On December 16, 2022, the leading Solana AMM Raydium lost approximately $4.4 million when an attacker obtained the pool-admin private key through trojan malware on the admin's machine. The attacker then used legitimate admin functions to withdraw protocol fees and manipulate pool parameters in their favour.
What happened
Raydium's liquidity pools had an admin authority capable of privileged operations: withdrawing accumulated trading fees, adjusting pool parameters, and other maintenance functions. This authority was controlled by a single key.
The compromise was not a smart-contract bug — Raydium's program logic worked as designed. The attacker:
- Compromised the pool-admin's machine with trojan malware that extracted the admin private key.
- Used the admin key to call legitimate privileged functions:
  - Withdrew accumulated trading fees from pools directly to attacker addresses.
  - Manipulated pool parameters (withdrawPNL and related admin operations) to extract additional value.
- Drained approximately $4.4M across multiple Raydium pools.
Because every transaction was signed by the legitimate admin key and called legitimate functions, the activity looked superficially like normal protocol maintenance — until the cumulative outflow was noticed.
Aftermath
- Raydium paused affected pools and rotated authorities to a multi-sig + hardware-wallet configuration.
- The team proposed a compensation plan using protocol treasury and RAY buybacks to make affected LPs whole over time.
- The stolen funds were bridged off Solana and laundered.
Why it matters
Raydium's incident is a textbook admin-key compromise via endpoint malware — the same root cause as EasyFi (2021), bZx November 2021, and many others. The lesson is consistent and unglamorous: a single admin key held on an internet-connected machine is the real security boundary, no matter how well-designed the on-chain program is.
The structural lessons:
- Privileged keys belong in hardware wallets behind multi-sig. Raydium operated a leading AMM with a single admin key on a machine that could be compromised by commodity malware. The post-incident migration to multi-sig + hardware signing is the configuration that should have been in place before.
- Legitimate-function abuse is harder to detect than exploits. Because the attacker called real admin functions with real signatures, the activity didn't trip "this is an exploit" heuristics — it looked like maintenance. Anomaly detection on privileged-function call patterns (volume, frequency, destination addresses) is the defensive layer that catches this; Raydium did not have it tuned to fire.
- Solana's admin-authority model concentrates risk. Many Solana programs use a single upgrade/admin authority by default. The Raydium incident, alongside the much larger Drift Protocol compromise in 2026, illustrates that Solana DeFi's operational-security posture has been a recurring weak point independent of the chain's program-level safety.
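The "legitimate-function abuse" point above is easiest to see as detection logic. The following is an added example, not Raydium's code: it runs the three signals named above (destination, frequency, cumulative volume) over constructed admin-call events. The slot numbers, addresses, amounts and policy thresholds are all assumed for illustration; only the instruction name withdrawPNL comes from the page.

```python
# Added example (not Raydium's code): anomaly checks over constructed admin-call
# events, modelling the "volume, frequency, destination" signals described above.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AdminCall:
    slot: int            # constructed Solana slot number, used as the time axis
    instruction: str     # "withdrawPNL" is named on the page; any other name is assumed
    destination: str     # constructed account address receiving funds
    amount_usd: float    # constructed value of the withdrawal

# Hypothetical policy values; a real deployment would derive these from history.
TREASURY_ALLOWLIST = {"TreasuryVault111"}
MAX_CALLS_PER_WINDOW = 2        # normal maintenance cadence per window
WINDOW_SLOTS = 1000
MAX_CUMULATIVE_USD = 250_000.0  # outflow that should require a human to look

def detect_admin_anomalies(calls):
    """Return (reason, call) pairs for admin calls that break the policy."""
    alerts = []
    per_window = defaultdict(int)
    cumulative = 0.0
    for call in sorted(calls, key=lambda c: c.slot):
        # Destination check: fee withdrawals should only land in known treasury accounts.
        if call.destination not in TREASURY_ALLOWLIST:
            alerts.append(("unknown_destination", call))
        # Frequency check: count privileged calls per slot window.
        window = call.slot // WINDOW_SLOTS
        per_window[window] += 1
        if per_window[window] > MAX_CALLS_PER_WINDOW:
            alerts.append(("call_frequency", call))
        # Volume check: cumulative outflow across all pools, not per transaction,
        # because each individual withdrawal can look like a routine fee sweep.
        cumulative += call.amount_usd
        if cumulative > MAX_CUMULATIVE_USD:
            alerts.append(("cumulative_outflow", call))
    return alerts

# Constructed sample: two routine fee sweeps, then a burst of withdrawals to a new address.
SAMPLE_CALLS = [
    AdminCall(1_000, "withdrawPNL", "TreasuryVault111", 12_000.0),
    AdminCall(3_500, "withdrawPNL", "TreasuryVault111", 9_500.0),
    AdminCall(7_010, "withdrawPNL", "AttackerAddr999", 90_000.0),
    AdminCall(7_020, "withdrawPNL", "AttackerAddr999", 80_000.0),
    AdminCall(7_030, "withdrawPNL", "AttackerAddr999", 70_000.0),
    AdminCall(7_040, "withdrawPNL", "AttackerAddr999", 60_000.0),
]
```

Calling detect_admin_anomalies(SAMPLE_CALLS) flags the first off-allowlist withdrawal immediately, before the frequency or volume thresholds trip; the routine sweeps produce no alerts.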
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-raydium-hack-december-2022
- [02] defiteller.com: https://defiteller.com/raydium-shares-more-details-on-its-recent-exploit
- [03] bitdegree.org: https://www.bitdegree.org/crypto/news/decentralized-exchange-raydium-shares-additional-information-about-recent-hack