Skip to content
Est. MMXXVIVol. VI · № 286RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 286Smart Contract Bug

Raydium Legacy AMM V3 Fake-LP Exploit

An attacker drained roughly $1.34M from five dormant Raydium AMM V3 pools on Solana by minting a fake LP token that bypassed the deprecated program's withdrawal checks.

Date
Victim
Raydium
Chain(s)
Solana
Status
Funds Stolen

On June 10, 2026, Raydium — one of Solana's largest decentralized exchanges — lost approximately $1.34 million after an attacker drained five dormant AMM V3 liquidity pools that had sat inactive since 2021. The flaw lived entirely in deprecated code: active pools, the CLMM, and Raydium's newer AMM versions were untouched, and no current user could have reached the affected pools through the UI.

What happened

The exploited pools belonged to Raydium's legacy AMM V3 program, which the protocol phased out after the collapse of the Serum on-chain order book. The five pools hit were Sollet USDT–RAY, Sollet ETH–RAY, SRM–RAY, USDC–RAY, and RAY–SOL.

The root cause was insufficient validation of the LP mint address in the retired program. Because the legacy code never confirmed that the LP token presented was the pool's genuine mint, the attacker created a fake LP mint, passed it off as the real one, and bypassed the proportion checks that govern how much a withdrawer can remove. With those checks short-circuited, the attacker pulled out roughly 150,177 RAY, 5,603 SOL, and 893,700 USDC. Raydium's current mainnet programs use a virtual-supply mechanism and verify LP mints alongside other account data, which prevents this class of attack.

Aftermath

  • Raydium said it would cover all losses from its treasury, so affected liquidity (long since stranded in deprecated pools) would be made whole rather than absorbed by users.
  • On-chain investigators PeckShield and Specter traced the attacker: the wallet was initially funded through KuCoin, then bridged the proceeds from Solana to Ethereum.
  • From Ethereum, the attacker deposited 810 ETH into Tornado Cash and sent 7 ETH to FixedFloat, a laundering pattern consistent with an actor seeking to break the on-chain trail. The stolen funds themselves were not recovered.

Why it matters

The Raydium exploit is a clean example of a recurring catalogue theme: deprecated contracts remain live attack surface long after they are abandoned. The same dynamic drove the 1inch resolver bug, where a legacy Fusion v1 contract was the entry point, and the Aevo incident. Code that is no longer surfaced in a front end is not the same as code that is no longer exploitable — as long as the program is deployed and holds value, an attacker who reads the source can still call it directly.

It is also Raydium's second catalogued incident, after the December 2022 admin-key trojan drained $4.4M from its pools. The two share little technically — one was a stolen private key, this one a validation flaw — but together they underscore how much legacy surface accumulates around a long-lived DEX. The laundering path through Tornado Cash is by now the default playbook for exploiters of sub-$10M sums, the same route taken after Cetus, and it is why treasury reimbursement, not on-chain recovery, was the only realistic remedy here.

Sources & on-chain evidence

  1. [01]ccn.comhttps://www.ccn.com/news/crypto/raydium-exploit-legacy-pools-solana/
  2. [02]crypto.newshttps://crypto.news/raydium-promises-full-refund-after-1-3m-solana-pool-exploit/
  3. [03]cryptonews.comhttps://cryptonews.com/news/raydium-exploit-fake-lp-tokens-deprecated-solana-pools/
  4. [04]cryptotimes.iohttps://www.cryptotimes.io/2026/06/10/old-code-new-damage-raydium-hit-by-1-34m-legacy-pool-hack/
  5. [05]99bitcoins.comhttps://99bitcoins.com/news/altcoins/raydium-dex-hack-134m-dormant-pools/

Related filings