 1000 transactions to the Solana network.

Each transaction removed liquidity from Raydium without depositing a corresponding LP token, effectively seizing possession of liquidity providers’ funds. A variety of tokens were taken in the exploit, including US Dollar Coin (USDC), Wrapped SOL (wSOL), Raydium, and others.

The attacker key calls the withdraw_pnl() instruction to withdraw tokens from the Raydium authority. The signer is HggGrUeg4ReGvpPMLJMFKV69NTXL1r4wQ9Pk9Ljutwyv, a privileged account. Projects and networks that are not fully decentralized require accounts that have access to critical network controls. Privileged access management risk refers to the risk of compromise surrounding these accounts, and to the catastrophic losses that can occur when access to them is compromised.
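The pattern described above (a legitimate privileged key suddenly signing a large burst of withdraw_pnl() calls) is something a protocol team can monitor for. The following detector is an added example, not Raydium's or CertiK's code; the log record format, the thresholds and the sample transactions are constructed for illustration, while the instruction name and the pnl owner address are taken from this report.

```python
"""Burst detector for privileged AMM instructions (added example).

Flags (a) a privileged instruction signed by a key outside the allowlist and
(b) a burst of privileged instructions inside one sliding window, the shape of
the incident above. Log format and thresholds are constructed assumptions.
"""
from collections import deque
from datetime import datetime, timedelta

# Instructions only an admin key should ever sign (name from the report).
PRIVILEGED_IX = {"withdraw_pnl"}
# Signers permitted to call them; the pnl owner address is from the report.
ALLOWED_SIGNERS = {"HggGrUeg4ReGvpPMLJMFKV69NTXL1r4wQ9Pk9Ljutwyv"}


def parse_tx(line):
    """Parse a constructed 'ts sig=.. signer=.. ix=.. pool=..' record."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def detect(lines, burst_n=10, window=timedelta(minutes=5)):
    """Return (alert_kind, signature) tuples; the burst alert fires once,
    the moment the burst_n-th privileged call lands inside the window."""
    alerts, recent = [], deque()
    for tx in (parse_tx(line) for line in lines):
        if tx["ix"] not in PRIVILEGED_IX:
            continue  # ordinary user activity (swaps, LP deposits) is ignored
        if tx["signer"] not in ALLOWED_SIGNERS:
            alerts.append(("unexpected_signer", tx["sig"]))
        recent.append(tx["ts"])
        while tx["ts"] - recent[0] > window:  # drop calls older than the window
            recent.popleft()
        if len(recent) == burst_n:
            alerts.append(("privileged_burst", tx["sig"]))
    return alerts


# Constructed sample: one routine admin withdrawal weeks earlier, a user swap,
# then twelve withdraw_pnl calls from the compromised key within a minute.
OWNER = "HggGrUeg4ReGvpPMLJMFKV69NTXL1r4wQ9Pk9Ljutwyv"
SAMPLE = (
    [f"2022-11-20T09:00:00Z sig=benign1 signer={OWNER} ix=withdraw_pnl pool=RAY-USDC",
     "2022-12-16T13:59:00Z sig=swap1 signer=userA ix=swap pool=SOL-USDC"]
    + [f"2022-12-16T14:00:{i:02d}Z sig=burst{i} signer={OWNER} ix=withdraw_pnl pool=pool{i}"
       for i in range(12)]
)

if __name__ == "__main__":
    for kind, sig in detect(SAMPLE):
        print(kind, sig)  # privileged_burst burst9
```

The routine withdrawal weeks earlier does not trigger anything; the burst alert fires on the tenth call within the five-minute window, well before the ~1000 transactions of the real incident would have completed.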

Profit and Assets Tracing

In total, approximately $5.5 million worth of assets were stolen in this incident.

Conclusion

This year has been destructive for DeFi platforms. As we near the end of 2022, DeFi platforms have been exploited for over $2.5 billion. The @RaydiumProtocol hack was due to a private key compromise rather than a smart contract vulnerability. In Raydium Protocol’s initial post mortem, they describe the origin of the compromise as a trojan horse, a type of malware that disguises itself as legitimate code or software. Private key leaks can occur due to the mismanagement of the keys themselves. In 2022, private key compromises garnered more attention than ever after it was proven that wallet addresses generated by the Profanity tool were vulnerable to brute force attacks. An example of this vulnerability is the Wintermute exploit, which led to an approximately $160 million loss. There are three ways to prevent attacks on private keys: never importing keys from one wallet to another, using a hardware wallet, and using a software wallet that offers advanced security features. By taking these steps, individuals and institutions can mitigate attempts by malicious actors to compromise private keys. Web3 projects need to stay vigilant to all aspects of their project’s supply chain, development, and setup environment.