Raydium got hit. The Solana-based decentralized exchange lost $1.34 million after an attacker exploited a flaw buried inside a program the platform had already retired years ago.
The breach pulled 150,000 RAY tokens, roughly 5,600 SOL, and close to 900,000 USDC out of three liquidity pools — RAY-SOL, USDC-RAY, and SRM-RAY. Raydium traced the damage back to its old AMM V3 program, which the exchange had phased out back in 2021. The core problem was inadequate validation of liquidity provider mints inside that legacy code. Basically, the attacker found a way to generate a new mint address that the system accepted as a legitimate LP token, which let them sidestep the checks meant to control how assets move through Raydium’s pools. It’s the kind of flaw that probably sat dormant for years without anyone noticing, partly because the program was already invisible to users — you can’t even reach it through Raydium’s current interface.
Not accessible. Not maintained. But still dangerous, apparently.
How the Attacker Moved the Money
PeckShield tracked what happened to the stolen funds after the drain. The attacker didn’t sit still. Assets moved first through KuCoin, then got bridged from Solana over to Ethereum — a pretty common cross-chain hop when someone’s trying to put distance between themselves and the original theft. Once on Ethereum, the trail splits: 810 ETH went into Tornado Cash, and another 7 ETH landed at FixedFloat. Both platforms are known for making fund flows hard to follow. Tornado Cash in particular has been a go-to for obfuscating transaction history, which is why it’s drawn so much regulatory attention over the past few years. The attacker’s use of cross-chain bridging on top of a mixer makes tracing the full path of those funds a serious challenge for anyone trying to recover them.
No public recovery plan from Raydium so far. Unclear if one is coming.
The broader pattern here isn’t new. DeFi exploits that target legacy or retired code have shown up before across multiple chains. Old programs don’t always get cleanly decommissioned — sometimes they linger in the background, technically live on-chain even when no front-end points to them anymore. That gap between “retired from the interface” and “actually removed from the chain” is exactly the kind of thing attackers look for. It’s murky territory, and it’s probably more common than most protocols would like to admit.
Raydium’s Active Programs and Ongoing Reviews
Raydium was quick to say its active programs weren’t touched. The exchange told users that current mainnet systems are secure and that core contributors are running security reviews across all live programs right now. That’s the right move after something like this — even if the exploit came from dead code, you’d want to know whether any similar validation gaps exist anywhere else in the stack.
And the LP mint validation issue is worth paying attention to. If the attacker could create a fake mint that passed as a legitimate LP token in the old V3 program, the question becomes whether any analogous logic exists in newer code. Raydium hasn’t said. The reviews are ongoing, and no timeline has been given for when they’ll wrap up.
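The class of check at issue, as a simplified model added here (not Raydium's code and not a reconstruction of the V3 flaw): a withdrawal path that accepts any token account, beside one that compares the account's mint with the LP mint stored in pool state. `Pool`, `TokenAccount`, `Pubkey(u8)`, the function names and all numbers are hypothetical.

```rust
// Simplified model; every type and name here is hypothetical, not Raydium's code.
#[derive(Clone, Copy, PartialEq, Debug)]
struct Pubkey(u8); // stand-in for a 32-byte address

struct Pool { lp_mint: Pubkey, lp_supply: u64, reserve_a: u64, reserve_b: u64 }
struct TokenAccount { mint: Pubkey, amount: u64 }

#[derive(Debug, PartialEq)]
enum WithdrawError { WrongLpMint, InsufficientLp }

// Pro-rata redemption shared by both entry points.
fn redeem(pool: &mut Pool, lp: &mut TokenAccount, burn: u64) -> Result<(u64, u64), WithdrawError> {
    if burn == 0 || burn > lp.amount || burn > pool.lp_supply {
        return Err(WithdrawError::InsufficientLp);
    }
    let supply = pool.lp_supply as u128; // non-zero: burn > 0 and burn <= lp_supply
    let a = (pool.reserve_a as u128 * burn as u128 / supply) as u64;
    let b = (pool.reserve_b as u128 * burn as u128 / supply) as u64;
    lp.amount -= burn;
    pool.lp_supply -= burn;
    pool.reserve_a -= a;
    pool.reserve_b -= b;
    Ok((a, b))
}

// Weak form: any token account is accepted as proof of an LP position.
fn withdraw_unchecked(pool: &mut Pool, lp: &mut TokenAccount, burn: u64) -> Result<(u64, u64), WithdrawError> {
    redeem(pool, lp, burn)
}

// Hardened form: the account's mint must equal the mint stored in pool state.
fn withdraw_checked(pool: &mut Pool, lp: &mut TokenAccount, burn: u64) -> Result<(u64, u64), WithdrawError> {
    if lp.mint != pool.lp_mint {
        return Err(WithdrawError::WrongLpMint);
    }
    redeem(pool, lp, burn)
}

fn sample_pool() -> Pool {
    Pool { lp_mint: Pubkey(1), lp_supply: 1_000, reserve_a: 50_000, reserve_b: 20_000 }
}

fn main() {
    // Constructed input: a token account whose mint is unrelated to the pool.
    let mut foreign = TokenAccount { mint: Pubkey(9), amount: 1_000 };
    let mut pool = sample_pool();
    println!("unchecked: {:?}", withdraw_unchecked(&mut pool, &mut foreign, 500));
    let mut pool = sample_pool();
    println!("checked:   {:?}", withdraw_checked(&mut pool, &mut foreign, 500));
}
```

A review for analogous logic in other programs would look for any redemption or burn path that reaches the payout arithmetic without a comparison of this kind.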
RAY token holders are probably watching closely. Losing 150,000 RAY from pools isn’t a trivial amount, and even if the active systems are fine, the optics of a $1.34 million drain from a protocol people trust with liquidity are hard to shake quickly. Confidence in a DEX depends heavily on how it handles moments like this — both the speed of the response and the honesty of the communication.
Raydium moved fast on communication, at least. The exchange identified the breach, named the source, and made clear that the flaw was in retired infrastructure rather than anything currently running. That transparency matters in DeFi, where rumors can move faster than facts and a vague statement can trigger a bigger panic than the exploit itself.
What it didn’t do — at least not publicly — is say anything about recovering the stolen funds. With 810 ETH already inside Tornado Cash, recovery seems unlikely in any near-term sense. That’s not unique to Raydium; most DeFi exploits that reach a mixer end up as a write-off for the affected protocol or its users.
The attacker bridged assets across two chains, ran them through a mixer, and split the trail. Raydium’s security reviews of mainnet programs are still ongoing.
Frequently Asked Questions
What caused the Raydium $1.34 million exploit?
The exploit came from a flaw in Raydium’s retired AMM V3 program, where inadequate validation of liquidity provider mints let an attacker bypass security checks and drain funds from RAY-SOL, USDC-RAY, and SRM-RAY pools.
Where did the stolen Raydium funds go?
Per PeckShield, the stolen assets moved through KuCoin, were bridged from Solana to Ethereum, and then split — 810 ETH went to Tornado Cash and 7 ETH to FixedFloat.





