A determined attacker gained control of the Raydium Liquidity Pool V4 authority account, that is, the Pool Owner or admin account. The pool owner account had originally been deployed on a virtual machine hosted on a specific internal server.
An internal security audit is currently under way to establish how the account was compromised. A full disclosure has not yet been made; when it is, it will give a clearer picture of what happened.
Whatever remains unknown, what is clear is that the attacker was able to drain eight constant product liquidity pools on Raydium, stealing around $4.4 million. No other pool or funds on Raydium were affected.
The attacker used two methods to exploit Raydium. First, the withdrawPNL instruction, which is meant to withdraw accrued fees from a pool vault, was used to pull funds out of the vault. Second, the SetParams instruction was used to raise the expected fees, and the inflated fee amount was then withdrawn from the pool vault.
To stop the attacker, Raydium deployed a hot patch that revoked the compromised account's authority and assigned it to a new account, which prevented any further misuse of the pools. Following this initial step, the program was upgraded via the Squads multisig to remove admin parameters that could affect funds.
The parameters removed include AmmParams::MinSize, AmmParams::SetLpSupply, AmmParams::SyncNeedTake and AmmParams::SyncLp.
All remaining admin parameters have been moved under the Squads multisig, which is already used for program upgrades. Raydium is also assessing the effect of the exploit on user LP balances in the affected pools, tracking the attacker's wallets, and exploring ways to return funds. To that end it is working with several Solana teams, third-party auditors and centralized exchanges, and is offering a 10% bounty in exchange for the return of the funds.
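To make the remediation sequence concrete, here is an added Python model written for this page; it is not Raydium's program or any code from the write-up. It reduces a pool to the state the admin instructions touch and models three things the report describes: admin-gated SetParams and withdrawPNL, a hot patch (gated by the upgrade multisig, not the compromised admin key) that rotates the pool authority and drops risky parameters, and M-of-N approval for what remains. The names `Pool`, `Multisig`, `hot_patch`, the `"ExpectedFees"` parameter and all balances are constructed for the example.

```python
# Added illustration, not Raydium's program. Names (Pool, Multisig, hot_patch,
# "ExpectedFees") and the balances below are constructed for the example.
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """The signer set does not satisfy the required authority."""


class ParamRemoved(Exception):
    """The parameter was removed from the program and can no longer be set."""


@dataclass(frozen=True)
class Multisig:
    """M-of-N authority, standing in for a Squads multisig."""
    members: frozenset
    threshold: int

    def approves(self, signers):
        return len(self.members & frozenset(signers)) >= self.threshold


def _satisfied(authority, signers):
    """A single key must be among the signers; a multisig needs its quorum."""
    if isinstance(authority, Multisig):
        return authority.approves(signers)
    return authority in signers


@dataclass
class Pool:
    """Constant product pool state reduced to what the admin instructions touch."""
    vault: int                   # tokens held in the pool vault (constructed units)
    expected_fees: int           # fees the protocol may take out of the vault
    authority: object            # pool admin: a single key (str) or a Multisig
    upgrade_authority: Multisig  # who may deploy a program patch
    params: dict = field(default_factory=dict)
    removed_params: set = field(default_factory=set)

    def _require(self, authority, signers):
        if not _satisfied(authority, signers):
            raise Unauthorized(f"signers {sorted(signers)} do not satisfy {authority!r}")

    def set_params(self, signers, name, value):
        """SetParams stand-in: admin-only parameter update."""
        self._require(self.authority, signers)
        if name in self.removed_params:
            raise ParamRemoved(name)
        if name == "ExpectedFees":
            self.expected_fees = value   # the lever the write-up says was raised
        else:
            self.params[name] = value

    def withdraw_pnl(self, signers, amount):
        """withdrawPNL stand-in: admin-only fee withdrawal, capped by expected_fees."""
        self._require(self.authority, signers)
        take = min(amount, self.expected_fees, self.vault)
        self.expected_fees -= take
        self.vault -= take
        return take

    def hot_patch(self, signers, new_authority, remove=()):
        """Program upgrade: rotate the pool authority and drop risky parameters.
        Gated by the upgrade multisig, never by the (possibly compromised) admin key."""
        self._require(self.upgrade_authority, signers)
        self.authority = new_authority
        self.removed_params.update(remove)


UPGRADE_MS = Multisig(frozenset({"u1", "u2", "u3"}), threshold=2)


def new_pool():
    return Pool(vault=1_000, expected_fees=10, authority="admin-key",
                upgrade_authority=UPGRADE_MS)


def exposure_with_single_key():
    """Everything in the vault is reachable by whoever holds the single admin key."""
    pool = new_pool()
    holder = {"admin-key"}
    pool.set_params(holder, "ExpectedFees", pool.vault)
    return pool.withdraw_pnl(holder, pool.vault)


def exposure_after_hot_patch():
    """After rotating authority the old key is rejected and the vault is untouched."""
    pool = new_pool()
    pool.hot_patch({"u1", "u2"}, new_authority=UPGRADE_MS)
    try:
        pool.set_params({"admin-key"}, "ExpectedFees", pool.vault)
    except Unauthorized:
        pass
    return pool.vault


def hardened_admin_surface():
    """Admin ops need a quorum, removed params are gone, withdrawals stay bounded."""
    pool = new_pool()
    pool.hot_patch({"u1", "u2"}, new_authority=UPGRADE_MS,
                   remove={"MinSize", "SetLpSupply", "SyncNeedTake", "SyncLp"})
    rejected = []
    for signers, name in (({"u1"}, "FeeNumerator"), ({"u1", "u2"}, "SyncNeedTake")):
        try:
            pool.set_params(signers, name, 1)
        except (Unauthorized, ParamRemoved) as exc:
            rejected.append(type(exc).__name__)
    taken = pool.withdraw_pnl({"u1", "u2"}, 999)   # capped at the 10 actually accrued
    return rejected, taken


if __name__ == "__main__":
    print(exposure_with_single_key(), exposure_after_hot_patch(), hardened_admin_surface())
```

The three scenario functions make the point of the write-up in numbers: with a single admin key, the whole vault is the exposure; once the upgrade multisig rotates the authority, the leaked key no longer satisfies any check; and with the four parameters removed and a quorum required, a lone member cannot act, the removed parameters cannot be set even with a quorum, and withdrawPNL can only take what has genuinely accrued.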
Source: https://www.cryptonewsz.com/explicit-post-mortem-report-of-raydium-liquidity-pool-v4s-exploit/