Raydium, one of Solana’s largest decentralized exchanges, disclosed an exploit in its legacy Automated Market Maker V3 program that siphoned roughly $1.34 million from five deprecated liquidity pools. The attack targeted pools that had been phased out back in 2021, meaning no active users or current Raydium interfaces were affected.
What was taken and how
The drained assets included approximately 150,177 RAY tokens, 5,603 SOL tokens, and around 893,700 USDC. The five affected pools were Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL, all of which had been deprecated after the Serum protocol was sunset in 2021.
The root cause was a self-contained logic flaw in the liquidity provider mint validation process. The attacker created a fraudulent LP mint and used it to bypass the security checks that should have blocked the withdrawal. The pools were no longer supported within Raydium’s main software development kit or its decentralized application front end, but the smart contracts themselves were still live on-chain with real assets locked inside.
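The article gives no code for the flaw, so what follows is an added Rust model (not Raydium's program) of the LP mint validation a withdraw handler needs before it pays out. `Pool`, `MintAccount`, `LpTokenAccount`, `withdraw` and the `TOKEN_PROGRAM` placeholder are all hypothetical names chosen for illustration.

```rust
// Simplified model of LP mint validation on withdraw. Not Raydium's code:
// every type, name and constant below is hypothetical.
type Pubkey = [u8; 32];
const TOKEN_PROGRAM: Pubkey = [6u8; 32]; // constructed placeholder id

#[derive(Debug, PartialEq)]
enum WithdrawError { WrongLpMint, WrongMintOwner, ZeroSupply, InsufficientLp }

struct Pool { lp_mint: Pubkey, reserve_a: u64, reserve_b: u64 }
// Caller-supplied accounts: every field is untrusted until checked.
struct MintAccount { key: Pubkey, owner: Pubkey, supply: u64 }
struct LpTokenAccount { mint: Pubkey, amount: u64 }

fn withdraw(pool: &mut Pool, mint: &mut MintAccount, user_lp: &mut LpTokenAccount,
            burn: u64) -> Result<(u64, u64), WithdrawError> {
    // 1. The mint must be the exact one recorded in pool state at creation.
    if mint.key != pool.lp_mint { return Err(WithdrawError::WrongLpMint); }
    // 2. It must be owned by the token program, so its data is a genuine mint.
    if mint.owner != TOKEN_PROGRAM { return Err(WithdrawError::WrongMintOwner); }
    // 3. The tokens being burned must belong to that same mint.
    if user_lp.mint != pool.lp_mint { return Err(WithdrawError::WrongLpMint); }
    if mint.supply == 0 { return Err(WithdrawError::ZeroSupply); }
    if burn == 0 || burn > user_lp.amount || burn > mint.supply {
        return Err(WithdrawError::InsufficientLp);
    }
    // Pro-rata share, computed in u128 so the multiplication cannot overflow.
    let share = |r: u64| (r as u128 * burn as u128 / mint.supply as u128) as u64;
    let (a, b) = (share(pool.reserve_a), share(pool.reserve_b));
    // State changes happen only after every check has passed.
    user_lp.amount -= burn;
    mint.supply -= burn;
    pool.reserve_a -= a;
    pool.reserve_b -= b;
    Ok((a, b))
}

fn main() {
    let mut pool = Pool { lp_mint: [1; 32], reserve_a: 1_000, reserve_b: 2_000 };
    // Constructed forged mint: a valid token-program mint, but not the pool's.
    let mut fake = MintAccount { key: [9; 32], owner: TOKEN_PROGRAM, supply: 1 };
    let mut fake_lp = LpTokenAccount { mint: [9; 32], amount: 1 };
    println!("{:?}", withdraw(&mut pool, &mut fake, &mut fake_lp, 1));
}
```

The same three checks apply to deprecated pools for as long as the program stays deployed with funds in it, since removal from the SDK or front end does not stop direct calls to the on-chain program.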
Following the money
The attacker’s wallet was traced back to KuCoin, the centralized exchange, suggesting that’s where the initial funding for the exploit originated. After the drain, roughly 810 ETH was funneled through Tornado Cash, the privacy-focused Ethereum mixer.
Raydium’s response and the bigger picture
Raydium moved quickly to confirm that it would compensate the lost assets directly from its treasury. The exchange also announced a comprehensive security review of all its mainnet programs.
Raydium’s transition away from these older pools was driven by the deprecation of Serum, the on-chain order book protocol that was once central to Solana’s DeFi ecosystem. Raydium has since migrated to newer program versions including V4 and V5, which utilize virtual supply mechanisms alongside stricter account verification protocols. But the old contracts apparently weren’t fully wound down.
Raydium’s current pools, its CLMM (Concentrated Liquidity Market Maker) and newer AMM versions, were not affected. The treasury backstop means nobody who had residual funds in the deprecated pools should be out of pocket.
US authorities sanctioned Tornado Cash in 2022, and its continued use in exploit laundering gives regulators ammunition to argue for stricter oversight of DeFi protocols.