- The attacker drained 150K RAY, 5603 SOL, and 893K USDC from five pools dormant since 2021.
- An LP mint validation flaw let the attacker create a fake mint and bypass proportion checks entirely.
- Raydium treasury will fully compensate affected users with no impact on current mainnet programs.
A hacker drained approximately $1.34 million from Raydium’s Legacy AMM V3 program, targeting five liquidity pools that were deprecated years ago but never fully disabled on-chain. The exploit was discovered and disclosed by Raydium’s core team, who confirmed that the stolen assets will be fully reimbursed from the protocol’s treasury.
No current Raydium users were affected. The exploited pools have been inaccessible through the Raydium UI since their deprecation, and the current mainnet programs, SDK, and DApp remain entirely unaffected.
What Was Stolen
The attacker drained five inactive pools:
- Sollet USDT / RAY
- Sollet ETH / RAY
- SRM / RAY
- USDC / RAY
- RAY / SOL
Total assets removed:
- 150,177 RAY
- 5,603 SOL
- 893,700 USDC
Combined market value at time of exploit: approximately $1.34 million.
How the Exploit Worked
The Legacy AMM V3 program was originally built to place orders on the Serum order book using deposited funds. It did not provide swap functionality. After Serum was deprecated, the associated liquidity simply sat idle on-chain.
The vulnerability was a logic flaw in LP mint validation. The program relied on LP token supply for proportion checks but failed to properly verify the LP mint address. An attacker created a fake mint, used it as the LP token, and bypassed the proportion checks entirely, allowing them to withdraw real assets from the pools without legitimate ownership.
Raydium confirmed the flaw was self-contained and not caused by a key compromise or authority-level issue. There is no propagation risk to other programs. All current Raydium mainnet programs use a virtual supply mechanism and correctly verify the LP mint address, preventing this class of attack entirely.
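The missing check described above can be modeled in a few lines. This is an added example, not Raydium's code: the `Pool`, `Mint`, and `Pubkey` types, the function names, and all values are hypothetical and constructed, and the model only contrasts a withdrawal that trusts the supplied mint's supply with one that first verifies the mint address.

```rust
// Simplified model of the LP mint check (hypothetical types, not Raydium's code).
#[derive(Clone, Copy, PartialEq, Debug)]
struct Pubkey(u8);

struct Mint { key: Pubkey, supply: u64 }        // mint account supplied by the caller
struct Pool { lp_mint: Pubkey, reserve: u64 }   // pool state records its real LP mint

#[derive(Debug, PartialEq)]
enum WithdrawError { WrongLpMint, InvalidAmount }

// Proportional share of the reserve: reserve * burned / supply.
fn share(reserve: u64, burned: u64, supply: u64) -> Result<u64, WithdrawError> {
    if supply == 0 || burned > supply {
        return Err(WithdrawError::InvalidAmount);
    }
    Ok((reserve as u128 * burned as u128 / supply as u128) as u64)
}

// Flawed form: the proportion check uses the supply of whatever mint is passed in.
fn withdraw_unchecked(pool: &mut Pool, mint: &Mint, burned: u64) -> Result<u64, WithdrawError> {
    let out = share(pool.reserve, burned, mint.supply)?;
    pool.reserve -= out;
    Ok(out)
}

// Corrected form: reject any mint whose address is not the pool's recorded LP mint.
fn withdraw_checked(pool: &mut Pool, mint: &Mint, burned: u64) -> Result<u64, WithdrawError> {
    if mint.key != pool.lp_mint {
        return Err(WithdrawError::WrongLpMint);
    }
    withdraw_unchecked(pool, mint, burned)
}

fn main() {
    // Constructed sample values.
    let real = Mint { key: Pubkey(1), supply: 1_000_000 };
    let substituted = Mint { key: Pubkey(2), supply: 10 };
    let mut pool = Pool { lp_mint: Pubkey(1), reserve: 500_000 };

    println!("legitimate 1% burn: {:?}", withdraw_checked(&mut pool, &real, 10_000));
    println!("substituted mint, checked: {:?}", withdraw_checked(&mut pool, &substituted, 10));
    println!("substituted mint, unchecked: {:?}", withdraw_unchecked(&mut pool, &substituted, 10));
    println!("reserve left: {}", pool.reserve);
}
```

For auditors, the takeaway is that any account whose data feeds an accounting calculation must be compared against the address stored in program state before its fields are read.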
The Pattern
The exploit arrived days after Humanity Protocol lost $31 million to a private key compromise after a developer’s machine was infected with malware. Two significant DeFi exploits in a single week reinforce what security researchers have been warning about for months: dormant contracts and compromised developer infrastructure represent the most exploitable attack surfaces in the current cycle.
Community members noted that the exploiter’s wallet was funded via a KuCoin hot wallet address, a detail that Raydium’s team confirmed they are tracking as part of the ongoing investigation.