Raydium Drained for $1.34M Through a Five-Year-Old Code Flaw
An attacker minted a fake LP token and drained five deprecated Raydium pools for $1.34 million; the team says no active users were affected.
Someone emptied five of Raydium's abandoned liquidity pools for $1.34 million on June 10, exploiting a flaw in the Solana DEX's legacy AMM V3 program that had sat callable on-chain for five years. The haul broke down to roughly $900,000 in USDC, $357,000 in SOL, and $86,000 in RAY. The attacker's wallet ends in 'Bq33QVk.'
The bug was almost embarrassingly simple. Raydium's deprecated AMM V3 program never checked whether the LP tokens being burned actually belonged to the pool. So the attacker created a fake SPL token mint, minted a single unit of it, and called the old withdraw function. The contract read that one counterfeit token as a 100% stake and released the full reserves. The attacker then ran the same move across all five pools, pulling about 150,177 RAY, 5,603 SOL, and 893,700 USDC in total.
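A simplified Rust model of the missing check described above, added here as an illustration and not Raydium's code. The types, function names and reserve figures are constructed, and computing the share against the supply of whichever mint is passed in is an assumption about how a single token could read as a 100% stake.

```rust
// Simplified model, not Raydium's code. Assumption: payout share is
// amount_burned / supply of whichever mint the caller passes in.
#[derive(Debug, PartialEq)]
pub enum WithdrawError { WrongLpMint, ZeroSupply, AmountExceedsSupply }

pub struct Mint { pub address: [u8; 32], pub supply: u64 }

pub struct Pool {
    pub lp_mint: [u8; 32], // LP mint recorded at pool creation
    pub reserve_a: u64,
    pub reserve_b: u64,
}

// Pro-rata share; u128 intermediate so reserve * amount cannot overflow.
fn pro_rata(reserve: u64, amount: u64, supply: u64) -> u64 {
    (reserve as u128 * amount as u128 / supply as u128) as u64
}

/// Legacy behaviour as described: `burned` is never compared to `pool.lp_mint`.
pub fn withdraw_unchecked(pool: &Pool, burned: &Mint, amount: u64)
    -> Result<(u64, u64), WithdrawError> {
    if burned.supply == 0 { return Err(WithdrawError::ZeroSupply); }
    if amount > burned.supply { return Err(WithdrawError::AmountExceedsSupply); }
    Ok((pro_rata(pool.reserve_a, amount, burned.supply),
        pro_rata(pool.reserve_b, amount, burned.supply)))
}

/// Hardened: bind the burned mint to the pool before any share math.
pub fn withdraw_checked(pool: &Pool, burned: &Mint, amount: u64)
    -> Result<(u64, u64), WithdrawError> {
    if burned.address != pool.lp_mint { return Err(WithdrawError::WrongLpMint); }
    withdraw_unchecked(pool, burned, amount)
}

// Constructed sample data: one pool, its own LP mint, and an unrelated mint.
pub fn sample() -> (Pool, Mint, Mint) {
    let pool = Pool { lp_mint: [1; 32], reserve_a: 900_000, reserve_b: 5_000 };
    let real = Mint { address: [1; 32], supply: 1_000_000 };
    let foreign = Mint { address: [9; 32], supply: 1 };
    (pool, real, foreign)
}

fn main() {
    let (pool, real, foreign) = sample();
    println!("unchecked, foreign mint: {:?}", withdraw_unchecked(&pool, &foreign, 1));
    println!("checked, foreign mint:   {:?}", withdraw_checked(&pool, &foreign, 1));
    println!("checked, real LP mint:   {:?}", withdraw_checked(&pool, &real, 10_000));
}
```

The same binding applies to every account a withdraw path consumes: compare it to the value stored in pool state before trusting any balance or supply read from it.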
Pseudonymous contributor 0xInfra called it "a self-contained logic flaw" and ruled out any key compromise or authority-level issue, which means current Raydium programs are not exposed. The drained pools had been invisible in the front-end since their retirement, so no active account could have interacted with them. That sets this apart from December 2022, when a private key theft cost Raydium around $4.4 million. This time the codebase itself was the breach.
The money is effectively gone. The attacker bridged everything from Solana to Ethereum, routed it through KuCoin and FixedFloat, and deposited it into Tornado Cash. No funds have been frozen or flagged by any exchange. Once inside the mixer, transaction-level tracing breaks down, and the attacker never bothered trying to cash out through Solana-native venues.
Raydium says it will repay all the stolen funds from its protocol treasury, though it has not given a timeline. It is formally retiring the legacy AMM V3 program IDs so the contracts can no longer be called, and a wider review of mainnet and legacy code paths is underway. RAY was up about 2% in the 24 hours after the incident at $0.578, still down 7% on the week and 96.6% below its $16.83 record.