Breaking: Raydium Faces a $1.34 Million Exploit Tied to Legacy Pools
On June 10, 2026, Raydium, the Solana-based decentralized exchange, disclosed that five deprecated liquidity pools tied to its legacy AMM V3 contracts were drained in a calculated attack. The total losses amount to about $1.34 million, with the attacker siphoning roughly $893,700 in USDC, $5,603 in SOL, and 150,177 in RAY tokens. The wallet address linked to the attacker ends in Bq33QVk, a detail that has become a touchstone for investigators tracking cross-chain activity.
The incident has put Raydium at the center of a broader discussion about risk in dormant DeFi code. The firm confirmed that no current users were affected and that the treasury will fully compensate affected users and liquidity providers. In a brief update, Raydium said, "We are actively investigating the incident and will ensure all affected parties are made whole from treasury reserves."
What Happened: Five Pools Targeted, Five Pools Drained
Raydium identified five legacy pools as the attack surface: Sollet USDT–RAY, Sollet ETH–RAY, SRM–RAY, USDC–RAY, and RAY–SOL. The attacker leveraged a vulnerability in the old AMM V3 code that failed to validate the legitimacy of the LP tokens minted for each pool. In short, the assailant minted a counterfeit LP token and then invoked the legacy withdraw function, which treated the fake token as if it represented a full stake in the pool.
- Total missing across all pools: approximately $1.34 million
- Breakdown: about $893,700 in USDC, $5,603 in SOL, and 150,177 RAY
- Five pools affected: Sollet USDT–RAY, Sollet ETH–RAY, SRM–RAY, USDC–RAY, and RAY–SOL
- Attacker address ends with Bq33QVk
The vulnerability lay in a retrofitted security check that should have compared the burned LP tokens against the pool’s legitimate mint. The old contract did not enforce this verification, enabling an attacker to pull the entire pool’s reserves while the forged token was treated as a 100% stake.
How The Exploit Played Out Across Bridges and Chains
After withdrawing funds from the five Solana pools, the attacker moved the assets off Solana via a cross-chain bridge to Ethereum. Once on Ethereum, the funds appeared to have entered privacy-preserving facilities, complicating recovery efforts. The typical pattern of bridging and then shielding via a mixing service has been used in prior cross-chain heists, and this instance followed that playbook closely.

Security researchers say the move to Tornado Cash represented a deliberate attempt to obscure the trail. While Tornado Cash has faced regulatory scrutiny in several jurisdictions, it still figures commonly in crypto theft recovery and asset-tracing efforts. The cross-chain nature of the breach means investigators from multiple chains are collaborating to trace the funds’ path and identify any possible on-ramps for recovery.
Impact, Response, and Treasury Backstop
Raydium was quick to reassure users that there are no ongoing user losses stemming from this event. The protocol emphasized that the losses will be covered by the project’s treasury, underscoring a commitment to maintaining user protection even as it revisits its security posture. In a statement, the company said, "There are no current user losses; the treasury will compensate all affected parties fully."
Industry observers have noted that this incident highlights a broader risk in projects that reuse or repurpose legacy code. The attacked pools were part of an AMM design that predated many of the modern LP validation standards used by current DeFi platforms. The fact that the vulnerability remained on-chain for five years before being exploited is prompting renewed calls for rigorous risk assessments of historical contract code and proactive deprecation where feasible.
Root Cause: Missing LP Token Validation in Legacy AMM V3
The core issue centers on how liquidity provider (LP) shares are represented. In standard automated market makers, LP tokens track a provider’s proportional stake. The attack exploited a failure in the V3 contract’s LP token validation routine, allowing a forged mint to be treated as legitimate. With the contract not cross-checking the mint against the pool’s official LP supply, the attacker effectively posed as a single-entity owner of the pool and drained its reserves.
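The missing check described above, shown as an added example: a simplified in-memory model written for this page, not Raydium's contract code. The `Pool`, `Mint`, `withdraw_unchecked` and `withdraw_checked` names and all sample values are hypothetical; the point is the single comparison of the burned token's mint against the pool's own LP mint.

```rust
// Added illustration: an in-memory model, not Raydium's contract code.
// Every type and function name below is hypothetical.
#[derive(Debug, PartialEq)]
enum WithdrawError { WrongLpMint, BadAmount }

struct Mint { key: [u8; 32], supply: u64 }
struct Pool { lp_mint: [u8; 32], reserve_a: u64, reserve_b: u64 }

// Pro-rata share of one reserve; the u128 intermediate avoids overflow.
fn pro_rata(reserve: u64, amount: u64, supply: u64) -> u64 {
    (reserve as u128 * amount as u128 / supply as u128) as u64
}

// Burn `amount` of `mint` and pay out the matching share of both reserves.
fn payout(pool: &mut Pool, mint: &mut Mint, amount: u64) -> Result<(u64, u64), WithdrawError> {
    if amount == 0 || amount > mint.supply {
        return Err(WithdrawError::BadAmount);
    }
    let a = pro_rata(pool.reserve_a, amount, mint.supply);
    let b = pro_rata(pool.reserve_b, amount, mint.supply);
    mint.supply -= amount;
    pool.reserve_a -= a;
    pool.reserve_b -= b;
    Ok((a, b))
}

// Flawed form: the share is computed against whatever mint the caller supplies.
fn withdraw_unchecked(pool: &mut Pool, mint: &mut Mint, amount: u64) -> Result<(u64, u64), WithdrawError> {
    payout(pool, mint, amount)
}

// Hardened form: the burned token must come from the pool's own LP mint.
fn withdraw_checked(pool: &mut Pool, mint: &mut Mint, amount: u64) -> Result<(u64, u64), WithdrawError> {
    if mint.key != pool.lp_mint {
        return Err(WithdrawError::WrongLpMint);
    }
    payout(pool, mint, amount)
}

fn main() {
    // Constructed sample values.
    let mut pool = Pool { lp_mint: [1; 32], reserve_a: 1_000_000, reserve_b: 500_000 };
    let mut foreign = Mint { key: [9; 32], supply: 1 };
    println!("checked, foreign mint: {:?}", withdraw_checked(&mut pool, &mut foreign, 1));
    let mut real = Mint { key: [1; 32], supply: 1_000 };
    println!("checked, pool mint:    {:?}", withdraw_checked(&mut pool, &mut real, 100));
    println!("unchecked, foreign:    {:?}", withdraw_unchecked(&mut pool, &mut foreign, 1));
}
```

In the unchecked path a mint with a supply of 1 makes a single token count as the whole pool, which is why the check has to run before any share is computed.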
The security lapse was not detected in ordinary audits at the time of the legacy deployment, and it remained dormant on-chain for years until the attacker found a live path to drain the pools. The incident has renewed interest in how DeFi projects handle legacy contracts and whether automated retirement or automated migration tools are sufficient to retire dormant code from production ecosystems.
Raydium’s Next Steps: Patching and Governance
Raydium has outlined immediate steps to prevent a recurrence and to harden its security framework against similar legacy-code risks. The plan includes: decommissioning the five deprecated AMM V3 pools, conducting a thorough audit of any remaining legacy contracts, and deploying enhanced LP validation checks in all active pools. Leadership emphasized that the organization will pursue a full technical review of the AMM architecture and consider a phased migration to newer, formally verified contracts.
In addition, Raydium is engaging with Solana’s security ecosystem, including the on-chain monitoring community and trusted third-party auditors, to ensure any residual vulnerabilities are flagged and remediated promptly. The company has signaled it will improve its treasury risk framework to manage future losses, emphasizing a proactive stance toward user protection and system integrity.
Market Context: What This Means for Solana and DeFi
The episode enters a crowded field of DeFi security incidents that continue to unfold across multiple blockchains. Solana’s ecosystem has grown rapidly, and with it, the potential attack surface for old code blends with new activity. Traders and liquidity providers are watching closely not only for the immediate losses but for how the community handles governance and compensation in cases where the treasury bears the cost of exploits.
Analysts note that the incident points to a broader question: how aggressively should projects retire legacy contracts? Some argue for aggressive deprecation coupled with automatic migration tools, while others caution that forced migrations can disrupt liquidity and user experience. The Raydium case—especially with the cross-chain laundering angle—offers a clear example of why a layered security approach matters for cross-chain assets and for community-backed funds that stand behind users.
Industry Takeaways and Lessons Learned
- Legacy contracts can pose systemic risk long after they’re deployed, especially when they connect to productive pools with real-world liquidity.
- LP token validation is not optional; it is a core guardrail that protects users against impersonation and unauthorized withdrawals.
- Cross-chain asset movement complicates recovery but remains a reality for many DeFi protocols; robust monitoring and rapid incident response are essential.
- Backstops like treasury coverage can stabilize user confidence, but they also raise governance questions about funding and risk appetite.
- Transparency around attacker footprints, including wallets and cross-chain routes, helps the community and investigators move faster toward potential recovery or attribution.
Data Snapshot: Quick Reference
- Total loss: $1.34 million
- USDC withdrawn: approximately $893,700
- SOL moved: about $5,603
- RAY tokens drained: 150,177
- Pools involved: Sollet USDT–RAY, Sollet ETH–RAY, SRM–RAY, USDC–RAY, RAY–SOL
- Attacker wallet suffix: Bq33QVk
- Post-attack path: cross-chain bridge to Ethereum, then Tornado Cash
Closing: The Road Ahead for Raydium and the DeFi Community
The Raydium incident serves as a stark reminder that even established protocols can harbor dormant vulnerabilities. As the ecosystem grows, so does the imperative to retire legacy code cleanly, enforce strict LP validation, and maintain transparent, well-funded pathways to compensate users when exploits strike. Solana’s DeFi community, along with independent auditors and developers, will closely watch Raydium’s remediation efforts and how the treasury-backed response shapes confidence in future deployments. In the near term, traders will weigh the resilience of Raydium’s updated security posture against the headlines from this incident, while the broader market calibrates risk across cross-chain DeFi markets.