Raydium Exploit Drains $1.34M From Legacy AMM Pools

10th June 2026 – A Raydium exploit drained about $1.34 million from five deprecated AMM V3 pools on Solana. The attacker abused a fake LP token to empty idle reserves.

The on-chain alert service Specter flagged the drain first. Soon after, blockchain security firm PeckShield and Raydium itself confirmed the loss. According to Raydium, no active users lost funds. The team also pledged a full treasury reimbursement.

How the Raydium Exploit Worked

The attacker targeted Raydium’s legacy AMM V3 program. This code dates to 2021. Raydium removed it from the official UI, SDK, and DApp years ago. Even so, it stayed live on-chain.

The bug sat in the withdraw instruction. The program never checked that the supplied LP mint matched a real Raydium position mint. So an attacker could supply any token. The attacker then minted a fake LP token with a supply of just one.

Next they called withdraw and burned that single fake token. As a result, the program returned 100% of each pool’s idle reserves. In its official statement, Raydium explained the flaw directly.

“The vulnerability stemmed from insufficient validation of the LP mint,” the team wrote. It added that an attacker could create a new mint and use it as the LP token. That move bypassed the intended proportion checks.

Which Pools the Attacker Drained

The Raydium exploit hit exactly five legacy pools. These were Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL.

In total, the attacker took roughly 150,177 RAY, about 5,603 SOL, and around 893,700 USDC. Together, those assets were worth about $1.34 million. PeckShield initially rounded the figure to $1.3 million. The two numbers stay consistent within normal market swings.

All five pools once served Serum’s order book. They went idle after Serum shut down. So the drained liquidity sat dormant. It never backed any live trading pair.

Tracing the Stolen Funds

The money trail starts at a centralized exchange. The attacker funded their Solana wallet from KuCoin at around 11:28 UTC. The drains then ran across roughly 20 transactions. They finished by about 12:09 UTC.

Next, the attacker swapped the loot into USDC. They then bridged it from Solana to Ethereum through deBridge. The funds landed in a single Ethereum wallet.

After that, the laundering moved fast. According to PeckShield, the attacker deposited 810 ETH into Tornado Cash. They also sent 7 ETH to FixedFloat. The first Tornado deposit hit at 13:26 UTC, and the sequence wrapped up by roughly 13:41 UTC.

Tornado Cash is an Ethereum mixer. It breaks the on-chain link between deposits and withdrawals. FixedFloat is a non-custodial swap service that often appears in laundering chains. Both tools make the stolen funds harder to follow.

Raydium Responds and Pledges Reimbursement

Raydium moved quickly to contain the story. The core team posted an official statement at 15:54 UTC. It disclosed the exploiter address and published a spreadsheet of affected deposits.

Crucially, Raydium says the bug touched only deprecated code. Modern Raydium programs use virtual supply plus full account validation. So they never trust an unverified LP mint. As a result, the team says active pools and current users stayed safe.

Raydium also pledged to reimburse the drained legacy positions from its treasury. So affected depositors should be made whole. The on-chain loss itself, however, is final.

The team published a public spreadsheet listing every affected deposit. Users with legacy V3 positions can check that sheet to confirm their balances. Early secondary coverage from BeInCrypto and CryptoNewsLive matched Raydium’s figures and its no-user-impact framing.

Why Legacy Code Was the Weak Point

This incident is not Raydium’s first. In December 2022, an attacker drained roughly $4.4 million to $5.5 million from active pools. Trojan malware had compromised a private key. That was a key-security failure, not a contract bug.

By contrast, the June 2026 Raydium exploit was a pure logic flaw in retired code. The program left the interface but never left the chain. On an immutable network, “deprecated” does not mean “gone.”

The legacy program last received an upgrade at slot 170.6 million, according to Solscan. The exploit landed much later, at slot 425.5 million. That gap shows how long the dormant code sat untouched before someone found the gap.

Market Impact and What Comes Next

The market reaction stayed calm. RAY rose more than 2% in the hours after the news. Raydium’s total value locked also held above $1.4 billion on DefiLlama. Because the drained pools were idle, they never counted toward active TVL.

X sentiment leaned positive. Many users praised Raydium for fast disclosure and the quick reimbursement pledge. Still, some retail voices voiced broader frustration about repeated Solana hacks. The mood on Reddit and Telegram echoed that mix of relief and caution.

Open questions remain. The attacker’s identity is unknown, and no wallet labels exist yet. The exact deBridge transaction has not surfaced publicly either. Traders should treat unconfirmed details with caution, and none of this is financial advice. For now, the case stands as a sharp reminder. Old code on a live chain still carries real risk.