Raydium Faces $1.34M Loss After Fake LP Token Exploit on Legacy Pools

Raydium News: $1.34M Exploit Hits Deprecated Solana AMM Pools

Raydium, a Solana-based decentralized exchange, was drained of roughly $1.34 million on June 10, 2026, after an attacker exploited five deprecated liquidity pools tied to its legacy AMM V3 program. The vulnerability had reportedly been dormant on-chain for several years.

The attacker, associated with a Solana wallet ending in “Bq33QVk,” stole approximately $900,000 in USDC, $357,000 in SOL, and $86,000 in RAY tokens.

After the exploit, funds were bridged from Solana to Ethereum and then routed through Tornado Cash, making the transaction flow difficult to trace and reducing the chances of recovery.


How the Exploit Worked: Fake LP Tokens and Missing Validation

The root cause was a smart contract flaw in Raydium’s outdated AMM V3 system, specifically weak validation of liquidity provider (LP) tokens.

Normally, LP tokens represent a user’s share in a liquidity pool and must be verified before any withdrawal is approved.

In this case, the legacy contracts failed to properly confirm that LP tokens belonged to legitimate pool mints.

The attacker exploited this by deploying a fake SPL token mint, creating a single counterfeit LP token, and using it to trigger withdrawal logic in the contract.

This method was repeated across five inactive pools—Sollet USDT–RAY, Sollet ETH–RAY, SRM–RAY, USDC–RAY, and RAY–SOL—leading to total losses of about 150,177 RAY, 5,603 SOL, and 893,700 USDC.

Raydium contributor 0xInfra confirmed the issue was a self-contained logic bug rather than a private key compromise, meaning active pools and current users were not affected.

Unlike the 2022 exploit that resulted from a stolen private key and caused around $4.4 million in losses, this incident stemmed from legacy code that remained technically accessible after being deprecated.
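
The missing check described above, shown as an added example in a simplified model; this is not Raydium's code. The `Mint`, `Pool` and `TokenAccount` structs and the `withdraw` function are hypothetical stand-ins for on-chain accounts, and all values are constructed. A withdrawal is refused unless the presented LP token account is denominated in the pool's own LP mint:

```rust
// Simplified model (assumption): plain structs stand in for on-chain accounts.
#[derive(Clone, Copy, PartialEq, Debug)]
struct Mint(u64); // hypothetical stand-in for a mint address

struct Pool { lp_mint: Mint, lp_supply: u64, reserve_a: u64, reserve_b: u64 }
struct TokenAccount { mint: Mint, amount: u64 }

#[derive(Debug, PartialEq)]
enum WithdrawError { WrongMint, ZeroAmount, InsufficientBalance, ExceedsSupply }

/// Burn `lp_amount` from `user_lp` and return the pro-rata share of both reserves.
fn withdraw(pool: &mut Pool, user_lp: &mut TokenAccount, lp_amount: u64)
    -> Result<(u64, u64), WithdrawError>
{
    // The validation the article says was missing: the LP account must belong
    // to this pool's LP mint, not to an arbitrary SPL mint.
    if user_lp.mint != pool.lp_mint { return Err(WithdrawError::WrongMint); }
    if lp_amount == 0 { return Err(WithdrawError::ZeroAmount); }
    if lp_amount > user_lp.amount { return Err(WithdrawError::InsufficientBalance); }
    if lp_amount > pool.lp_supply { return Err(WithdrawError::ExceedsSupply); }

    // u128 intermediates avoid overflow in reserve * amount.
    let supply = pool.lp_supply as u128;
    let share = |reserve: u64| (reserve as u128 * lp_amount as u128 / supply) as u64;
    let (out_a, out_b) = (share(pool.reserve_a), share(pool.reserve_b));

    // State changes happen only after every check has passed.
    user_lp.amount -= lp_amount;
    pool.lp_supply -= lp_amount;
    pool.reserve_a -= out_a;
    pool.reserve_b -= out_b;
    Ok((out_a, out_b))
}

fn main() {
    // Constructed sample values, not figures from the incident.
    let mut pool = Pool { lp_mint: Mint(1), lp_supply: 1_000, reserve_a: 50_000, reserve_b: 20_000 };
    let mut fake = TokenAccount { mint: Mint(99), amount: 1 };
    let mut real = TokenAccount { mint: Mint(1), amount: 100 };
    println!("counterfeit mint: {:?}", withdraw(&mut pool, &mut fake, 1));
    println!("pool mint:        {:?}", withdraw(&mut pool, &mut real, 100));
}
```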


Cross-Chain Exit Through Tornado Cash

Investigators tracked the attack as funds were consolidated across the affected pools. The attacker then bridged assets from Solana to Ethereum and moved them through KuCoin and FixedFloat before depositing the final proceeds into Tornado Cash.

Once inside Tornado Cash, transaction-level tracking effectively ended, making further tracing extremely difficult.

Analysis of the wallet ending in “Bq33QVk” confirms a full cross-chain laundering route with no reliance on Solana-native exchanges for liquidation.

At present, no funds have been reported frozen or recovered.


User Impact and Protocol Response

No active users were impacted, as the exploited pools had already been deprecated and were not accessible through Raydium’s user interface.

Raydium has committed to fully reimbursing the stolen funds using its protocol treasury. It is also formally retiring the legacy AMM V3 program IDs and conducting a broader security review of both active and deprecated contracts. A repayment timeline has not yet been announced.

Following the incident, the RAY token saw a brief 2% increase to around $0.578. However, it remains down roughly 7% over the past week and is still far below its all-time high of $16.83, reflecting continued weakness across the Solana ecosystem.