Raydium: Compromised pool owner private key → withdraw_pnl() fee drain + SyncNeedTake parameter manipulation
Summary
Raydium, a DEX / AMM, suffered an exploit on 2022-12-16, resulting in a loss of approximately $4M.
What happened
Raydium's AMM lost $4.4M in protocol fees when an attacker used a compromised owner private key to call a privileged drain function across nine Solana liquidity pools.
Linked factors
- RD-F-004 — related : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (no public audit) — root cause is key management failure, not code bug]
- RD-F-007 — illustrative : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-027 — related : ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay] || ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — withdraw_pnl called by owner key; SyncNeedTake parameter modified. Both are admin-level operations]
- RD-F-032 — illustrative : Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- RD-F-077 — related : Auto-linked by C.4 triage 2026-05-07
- RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — withdraw_pnl called by owner key; SyncNeedTake parameter modified. Both are admin-level operations]