Raydium Reports $1.34M Exploit on Legacy AMM V3 Program

CryptoBriefing
Summary

Raydium reported a $1.34M DeFi exploit in its legacy AMM V3 program, impacting five old liquidity pools from 2021. In total, 150,177 RAY, 5,603 SOL, and 893,700 USDC were stolen. The flaw allowed the LP mint validation to be bypassed. Funds were traced to KuCoin, with 810 ETH routed via Tornado Cash. Raydium will cover losses from its treasury and conduct a full security audit.

Raydium, one of Solana’s largest decentralized exchanges, disclosed an exploit in its legacy Automated Market Maker V3 program that siphoned roughly $1.34 million from five deprecated liquidity pools. The attack targeted pools that had been phased out back in 2021, meaning no active users or current Raydium interfaces were affected.

What was taken and how

The drained assets included approximately 150,177 RAY tokens, 5,603 SOL tokens, and around 893,700 USDC. The five affected pools were Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL, all of which had been deprecated after the Serum protocol was sunset in 2021.

The root cause was a self-contained logic flaw in the liquidity provider mint validation process. The attacker created a fraudulent LP mint and used it to bypass the security checks that should have blocked the withdrawal. The pools were no longer supported within Raydium’s main software development kit or its decentralized application front end, but the smart contracts themselves were still live on-chain with real assets locked inside.
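The article does not publish the affected code, so the following is an added illustration, not Raydium's program: a simplified Rust model of the account checks a withdraw handler needs so that a caller-created LP mint is rejected. The `Pool`, `MintAccount` and `LpTokenAccount` types, the `withdraw` function and the `TOKEN_PROGRAM` value are hypothetical names constructed for this sketch.

```rust
// Simplified, constructed model of an AMM withdraw; not Raydium's code.
type Pubkey = [u8; 32];
const TOKEN_PROGRAM: Pubkey = [7u8; 32]; // placeholder id for this model

#[derive(Debug, PartialEq)]
enum WithdrawError { LpMintMismatch, ForeignTokenAccount, InsufficientLp }

struct Pool { lp_mint: Pubkey, reserve_a: u64, reserve_b: u64 }
// Caller-supplied accounts: every field is untrusted until checked.
struct MintAccount { key: Pubkey, supply: u64 }
struct LpTokenAccount { program_owner: Pubkey, mint: Pubkey, amount: u64 }

fn withdraw(pool: &mut Pool, mint: &MintAccount, user_lp: &LpTokenAccount, burn: u64)
    -> Result<(u64, u64), WithdrawError> {
    // 1. The mint passed in must be the LP mint recorded in pool state.
    if mint.key != pool.lp_mint {
        return Err(WithdrawError::LpMintMismatch);
    }
    // 2. The LP token account must be real token-program data for that mint.
    if user_lp.program_owner != TOKEN_PROGRAM || user_lp.mint != pool.lp_mint {
        return Err(WithdrawError::ForeignTokenAccount);
    }
    // 3. Only now are the balance and supply meaningful inputs to the payout.
    if burn == 0 || burn > user_lp.amount || burn > mint.supply {
        return Err(WithdrawError::InsufficientLp);
    }
    let share = |reserve: u64| (reserve as u128 * burn as u128 / mint.supply as u128) as u64;
    let (out_a, out_b) = (share(pool.reserve_a), share(pool.reserve_b));
    pool.reserve_a -= out_a;
    pool.reserve_b -= out_b;
    Ok((out_a, out_b))
}

fn main() {
    let real_mint = [1u8; 32];
    let mut pool = Pool { lp_mint: real_mint, reserve_a: 1_000, reserve_b: 4_000 };
    // Constructed inputs: a mint the caller created and fully controls.
    let fake = MintAccount { key: [9u8; 32], supply: 100 };
    let fake_lp = LpTokenAccount { program_owner: TOKEN_PROGRAM, mint: fake.key, amount: 100 };
    println!("{:?}", withdraw(&mut pool, &fake, &fake_lp, 100));
    // A genuine 25% LP position against the pinned mint is paid pro rata.
    let mint = MintAccount { key: real_mint, supply: 100 };
    let lp = LpTokenAccount { program_owner: TOKEN_PROGRAM, mint: real_mint, amount: 25 };
    println!("{:?}", withdraw(&mut pool, &mint, &lp, 25));
}
```

The same pinning applies to deprecated programs: as long as the contract is live and holds assets, every account it accepts has to be tied back to state the program itself recorded.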

Following the money

The attacker’s wallet was traced back to KuCoin, the centralized exchange, suggesting that’s where the initial funding for the exploit originated. After the drain, roughly 810 ETH was funneled through Tornado Cash, the privacy-focused Ethereum mixer.

Raydium’s response and the bigger picture

Raydium moved quickly to confirm that it would compensate the lost assets directly from its treasury. The exchange also announced a comprehensive security review of all its mainnet programs.

Raydium’s transition away from these older pools was driven by the deprecation of Serum, the on-chain order book protocol that was once central to Solana’s DeFi ecosystem. Raydium has since migrated to newer program versions including V4 and V5, which utilize virtual supply mechanisms alongside stricter account verification protocols. But the old contracts apparently weren’t fully wound down.

Raydium’s current pools, its CLMM (Concentrated Liquidity Market Maker) and newer AMM versions, were not affected. The treasury backstop means nobody who had residual funds in the deprecated pools should be out of pocket.

US authorities sanctioned Tornado Cash in 2022, and its continued use in exploit laundering gives regulators ammunition to argue for stricter oversight of DeFi protocols.
