Raydium announces details of hack, proposes compensation for victims

cointelegraph.com:

The team behind the Raydium decentralized exchange (DEX) has announced details as to how the hack of Dec. 16 occurred and offered a proposal to compensate victims.

According to an official forum post from the team, the hacker was able to make off with over $2 million in crypto loot by exploiting a vulnerability in the DEX’s smart contracts that allowed entire liquidity pools to be withdrawn by admins, despite existing protections being to prevent such behavior. 

The team will use its own unlocked tokens to compensate victims who lost Raydium tokens, also known as RAY. However, the developer does not have the stablecoin and other non-RAY tokens to compensate victims, so it is asking for a vote from RAY holders to use the decentralized autonomous organization (DAO) treasury to buy the missing tokens to repay those affected by the exploit.

1/ Update on remediation of funds for recent exploit First, thanks for everyone's patience up to nowAn initial proposal on a way forward has been posted for discussion. Raydium encourages and appreciates all feedback on the proposal.https://t.co/NwV43gEuI9

According to a separate post-mortem report, the attacker’s first step in the exploit was to gain control of an admin pool private key. The team does not know how this key was obtained, but it suspects that the virtual machine that held the key became infected with a trojan program.

Once the attacker had the key, they called a function to withdraw transaction fees that would normally go to the DAO’s treasury to be used for buybacks of RAY. On Raydium, transaction fees do not automatically go to the treasury at the moment of a swap. Instead, they remain in the liquidity provider’s pool until withdrawn by an admin. However, the smart contract