Solana’s second-largest decentralized exchange, Raydium, has disclosed how an attacker gained access to its liquidity pools.
In a post-mortem report published on Dec. 18, the Raydium team said that a malicious actor exploited the protocol’s Liquidity Pool V4 at around 10 pm UTC on Friday. The attacker drained $4.4 million from eight of Raydium’s constant-product liquidity pools.
Exploit update: Full Medium post below w/ further details, solutions implemented, and next steps.
Raydium greatly appreciates the support & help received from teams, the community, and security experts across Solana up until now. More to come. https://t.co/DvwQ6gZ1nN
— Raydium (@RaydiumProtocol) December 17, 2022
Unlike most DeFi exploits, which typically involve smart contract vulnerabilities, the Raydium attack was carried out through the Pool Owner admin account, to which the attacker gained access. The Raydium team said, however, that there is no evidence the Pool Owner account’s private key was ever shared outside the virtual machine on which it was deployed.
“An internal security review is ongoing in order to determine the nature and root cause of the account compromise,” said the Raydium team.
The protocol’s developers have yet to determine how the private key was compromised and are currently considering a trojan on the deployment machine as one possible means by which the attacker obtained it.
Developers deployed a hot patch shortly after the exploit, blocking the attacker from draining further pools. The team is now pulling snapshots of liquidity provider balances from before the hack to determine a suitable way to make affected users whole. The team also said it has been in touch with a number of Solana teams, third-party auditors and centralized exchanges to track the attacker’s wallets.
Over the weekend, on-chain analysts pointed out that the attacker had already begun bridging the stolen funds to Ethereum and sending them to the coin mixer Tornado Cash.
And deposited to Tornado Cash
— MetaDockTeam (@MetaDockTeam) December 16, 2022
Some users were not entirely satisfied with Raydium’s response to the situation, calling for a more thorough investigation of the internal functions of the protocol.
“I see 2 steps listed for action, while the very first one should be ‘Full internal audit of all systems from 3rd party security vendor’ For all they know, their internal systems could still be compromised [sic],” said one user on Twitter.