Raydium pledges to cover user losses after hacker drains $1.34M from deprecated pools - AltcoinDaily.co

A hacker has exploited a vulnerability in Raydium’s legacy AMM V3 program, draining approximately $1.34 million from five liquidity pools that had been deprecated since 2021. 

The Raydium team confirmed it was aware of the unauthorized liquidity removal and committed to covering losses.

The attack targeted code that the Solana-based decentralized exchange phased out five years ago. 

According to Infra, a Raydium team member, no current users were affected because the pools had been inaccessible through the platform’s interface for years. Infra also stated that “full compensation will be handled by Raydium’s treasury.”

How was the attacker able to exploit the deprecated pools?

According to Infra, “the vulnerability was caused by a self-contained logic flaw, not a key compromise or authority-level issue, so there is no propagation risk.”

Security researcher Param stated on X that the attacker found a flaw in Raydium’s 2021-era code. The attacker identified five abandoned liquidity pools still holding funds and generated fraudulent ownership receipts. 

Those fake LP tokens tricked the legacy smart contract into treating the attacker as a legitimate liquidity provider, allowing a full withdrawal of pool assets.

Blockchain security firm F12 corroborated the submissions, tracing the attack on-chain. The exploit relied on a fabricated LP token with a supply of just one unit. When the attacker submitted a withdrawal using that token, the old program released the entire pool balance.
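The reported behavior can be illustrated with a simplified model of a pro-rata withdrawal. This is an added example, not Raydium's code and not from the researchers quoted above. All type and function names are hypothetical, the values are constructed, and the cause shown (taking the LP supply from a caller-supplied mint without comparing it to the mint recorded in pool state) is an assumption consistent with the description, not a confirmed root cause.

```rust
// Simplified model of a pro-rata AMM withdrawal. Hypothetical names throughout;
// not Raydium's code. The missing mint check is an assumed cause, not confirmed.

#[derive(Clone, Copy, PartialEq, Debug)]
pub struct MintId(pub u32);

pub struct Mint { pub id: MintId, pub supply: u64 }

pub struct Pool { pub lp_mint: MintId, pub reserve_a: u64, pub reserve_b: u64 }

#[derive(Debug, PartialEq)]
pub enum WithdrawError { WrongLpMint, ZeroSupply, AmountExceedsSupply }

/// Pro-rata payout: reserve * lp_amount / lp_supply, widened to u128 to avoid overflow.
fn payout(pool: &Pool, lp_amount: u64, supply: u64) -> Result<(u64, u64), WithdrawError> {
    if supply == 0 { return Err(WithdrawError::ZeroSupply); }
    if lp_amount > supply { return Err(WithdrawError::AmountExceedsSupply); }
    let share = |r: u64| (r as u128 * lp_amount as u128 / supply as u128) as u64;
    Ok((share(pool.reserve_a), share(pool.reserve_b)))
}

/// Weak form: uses the supply of whatever mint account the caller passes in.
pub fn withdraw_unchecked(pool: &Pool, mint: &Mint, lp_amount: u64) -> Result<(u64, u64), WithdrawError> {
    payout(pool, lp_amount, mint.supply)
}

/// Hardened form: the supplied mint must be the one recorded in pool state.
pub fn withdraw_checked(pool: &Pool, mint: &Mint, lp_amount: u64) -> Result<(u64, u64), WithdrawError> {
    if mint.id != pool.lp_mint { return Err(WithdrawError::WrongLpMint); }
    payout(pool, lp_amount, mint.supply)
}

fn main() {
    // Constructed sample values.
    let pool = Pool { lp_mint: MintId(1), reserve_a: 500_000, reserve_b: 840_000 };
    let real = Mint { id: MintId(1), supply: 1_000_000 };
    let foreign = Mint { id: MintId(99), supply: 1 }; // mint unrelated to the pool
    println!("unchecked, foreign mint: {:?}", withdraw_unchecked(&pool, &foreign, 1));
    println!("checked, foreign mint:   {:?}", withdraw_checked(&pool, &foreign, 1));
    println!("checked, pool's mint:    {:?}", withdraw_checked(&pool, &real, 10_000));
}
```

With a supply of one, a single unit counts as 100% of the pool in the unchecked path, while the checked path rejects the mint before any share is computed.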

Where did the attacker move the stolen funds to?

PeckShieldAlert reported that the attacker’s wallet was initially funded through KuCoin. After draining the pools on Solana, they bridged the stolen funds to Ethereum via deBridge, yielding roughly 810 ETH. 

The attacker then deposited the bulk of that haul into Tornado Cash, the mixing protocol frequently used to obscure transaction origins. They then moved 7 ETH through FixedFloat, according to PeckShieldAlert’s analysis.

According to the Raydium team, the exploiter’s address is 4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk.

Legacy code, current risk

Raydium’s current programs are still active, per Infra. The protocol holds $796.56 million in total value locked on Solana and has processed over $1.1 billion in DEX volume in the past seven days, according to DefiLlama data.

The AMM V3 program that was exploited is separate from the pools currently in use.

However, this is not the first time Raydium has suffered a security breach. In December 2022, the protocol lost $4.4 million after a private key compromise.

The latest breach adds to what has become a near-daily run of crypto exploits in 2026.

Cryptopolitan has previously reported that CertiK logged 60 confirmed security incidents in May alone, totaling $68.3 million in gross losses, the highest monthly incident count of the year. Code vulnerabilities accounted for over $45 million of those losses.

A few days before the Raydium exploit, attacks on Gnosis Pay and TesseraDAO cost projects at least $2.5 million, and the Flooring Protocol vulnerability spread to its fork, Asterisk, through shared code.

As of the end of May, cumulative losses from crypto exploits in 2026 approached $1.3 billion. Bridge-related attacks alone account for $340.7 million of that figure, PeckShield has reported.

The Raydium team stated that its core contributors are conducting a security review on all their mainnet programs.

While the leadership says it will compensate affected liquidity providers, Raydium has not disclosed exactly how and when they will be reimbursed.