
Raydium loses $1.34M as forged LP mint drains 5 legacy AMM V3 pools

An attacker minted a counterfeit LP token, called withdraw on Raydium's deprecated AMM V3 program, and drained 150,177 RAY, 5,603 SOL and 893,700 USDC from 5 Serum-era pools.

by 6 min read

An attacker drained $1.34M in RAY, SOL and USDC from five deprecated Serum-era pools on Raydium's legacy AMM V3 program on June 10. Raydium's official statement, posted on X, says no current users were affected — the pools have been invisible in the UI and SDK since the 2021 phase-out — and pledges full reimbursement from the protocol's treasury. The mechanism was not a key compromise: the attacker minted a counterfeit SPL token, presented it to the program as an "LP token," and the legacy contract — which never validates the LP mint address against the pool — released the entire pool reserves on withdraw. Security firm GoPlus published the technical post-mortem.

What happened

Five AMM V3 pools — Sollet USDT–RAY, Sollet ETH–RAY, SRM–RAY, USDC–RAY and RAY–SOL — were drained in sequence on June 10. They had been retired from the Raydium frontend, SDK and dApp since 2021 when Serum collapsed, but the on-chain program ID remained callable.

GoPlus' post-incident analysis summarizes the primitive: the legacy withdraw instruction validated the supply of the LP token presented at call time, but not whether the mint address matched the pool's authorized LP mint. The attacker:

  1. Deployed a custom SPL token mint, unrelated to any real Raydium pool.
  2. Minted a single unit of that counterfeit token.
  3. Called the legacy withdraw instruction against each pool, passing the fake mint and the 1 unit.
  4. The program computed user share = held / total supply = 1 / 1 = 100% and released the full pool reserves to the attacker.

The sequence was repeated across all five pools.
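The four steps above reduce to one missing comparison in the withdraw handler. The following is an added example, not Raydium's code and not taken from the GoPlus post-mortem: a minimal model of a pro-rata AMM withdraw in Rust, with the vulnerable path (supply and balance are validated, the mint is not) beside the hardened path (the presented token account's mint must equal the mint recorded in pool state). `Pool`, `LpAccount`, `Pubkey`, the constant addresses and the reserve figures (constructed to approximate the RAY–SOL pool's 150,177 RAY and 5,603 SOL in 6- and 9-decimal base units) are all assumptions for illustration.

```rust
// Added example (not Raydium's code): a model of an AMM withdraw path,
// showing why an unvalidated LP mint lets a forged token with supply 1
// claim 100% of a pool's reserves. All names and numbers are constructed.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Pubkey(pub u64); // stand-in for a 32-byte Solana address (assumption)

#[derive(Debug, Clone, Copy)]
pub struct Pool {
    pub lp_mint: Pubkey, // the LP mint this pool created and trusts
    pub reserve_a: u64,  // vault A balance, e.g. RAY in 6-decimal base units
    pub reserve_b: u64,  // vault B balance, e.g. SOL in lamports
}

/// What the caller presents: an SPL token account plus its mint's supply.
/// On Solana both are readable on-chain, but the account can belong to ANY mint.
#[derive(Debug, Clone, Copy)]
pub struct LpAccount {
    pub mint: Pubkey,
    pub amount: u64, // tokens the caller holds
    pub supply: u64, // total supply of `mint`
}

#[derive(Debug, PartialEq, Eq)]
pub enum WithdrawError {
    ZeroSupply,
    InsufficientBalance,
    WrongLpMint,
}

/// Pro-rata payout: reserve * amount / supply, widened to u128 to avoid overflow.
fn pro_rata(reserve: u64, amount: u64, supply: u64) -> u64 {
    ((reserve as u128 * amount as u128) / supply as u128) as u64
}

/// Vulnerable pattern: validates supply and balance of whatever token account
/// was passed in, but never checks that `lp.mint` is the pool's own LP mint.
pub fn withdraw_vulnerable(pool: &mut Pool, lp: &LpAccount) -> Result<(u64, u64), WithdrawError> {
    if lp.supply == 0 {
        return Err(WithdrawError::ZeroSupply);
    }
    if lp.amount > lp.supply {
        return Err(WithdrawError::InsufficientBalance);
    }
    let out_a = pro_rata(pool.reserve_a, lp.amount, lp.supply);
    let out_b = pro_rata(pool.reserve_b, lp.amount, lp.supply);
    pool.reserve_a -= out_a;
    pool.reserve_b -= out_b;
    Ok((out_a, out_b))
}

/// Hardened pattern: bind the presented account to the pool's LP mint
/// before any share arithmetic runs.
pub fn withdraw_checked(pool: &mut Pool, lp: &LpAccount) -> Result<(u64, u64), WithdrawError> {
    if lp.mint != pool.lp_mint {
        return Err(WithdrawError::WrongLpMint);
    }
    withdraw_vulnerable(pool, lp)
}

/// Constructed pool state (assumption): roughly the RAY–SOL reserves reported.
pub fn sample_pool() -> Pool {
    Pool { lp_mint: Pubkey(0x5EED), reserve_a: 150_177_000_000, reserve_b: 5_603_000_000_000 }
}

/// The attack shape from the write-up against the vulnerable path:
/// a fresh mint with supply 1, of which the attacker holds 1 -> share 1/1.
pub fn forged_mint_attack(pool: Pool) -> Result<(u64, u64), WithdrawError> {
    let mut pool = pool;
    let forged = LpAccount { mint: Pubkey(0xBAD), amount: 1, supply: 1 };
    withdraw_vulnerable(&mut pool, &forged)
}

fn main() {
    println!("vulnerable path, forged mint 1/1: {:?}", forged_mint_attack(sample_pool()));
    let mut pool = sample_pool();
    let forged = LpAccount { mint: Pubkey(0xBAD), amount: 1, supply: 1 };
    println!("checked path, forged mint: {:?}", withdraw_checked(&mut pool, &forged));
}
```

The point of the model is where the check sits: the supply and balance validations are real and pass, because the attacker's numbers are internally consistent for the mint they control; only the binding between the presented account and the pool's stored `lp_mint` stops the 1/1 share. In an Anchor program that binding is the `token::mint = pool.lp_mint` account constraint; in raw `solana-program` code it is an explicit comparison of the unpacked token account's `mint` field against pool state before any arithmetic.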

Raydium's response on X: "No current users have been affected. The exploit only touched pools deprecated when Serum shut down in 2021. The team will fully reimburse losses from the treasury." Legacy AMM V3 program calls are being formally retired, and the team has announced a full mainnet and legacy-code security review.

On-chain trail

  • Attacker wallet (reported by GoPlus, Cyvers and trackers): 4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk on Solana.
  • The wallet was funded out of KuCoin before the operation.
  • After the drain, proceeds were bridged from Solana to Ethereum via deBridge, then split:
    • ≈ 810 ETH deposited into Tornado Cash.
    • ≈ 7 ETH routed through FixedFloat instant-swap.

We could not independently verify each hop transaction — the Solana and Ethereum hashes circulating in security-firm threads are best confirmed directly via Solscan and Etherscan against the attacker wallet above.

Numbers

- Total drained                  : ~$1.34M
   RAY                           : ~150,177 RAY (~$86K)
   SOL                           : ~5,603 SOL (~$357K)
   USDC                          : ~893,700 USDC
- Pools affected                 : 5 (deprecated AMM V3, retired 2021)
- Mechanism                      : forged LP mint, supply 1, withdraw → 100% share
- Active Raydium users affected  : 0 (per Raydium statement)
- Reimbursement                  : full, from Raydium protocol treasury
- Audit / review triggered       : mainnet + legacy code paths

USD figures are at the time of the exploit per GoPlus' breakdown; the per-token split is taken from the attacker wallet's observed outflows.

Skeptical attribution

No named actor has been linked to the wallet. The funding-from-KuCoin → drain → Tornado Cash + FixedFloat pattern is consistent with an operator deliberately denying clustering, not a signature of a specific identified group (no Lazarus tooling overlap, no published TRM/Chainalysis label at time of writing). Until a sourced labeler attaches a name, this is best read as an unattributed wallet familiar with Solana legacy code and the bridge-to-mixer exit pattern.

Impact

  • Raydium LPs in current pools: untouched. CLMM and AMM V4 positions, which carry the vast majority of Raydium's TVL, were not in scope.
  • Liquidity provided to the five drained pools in 2021: the funds are gone from the pool but Raydium has committed to repaying losses from the treasury. Anyone with stranded LP positions in the deprecated pools should track the team's reimbursement announcement on X.
  • Raydium's RAY token: ~150K RAY moved from a protocol-controlled venue to an attacker wallet, then onto bridges. Whether this hits circulating sell pressure depends on how fast it's bridged and unwrapped; ~$86K is the at-event valuation.
  • Other DEXs running un-retired legacy programs on Solana: the failure mode here — keeping a deprecated on-chain program live with no input-mint validation — is generalizable. Any project that left a 2021-era AMM program callable should re-audit, fast.

What to watch

  1. Treasury reimbursement mechanics. Raydium has pledged full repayment but has not yet detailed the unit (RAY vs USDC vs ETH), the eligibility window, or the on-chain disbursement plan. Watch for the formal proposal.
  2. Formal retirement of AMM V3 program IDs. The fix is either to disable the legacy program itself (via its upgrade authority, so the vault accounts it controls can no longer be driven by a withdraw call) or to move the remaining reserves into vaults under a different authority. Either path requires a governance / multisig action; the on-chain tx will be the receipt.
  3. The attacker wallet outflows. ~810 ETH in Tornado Cash will eventually exit. Watch downstream withdrawals tagged against the deposit and any CEX freezes referencing the attacker address.
  4. GoPlus, Cyvers and SlowMist post-mortems. Expect a deeper write-up once Raydium publishes its own report, including whether the legacy program is finally being closed via Solana program upgrade authority.

Context — dormant code, live problem

This is the second 2026 incident where five-year-old DeFi code took the loss. The pattern: a protocol ships a new flagship (Raydium's CLMM, then AMM V4), the original program is silently deprecated from the frontend, the team's attention follows the new product, but the old program ID stays callable because nobody ever disabled it through its upgrade authority or migrated its vaults. Five years later, an attacker who reads the code instead of the docs finds a missing check.

It rhymes with the whitehat unlock of a 2016 Ethereum ICO contract for $2M in May, and more uncomfortably with how the Gravity Bridge $5.4M key-compromise drain ran through bridge code that hadn't been touched in production for years. The lesson is not new and not Solana-specific: deprecated does not mean off. Code on a live chain is live until its program authority is migrated or revoked. Anything else is wishful thinking dressed as risk management.
