Raydium Exploit: $1.34M Drained via Legacy AMM V3 LP Mint Validation Flaw
$1.34M was drained from Raydium's legacy AMM V3 pools after an LP mint validation flaw let an attacker bypass proportion checks in deprecated Solana liquidity pools.

- Incident Date: June 10, 2026
- Target: Raydium legacy AMM V3 program on Solana
- Target Overview: Raydium is a Solana-based decentralized exchange and automated market maker. The reported exploit affected its legacy AMM V3 program, which Raydium said had been phased out in 2021 and was not reachable by current users through the Raydium UI.
- Total Loss: Approximately $1.34 million, consisting of roughly 150,177 RAY, 5,603 SOL, and 893,700 USDC.
- Reported Attacker Addresses: Solana address 4WnPeb...3QVk; Ethereum address 0x0EaB...E609.
- Reported Fund Flow: PeckShieldAlert said the attacker was initially funded from KuCoin, bridged stolen funds from Solana to Ethereum, deposited 810 ETH into Tornado Cash, and sent 7 ETH to FixedFloat.
- Attack Vector: Smart-contract logic flaw / LP mint validation failure / unauthorized liquidity removal
Incident Review & Technical Details
1. Attack Path
- Legacy liquidity was still reachable on-chain: The affected surface was Raydium's old AMM V3 program and associated deprecated liquidity pools. Raydium said current users were not affected and could not have interacted with these pools through the UI after their deprecation.
- The attacker supplied a counterfeit LP mint: According to Raydium official Infra, the legacy program did not properly verify the LP mint address. This allowed the attacker to create a new mint and present it as the LP token for the pool.
- Proportion checks were bypassed: Because the program trusted the wrong LP mint relationship, the attacker could bypass the intended proportionality checks that should have bound LP tokens to the real pool liquidity.
- Liquidity was removed without valid pool ownership: The exploit path resulted in unauthorized removal of liquidity from old Raydium AMM V3 pools. Public reporting placed the drained assets at roughly 150,177 RAY, 5,603 SOL, and 893,700 USDC.
- Funds moved cross-chain: PeckShieldAlert reported that the stolen value was bridged from Solana to Ethereum. The same alert said 810 ETH was deposited into Tornado Cash and 7 ETH was sent to FixedFloat.
- No key compromise was reported: Infra specifically ruled out a private-key compromise or authority-level issue and described the incident as a self-contained logic flaw in the deprecated program.
2. Impact Scope
- Protocol-Level Loss: Public reporting and Raydium's initial review converged on approximately $1.34 million in stolen assets.
- Affected Component: The affected component was the legacy AMM V3 program and old liquidity pools, not Raydium's current mainnet programs.
- Affected Users: Raydium said current users were not affected and could not access the deprecated pools through the UI. The practical impact centered on users or liquidity positions still exposed to the old program.
- Unaffected Components: Raydium said its other mainnet programs avoid this vulnerability by using virtual-supply-based proportion checks and by verifying the LP mint plus other relevant account information.
- Recovery Commitment: According to public reporting of Infra's statement, affected users are expected to be fully compensated from Raydium's treasury.
- Disclosure Gap: A full transaction list, affected pool list, patch diff, and final postmortem had not been identified in the reviewed sources at the time of writing.
3. Official Statements
- Raydium / Infra: Infra said Raydium was aware of unauthorized liquidity removal from the legacy AMM V3 program, that the program had been phased out in 2021, and that current UI users were not affected.
- Raydium / Infra on root cause: Infra attributed the issue to insufficient LP mint validation, explaining that the program failed to properly verify the LP mint address and therefore let the attacker use a newly created mint as the LP token.
- PeckShieldAlert: PeckShieldAlert cited Specter and reported the $1.3 million Raydium drain, KuCoin-sourced initial funding, Solana-to-Ethereum bridging, and downstream movement into Tornado Cash and FixedFloat.
4. Investigation Progress
Raydium's initial public communication framed the incident as a contained logic flaw in a deprecated AMM program rather than an active-program compromise. The most important follow-up is whether any other deprecated pools or retired program paths still hold value and lack the account-validation standards used by Raydium's current programs.
Recommended response steps for Raydium-style Solana AMM systems:
- Enumerate every deprecated program, market, pool, vault, LP mint, and authority that can still be called directly on-chain.
- Freeze, migrate, or explicitly close retired pools that retain residual value.
- Add invariant tests that bind pool state, LP mint, vault accounts, pool authority, token program, and proportion checks into one account-validation boundary.
- Simulate counterfeit mint, wrong vault, wrong authority, and account-substitution attacks against every liquidity-removal path.
- Monitor for direct calls to deprecated programs, abnormal LP burn or withdrawal attempts, newly created mints used near legacy pool calls, and cross-chain fund movement after Solana drains.
- Publish a final postmortem with the vulnerable instruction path, affected pools, transaction hashes, compensation process, and the review performed across other legacy programs.
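The account-validation boundary and substitution tests recommended above, as an added example that is not Raydium's code: a plain-Rust model (no Solana SDK) in which the `Bindings` layout, every function name, and all sample values are constructed assumptions. The liquidity-removal path rejects any supplied LP mint, vault, authority, or token program that differs from what the pool recorded, before any proportion is computed.

```rust
// Simplified model constructed for illustration: plain Rust, no Solana SDK.
type Key = [u8; 32]; // stand-in for a Solana account address

#[derive(Debug, PartialEq)]
pub enum Reject { LpMint, Vault, Authority, TokenProgram, Amount }

/// The account addresses a liquidity-removal path depends on (hypothetical layout).
pub struct Bindings { pub lp_mint: Key, pub vault: Key, pub authority: Key, pub token_program: Key }

/// What the caller passed in: addresses plus values read from those accounts.
pub struct Supplied { pub accts: Bindings, pub lp_supply: u64, pub vault_balance: u64 }

/// Single validation boundary: every supplied account must match pool state.
pub fn validate(pool: &Bindings, got: &Bindings) -> Result<(), Reject> {
    if got.lp_mint != pool.lp_mint { return Err(Reject::LpMint); }
    if got.vault != pool.vault { return Err(Reject::Vault); }
    if got.authority != pool.authority { return Err(Reject::Authority); }
    if got.token_program != pool.token_program { return Err(Reject::TokenProgram); }
    Ok(())
}

/// Proportional payout for burning `burn` LP tokens; runs only after validation.
pub fn withdraw(pool: &Bindings, s: &Supplied, burn: u64) -> Result<u64, Reject> {
    validate(pool, &s.accts)?;
    if burn == 0 || burn > s.lp_supply { return Err(Reject::Amount); }
    Ok((burn as u128 * s.vault_balance as u128 / s.lp_supply as u128) as u64)
}

pub fn key(b: u8) -> Key { [b; 32] } // constructed sample address

pub fn pool() -> Bindings {
    Bindings { lp_mint: key(1), vault: key(2), authority: key(3), token_program: key(4) }
}

pub fn honest() -> Supplied {
    Supplied { accts: pool(), lp_supply: 1_000_000, vault_balance: 500_000 }
}

fn main() {
    let p = pool();
    println!("honest: {:?}", withdraw(&p, &honest(), 10_000));
    let mut fake = honest();
    fake.accts.lp_mint = key(99); // a mint the pool never recorded
    fake.lp_supply = 1;           // its supply is whatever its creator chose
    println!("counterfeit mint: {:?}", withdraw(&p, &fake, 1));
}
```

Without the `lp_mint` comparison, the payout would be computed from a supply figure the caller controls, which is why the mint check has to sit inside the same boundary as the proportion math.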
AUTOSEC.DEV Solution
The Raydium incident shows why deprecated Web3 programs still need production-grade validation, monitoring, and retirement controls while they hold residual liquidity.
- Secure Code Review - Raydium's reported failure centered on LP mint validation inside a retired AMM program. AUTOSEC.DEV reviews Solana and EVM smart-contract account validation, authority binding, pool-to-LP invariants, vault ownership checks, and legacy code paths that remain callable after product migration.
- Penetration Testing - The attack depended on presenting attacker-controlled account state to a live on-chain program. We build adversarial test scenarios for counterfeit mints, wrong account substitutions, stale pool state, deprecated program entrypoints, and unauthorized liquidity-removal paths before attackers discover them on mainnet.
- Incident Response - For recent DEX drains, AUTOSEC.DEV can support exploit reconstruction, affected-pool scoping, fund-flow tracing across Solana and Ethereum, exchange or bridge coordination, compensation evidence review, and post-incident regression-test design.