Solana-based decentralized finance protocol Raydium has suffered an exploit, according to a statement from the developer. An initial investigation by the team revealed that the attacker took over the exchange’s owner account. The team said that “authority” over the automated market maker and farm programs has been paused “for now.”
Twitter user and researcher ZachXBT reported that the attacker has bridged $2 million to Ethereum “so far.”
Around 2 p.m. UTC on Dec. 16, a Raydium admin account posted nearly 1,000 transactions to the Solana network.
Each transaction removed liquidity from Raydium without depositing a corresponding LP token, effectively seizing possession of liquidity providers’ funds. A variety of tokens were taken in the exploit, including US Dollar Coin (USDC), Wrapped SOL (wSOL), Raydium, and others.
The exploit appears to have first been discovered by the Prism dev team. They posted a warning at 2:01 that an attacker was draining liquidity from Raydium without depositing and burning LP tokens. Prism warned its users to withdraw their Prism and USDC tokens from the exchange immediately.
40 minutes later, the Raydium team took to Twitter to confirm that the exchange had been hacked.
According to crypto auditing firm Ottersec, the attacker has drained funds by invoking the withdraw_pnl function on the contract, which is used by the developer to withdraw fees. The firm did not say whether this function can be used to withdraw all liquidity or only a small percentage from the pools.
Nansen Portfolio, a crypto analytics firm, has confirmed that the attacker drained over $2.2 million from the exchange.
At the time of writing, the Raydium team is still investigating the exploit and has not yet announced whether compensation will be offered to victims of the attack.
Admin account hacks have been a recurring problem in the crypto space recently. On Dec. 2, Ankr protocol’s deployer key was stolen, and the attacker used it to remove $5 million worth of BNB. Earlier in the year, the Ronin network bridge was hacked by similar means. In this case, the attacker ran off with over $600 million of crypto loot.