Raydium Exploit Drains $1.34 Million from Deprecated Solana Liquidity Pools

Raydium lost more than US$1.34 million (AU$1.92 million) on June 10 after a hacker exploited five long-deprecated liquidity pools on the Solana-based decentralised exchange, minting unauthorised liquidity-provider tokens to drain funds that the protocol has pledged to repay in full.

The stolen assets comprised roughly US$900,000 (AU$1.29 million) in USDC, about US$357,000 (AU$511,000) in SOL, and around US$86,000 (AU$123,000) in RAY. 

All five pools belonged to Raydium’s legacy AMM V3 program, tied to the Serum protocol that was sunset in 2021, and had been unreachable through the platform’s interface ever since.

Read more: Judge Freezes Controversial Bid to Claim US$234 Billion in Dormant Bitcoin Wallets

How the Legacy Pools Failed

The attacker bypassed validation logic in the deprecated program and created a fraudulent liquidity-provider token mint, using it to clear the security checks that should have blocked the withdrawal. 

Raydium characterised the root cause as a self-contained logic flaw in the LP-mint validation process, not a private-key compromise or an authority-level breach, and said its current mainnet programs are not vulnerable to the same flaw.

“No current users of Raydium are affected by this exploit or would have been able to interact with these pools through the UI since their deprecation,” contributor 0xInfra stated, adding that the protocol would repay the losses from its treasury.

On-chain data showed the attacker, operating from a Solana address ending in “Bq33QVk”, bridged the proceeds to Ethereum and routed roughly 810 ETH through the Tornado Cash mixer, with a smaller tranche sent to a swap service. 

Raydium moved quickly to reassure users that the breach did not touch active liquidity. 

Read more: Saylor Sparks Fresh Bitcoin Buy Speculation as Strategy Hints at More BTC Accumulation