Raydium Exploit Drains $1.3M From Forgotten Solana Liquidity Pools

By Samuel

A Raydium exploit drained $1.3M from deprecated Solana pools. Here’s how the attacker bypassed security and what Raydium is doing next.

Raydium, one of Solana’s leading decentralized exchanges, confirmed an exploit targeting its legacy AMM V3 program. The attack drained approximately $1.34 million in crypto assets from five dormant liquidity pools.

None of the affected pools were accessible to current users through Raydium’s interface or SDK. The team traced the vulnerability to insufficient validation of LP token mints within the deprecated program. Raydium confirmed full reimbursement from its treasury.


How the Raydium Attacker Pulled It Off

The exploit targeted pools that Raydium phased out back in 2021.

According to Raydium’s infrastructure account on X, the legacy AMM V3 program never offered swap functionality. After Serum’s deprecation, liquidity in those pools simply sat idle with no active oversight.

The attacker identified a critical flaw in how the program verified LP tokens.

Instead of confirming the legitimate LP mint address, the program relied on LP token supply for proportion checks. That gap let the attacker deploy a fake mint, bypass the checks entirely, and drain assets directly.

The five pools hit were Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL. Combined losses totaled roughly 150,177 RAY, 5,603 SOL, and 893,700 USDC.

On-Chain Trail Points to KuCoin and Tornado Cash

Blockchain security firm PeckShield flagged the attacker’s movements after the exploit.

According to PeckShieldAlert, the attacker funded the operation through KuCoin. After draining the pools on Solana, they bridged the stolen funds over to Ethereum.

From there, the attacker deposited 810 ETH into Tornado Cash and moved 7 ETH to FixedFloat. The exploiter’s wallet address, 4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk, is now publicly flagged across the community.

The cross-chain movement points to a deliberate effort to obscure the stolen funds. That trail is consistent with patterns seen in previous DeFi exploits targeting legacy infrastructure.

What Raydium Says About Active Users and Next Steps

Raydium was direct in addressing user concerns. Its infrastructure team confirmed that no current users faced exposure.

The DAPP and SDK do not support interactions with legacy AMM V3 pools on mainnet, meaning that everyday users could not have interacted with the affected contracts.

Raydium also clarified the nature of the flaw. The vulnerability came from a self-contained logic error, not a key compromise or authority-level issue. That rules out propagation risk to other parts of the protocol.

All other Raydium mainnet programs use a virtual supply mechanism. Those programs also correctly verify LP mints and all relevant account data, blocking this class of attack entirely. Core contributors are now conducting a full security review across all mainnet programs.
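The validation gap described above (a program trusting the supply of whatever mint account it is handed, instead of first checking that the mint is the pool's own LP mint) and the mint check the other programs perform, shown side by side as a constructed Rust model added here. It is not Raydium's code: Pubkey, Pool, MintAccount and the two withdraw functions are simplified stand-ins for the on-chain accounts and instructions.

```rust
// Constructed model of the LP-mint validation gap, added for illustration.
// Not Raydium's code; the types below are simplified stand-ins.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

pub struct Pool {
    pub lp_mint: Pubkey, // the LP mint this pool actually issued
    pub reserve_a: u64,
    pub reserve_b: u64,
}

pub struct MintAccount {
    pub key: Pubkey,
    pub supply: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum WithdrawError { WrongMint, ZeroSupply, BurnExceedsSupply, Overflow }

/// Pro-rata share: redeeming `lp_burned` of `lp_supply` LP tokens pays out
/// that fraction of `reserve`. u128 keeps the product from overflowing.
fn pro_rata(reserve: u64, lp_burned: u64, lp_supply: u64) -> Result<u64, WithdrawError> {
    if lp_supply == 0 { return Err(WithdrawError::ZeroSupply); }
    if lp_burned > lp_supply { return Err(WithdrawError::BurnExceedsSupply); }
    let out = reserve as u128 * lp_burned as u128 / lp_supply as u128;
    u64::try_from(out).map_err(|_| WithdrawError::Overflow)
}

/// Vulnerable pattern: the proportion is computed from the supply of whatever
/// mint account the caller passed in, with no check that it is the pool's LP
/// mint. Whoever controls a mint with supply 1 and burns that one token is
/// credited with 100% of both reserves.
pub fn withdraw_unchecked(pool: &Pool, mint: &MintAccount, lp_burned: u64)
    -> Result<(u64, u64), WithdrawError> {
    let a = pro_rata(pool.reserve_a, lp_burned, mint.supply)?;
    let b = pro_rata(pool.reserve_b, lp_burned, mint.supply)?;
    Ok((a, b))
}

/// Hardened pattern: the mint account must match the LP mint recorded in pool
/// state before its supply is trusted for anything; the math is then the same.
pub fn withdraw_checked(pool: &Pool, mint: &MintAccount, lp_burned: u64)
    -> Result<(u64, u64), WithdrawError> {
    if mint.key != pool.lp_mint { return Err(WithdrawError::WrongMint); }
    withdraw_unchecked(pool, mint, lp_burned)
}
```

The identity check is the whole fix: supply is a number anyone can set on a mint they created, while the pool's stored LP mint pubkey is not caller-controlled.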
