Raydium Loses $1.3M in Legacy Pool Exploit, Treasury Covers Losses

Raydium Exploit Drains $1.3 Million From Legacy Solana Pools – Treasury to Cover Losses While Active Users Remain Unaffected

Key Takeaways

Raydium lost approximately $1.3 million after an exploit targeted five legacy liquidity pools on Solana.
The attacker used a fake mint address to exploit a validation flaw in retired AMM code.
Stolen assets included 150,177 RAY, 5,603 SOL, and 893,700 USDC.
Raydium confirmed that current users and active pools were not affected and that the treasury will cover all losses.
RAY fell less than 1 percent and SOL declined nearly 2 percent following the incident.

Exploit Targeted Retired Raydium AMM V3 Program

Raydium experienced a security breach on Wednesday that resulted in the loss of roughly $1.3 million in crypto assets. According to statements from the project and findings by blockchain security firm PeckShield and on chain investigator Specter, the exploit affected five legacy liquidity pools on Solana.

The vulnerability was linked to a deprecated automated market maker program, identified as Raydium AMM V3, which had been phased out in 2021. Raydium stated that the affected pools were tied to this retired code and were no longer accessible to users through the platform interface.

The attacker exploited a validation flaw in the dormant pools. Specter reported that a fake mint address was used to bypass checks and withdraw liquidity without detection. Because the pools were no longer active within the main user interface, current liquidity providers and traders could not interact with them.

Raydium publicly confirmed that no active pools were impacted and that no current users were affected by the incident.

Breakdown of Stolen Assets and Fund Movements

The stolen assets included approximately 150,177 RAY tokens, 5,603 SOL, and 893,700 USD Coin. After extracting the funds, the attacker moved them across chains.

PeckShield reported that the attacker was initially funded through KuCoin. The stolen assets were later bridged from Solana to Ethereum. On Ethereum, 810 ETH were deposited into Tornado Cash, while another 7 ETH were sent to FixedFloat.

Tornado Cash, a crypto mixer, was removed from the US Treasury sanctions list in March 2025. Mixers are commonly used in exploit cases to obscure transaction trails and make asset tracing more difficult. According to PeckShield, the majority of the bridged funds were routed through Tornado Cash.

The cross chain movement and subsequent mixing complicate recovery efforts. At the time of reporting, no further updates on potential fund recovery had been disclosed.

Raydium Treasury to Reimburse Losses

Raydium stated that it will fully reimburse the impacted assets using its treasury. The team emphasized that the exploit involved a previously phased out program and that no active user funds were exposed.

In its public communication, Raydium clarified that users would not have been able to interact with the affected pools through the platform interface. The project described the exploit as an unauthorized removal of liquidity from legacy code rather than from active markets.

This is not the first time Raydium has faced a security incident. In December 2022, an admin key compromise led to drained active pools. At that time, a governance vote approved the use of buyback fees and vested team tokens to compensate affected liquidity providers.

In the current case, the compensation will come directly from the treasury, according to the team.

Market Reaction Remains Limited

Despite the reported loss, market reaction was relatively muted. The price of RAY declined by less than 1 percent over the previous 24 hours, trading near $0.57 at the time referenced in the source material.

Solana also recorded a modest decline, with SOL falling nearly 2 percent to approximately $63.88.

The limited price movement suggests that traders differentiated between legacy code exposure and active protocol risk. Because the exploit did not affect current pools or user accessible contracts, the broader Solana ecosystem and Raydium’s ongoing operations remained operational.

For users of decentralized exchanges and liquidity protocols, the incident highlights how retired smart contract code can remain on chain and potentially vulnerable even after it has been phased out in practice.

Security Implications for DeFi Users

The exploit demonstrates that dormant smart contracts may still present risks if not fully decommissioned. Although Raydium had phased out the AMM V3 program in 2021, the underlying contracts remained accessible on chain.

Blockchain security firms and independent investigators were able to trace the attacker’s movements across Solana and Ethereum in near real time. However, once funds are bridged and routed through mixers, attribution and recovery become more complex.

For users evaluating decentralized finance platforms, incidents involving legacy code can influence how projects manage upgrades, contract deprecation, and treasury risk coverage. In this case, Raydium’s response focused on isolating the impact to retired contracts and committing treasury funds to cover losses.

Our Assessment

Raydium lost approximately $1.3 million after an attacker exploited a validation flaw in five retired liquidity pools tied to its phased out AMM V3 program. Active users and current pools were not affected, and the project committed to covering all losses through its treasury. The stolen funds were bridged from Solana to Ethereum and largely routed through Tornado Cash, complicating potential recovery efforts. Market prices for RAY and SOL showed limited short term impact following the incident.