Compensation Proposal from Raydium
Members of the decentralized exchange Raydium (DEX) have released details about what happened on December 16 and offered to make amends for those affected. The attacker exploited a vulnerability that allowed the entire pool of funds to be withdrawn as fees owed to the DAO.
According to a forum post (1), the attacker was able to make off with more than $2 million in cryptocurrency by exploiting a flaw in the DEX smart contracts that let an admin withdraw an entire pool, despite existing safeguards designed to prevent exactly that.
The team will use its locked RAY tokens to compensate victims who lost Raydium's native token, RAY. The team does not, however, hold stablecoins or other non-RAY tokens to cover those losses, so it is asking RAY holders to vote on using DAO treasury assets to buy the missing tokens and pay out the damages.
According to a separate post-mortem (2), the attacker obtained the private key that controls the pools as part of the exploit. The team does not know how the key was obtained, but suspects that a Trojan was installed on the virtual machine that held it.
With that key, the attacker called the function that withdraws accrued trading fees, which are normally sent to the DAO treasury to fund RAY buybacks.
Raydium’s Compensation Process
Trading fees in Raydium are not transferred to the treasury immediately after a trade. Instead, they remain in the liquidity pool until an admin collects them, and the smart contract tracks, via on-chain parameters, how much is owed to the DAO.
Because of this, an admin should not be able to withdraw more than 0.03% of the total trading volume that has passed through each pool since the last collection. With the admin key compromised, however, the attacker could manually rewrite those parameters so that the entire pool appeared to be accrued trading fees, and then withdraw all of it. After withdrawing the funds, the attacker swapped them for other tokens and moved them to wallets under the attacker's control. In response, the team upgraded the smart contract to remove the admin controls and parameters the attacker used. In a December 21 forum post, the developers published a plan to compensate affected users.
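As an added illustration (not Raydium's code; all names and numbers other than the 0.03% rate are hypothetical), the following Rust sketch models the fee-accounting flaw described above: a bookkeeping field that an admin key can overwrite, beside a withdrawal path that caps the payout by the volume actually traded since the last collection.

```rust
// Hypothetical simplified pool; it mirrors the flaw described in the post-mortem
// but is not Raydium's program. FEE_BPS encodes the 0.03% fee cited in the post.
const FEE_BPS: u64 = 3; // 3 basis points = 0.03%

#[derive(Debug, Clone)]
pub struct Pool {
    pub reserve: u64,              // tokens held in the pool
    pub volume_since_collect: u64, // trade volume since fees were last collected
    pub fee_owed: u64,             // bookkeeping field: fees due to the DAO treasury
}

impl Pool {
    pub fn new(reserve: u64) -> Self {
        Pool { reserve, volume_since_collect: 0, fee_owed: 0 }
    }

    /// Each trade accrues FEE_BPS of its size as protocol fee owed to the DAO.
    pub fn trade(&mut self, amount: u64) {
        self.volume_since_collect += amount;
        self.fee_owed += amount * FEE_BPS / 10_000;
    }

    /// Vulnerable admin path: a key holder can overwrite the bookkeeping field,
    /// so a stolen key can declare the whole reserve to be "fees".
    pub fn admin_set_fee_owed(&mut self, value: u64) {
        self.fee_owed = value;
    }

    /// Fee withdrawal that trusts the bookkeeping field as-is (drainable).
    pub fn withdraw_fees_vulnerable(&mut self) -> u64 {
        let out = self.fee_owed.min(self.reserve);
        self.reserve -= out;
        self.fee_owed = 0;
        self.volume_since_collect = 0;
        out
    }

    /// Hardened withdrawal: regardless of what the field says, pay out no more
    /// than FEE_BPS of the volume actually traded since the last collection.
    pub fn withdraw_fees_hardened(&mut self) -> u64 {
        let cap = self.volume_since_collect * FEE_BPS / 10_000;
        let out = self.fee_owed.min(cap).min(self.reserve);
        self.reserve -= out;
        self.fee_owed = 0;
        self.volume_since_collect = 0;
        out
    }
}
```

With 100,000 units traded against a 1,000,000-unit reserve, the vulnerable path pays out the full reserve once the field is overwritten, while the hardened path still pays out only the 30 units of genuinely accrued fees.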
The team will use its locked RAY tokens to compensate those who lost RAY in the attack. It has asked for forum discussion on how to implement a compensation scheme that uses the DAO treasury to cover lost non-RAY tokens, and is requesting that the matter be put to a vote after three days of discussion.
Raydium and $2,000,000
The hack was first discovered on December 16. Initial reports said the attacker removed liquidity from the pools through the withdrawal function without holding any LP tokens. However, since that function should only allow an admin to withdraw accrued trading fees, it was only after further investigation that it became clear how the entire pool had been drained.