Raydium commits to cover losses as hacker drains $1.3M from legacy pools

- The attacker used fake LP tokens to impersonate a liquidity provider and withdraw entire pool balances.
- Raydium says current users and active pools were unaffected, as the vulnerable pools had been inactive since 2021.
- Raydium has pledged to fully reimburse affected liquidity providers and is reviewing all of its mainnet programs for vulnerabilities.

A hacker has exploited a vulnerability in Raydium’s legacy AMM V3 program, draining approximately $1.34 million from five liquidity pools that had been deprecated since 2021.
The Raydium team confirmed it was aware of the unauthorized liquidity removal and committed to covering losses.
The attack targeted code that the Solana-based decentralized exchange phased out five years ago.
According to Infra, a Raydium team member, no current users were affected because the pools had been inaccessible through the platform’s interface for years. Infra also stated that “full compensation will be handled by Raydium’s treasury.”
How was the attacker able to exploit the deprecated pools?
According to Infra, “the vulnerability was caused by a self-contained logic flaw, not a key compromise or authority-level issue, so there is no propagation risk.”
Security researcher Param stated on X that the attacker found a flaw in Raydium’s 2021-era code. The attacker identified five abandoned liquidity pools still holding funds and generated fraudulent ownership receipts.
Those fake LP tokens tricked the legacy smart contract into treating the attacker as a legitimate liquidity provider, allowing a full withdrawal of pool assets.
Blockchain security firm F12 corroborated these accounts, tracing the attack on-chain. The exploit relied on a fabricated LP token with a supply of just one unit. When the attacker submitted a withdrawal using that token, the old program released the entire pool balance.
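The article does not show the flawed program, so the following is an added, simplified model of the bug class described above, not Raydium's code. It assumes the legacy withdrawal computed a pro-rata share from whatever LP mint the caller supplied, and puts that beside the hardened form that pins the mint to the one recorded in pool state; all type names, function names and figures are hypothetical or constructed.

```rust
// Simplified model of a pro-rata LP withdrawal. Not Raydium's code:
// every struct, field and function name here is hypothetical.
#[derive(Clone, Copy, PartialEq, Debug)]
struct MintId(u32);

struct Mint { id: MintId, supply: u64 }

struct Pool { lp_mint: MintId, reserve_a: u64, reserve_b: u64 }

#[derive(Debug, PartialEq)]
enum WithdrawError { WrongLpMint, ZeroSupply, AmountExceedsSupply }

// Payout is amount / supply of each reserve, computed in u128 to avoid overflow.
fn pro_rata(pool: &Pool, mint: &Mint, amount: u64) -> Result<(u64, u64), WithdrawError> {
    if mint.supply == 0 { return Err(WithdrawError::ZeroSupply); }
    if amount > mint.supply { return Err(WithdrawError::AmountExceedsSupply); }
    let share = |r: u64| ((r as u128) * (amount as u128) / (mint.supply as u128)) as u64;
    Ok((share(pool.reserve_a), share(pool.reserve_b)))
}

// Flawed form (assumed): trusts whichever mint account the caller passes in,
// so a mint with supply 1 turns one token into a 100% share.
fn withdraw_unchecked(pool: &Pool, mint: &Mint, amount: u64) -> Result<(u64, u64), WithdrawError> {
    pro_rata(pool, mint, amount)
}

// Hardened form: the supplied mint must be the one recorded in pool state.
fn withdraw_checked(pool: &Pool, mint: &Mint, amount: u64) -> Result<(u64, u64), WithdrawError> {
    if mint.id != pool.lp_mint { return Err(WithdrawError::WrongLpMint); }
    pro_rata(pool, mint, amount)
}

fn main() {
    // Constructed sample values, not on-chain data.
    let pool = Pool { lp_mint: MintId(1), reserve_a: 500_000, reserve_b: 840_000 };
    let real = Mint { id: MintId(1), supply: 1_000_000 };
    let fake = Mint { id: MintId(99), supply: 1 };
    println!("unchecked, fake mint: {:?}", withdraw_unchecked(&pool, &fake, 1));
    println!("checked, fake mint:   {:?}", withdraw_checked(&pool, &fake, 1));
    println!("checked, real mint:   {:?}", withdraw_checked(&pool, &real, 250_000));
}
```

For a review of deprecated programs, the point to audit is every instruction that derives a payout from an account the caller supplies without comparing its address to the one stored in program state.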
Where did the attacker move the stolen funds to?
PeckShieldAlert reported that the attacker’s wallet was initially funded through KuCoin. After draining the pools on Solana, they bridged the stolen funds to Ethereum via deBridge, yielding roughly 810 ETH.
The attacker then deposited the bulk of that haul into Tornado Cash, the mixing protocol frequently used to obscure transaction origins. They then moved 7 ETH through FixedFloat, according to PeckShieldAlert’s analysis.
According to the Raydium team, the exploiter’s address is 4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk.
Legacy code, current risk
Raydium’s current programs are still active, per Infra. The protocol holds $796.56 million in total value locked on Solana and has processed over $1.1 billion in DEX volume in the past seven days, according to DefiLlama data.
The AMM V3 program that was exploited is separate from the pools currently in use.
However, this is not the first time Raydium has suffered a security breach. In December 2022, the protocol lost $4.4 million after a private key compromise.
The latest breach adds to what has become a near-daily run of crypto exploits in 2026.
Cryptopolitan has previously reported that CertiK logged 60 confirmed security incidents in May alone, totaling $68.3 million in gross losses, the highest monthly incident count of the year. Code vulnerabilities accounted for over $45 million of those losses.
A few days before the Raydium exploit, attacks on Gnosis Pay and TesseraDAO cost projects at least $2.5 million, and the Flooring Protocol vulnerability spread to its fork, Asterisk, through shared code.
As of the end of May, cumulative losses from crypto exploits in 2026 approached $1.3 billion. Bridge-related attacks alone account for $340.7 million of that figure, PeckShield has reported.
The Raydium team stated that its core contributors are conducting a security review of all its mainnet programs.
While the leadership says they will compensate affected liquidity providers, Raydium has not disclosed exactly how and when they will get reimbursed.
FAQs
How much was stolen in the Raydium exploit?
Approximately $1.34 million was drained from five deprecated liquidity pools on Raydium's legacy AMM V3 program, which had been phased out since 2021.
Are current Raydium users at risk?
No. Raydium's team confirmed that the exploit affected only legacy pools that were no longer accessible through the platform's interface, and that no current users were impacted.
Where did the stolen funds go?
The attacker bridged the stolen assets from Solana to Ethereum via deBridge, converting them to roughly 810 ETH, and deposited the majority into Tornado Cash with a smaller amount sent through FixedFloat.

Hannah Collymore