One of Solana’s flagship decentralized exchanges became the latest victim of a crypto exploit on Wednesday, when an attacker drained more than $1.34 million from five dormant liquidity pools on Raydium, adding fresh urgency to an already bruising year for decentralized finance security.
The exploit targeted Raydium’s legacy AMM V3 program and drained roughly $1.34 million from five inactive liquidity pools. The affected pools — Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL — had been phased out following the deprecation of the Serum protocol in 2021.
The attacker bypassed validation checks in the old AMM V3 program, minted new liquidity provider tokens without depositing corresponding assets, then withdrew and converted the positions. The exploiter’s Solana address ends in “Bq33QVk.” In dollar terms, the attacker made off with nearly $900,000 in USDC, approximately $357,000 in SOL, and $86,000 worth of RAY.
The vulnerability originated from insufficient validation of the LP mint address within the Legacy AMM V3 program. Because the program failed to properly verify the LP mint, the attacker created a new mint and used it as the LP token, effectively bypassing the proportion checks that were meant to govern liquidity removal.
Raydium moved quickly to contain the fallout. Pseudonymous Raydium contributor 0xInfra confirmed the incident via X, stating that no current users were affected and could not have interacted with the deprecated pools through the platform’s UI since their phase-out. The project confirmed full compensation for all affected users will be handled directly through its treasury, covering the entire $1.34 million across all five impacted pools. Raydium’s core contributors also announced a comprehensive security review of all mainnet programs to verify that no similar logic flaws exist across any active code.
Solana Exchange Raydium Hit With $1.34 Million Exploit as DeFi Attacks Grow
A Ghost in the Machine
The incident raises a question that has become increasingly uncomfortable across DeFi: what happens to code that is officially retired but never fully removed from the blockchain?
The loss shows how old liquidity pools can remain financially dangerous long after a protocol’s user interface, SDKs, and main product routes move elsewhere. The affected contracts still held live assets on-chain despite being phased out of Raydium’s current application interface and active liquidity stack.
Because smart contracts are immutable, fully removing old code that still holds funds is never straightforward. This incident shows a real weakness in DeFi: old contracts can still become targets for attackers looking for edge cases. Raydium had transitioned to newer AMM versions, including V4 and V5, which utilize virtual supply mechanisms alongside stricter account verification protocols — but the deprecation of the legacy program did not wipe its on-chain footprint.
After stealing the assets on Solana, the funds were bridged to Ethereum and are now being laundered via Tornado Cash, according to blockchain investigator Specter. That exit path — bridge to Ethereum, deposit into the sanctioned mixer — has become a familiar playbook for DeFi exploiters seeking to complicate recovery efforts. US authorities sanctioned Tornado Cash in 2022, and its continued use in exploit laundering gives regulators ammunition to argue for stricter oversight of DeFi protocols.
Raydium (RAY) Price Chart
A Deteriorating Security Landscape
The Raydium hack arrives at a moment when DeFi’s security track record is under acute scrutiny. The sector has already lost over $750 million to hacks and exploits in 2026, driven largely by the approximately $292 million KelpDAO exploit and the $285 million Drift Protocol breach.
Drift Protocol lost $285 million on April 1 after a North Korean hacking group spent six months socially engineering its way into the Solana-based DEX, while KelpDAO’s LayerZero bridge was drained of $292 million in rsETH on April 19. Those two incidents alone caused 95% of April’s total DeFi damage, triggering a mass exit from DeFi and ranking among the top ten hacks since 2021.
What makes the current environment particularly alarming is the widening attack surface. Neither of the two biggest exploits of 2026 involved a smart contract vulnerability — code audits, formal verification, and bug bounty programs would not have prevented Drift or KelpDAO. Instead, social engineering, compromised infrastructure, and governance weaknesses have emerged as the dominant vectors.
Adding a new dimension to the threat landscape, AI is now playing a documented role in vulnerability discovery. Security researcher Taylor Hornby identified a critical four-year-old vulnerability in Zcash’s Orchard shielded pool on May 29 by running a custom auditing agent framework paired with Anthropic’s Claude Opus 4.8 model, then wrote a complete working exploit in a local test environment. The bug would have allowed an attacker to mint unlimited ZEC tokens inside the Orchard pool without detection, and its disclosure sent ZEC crashing more than 38% in a single day. While the Zcash disclosure was a white-hat find — and there is no evidence AI tools were used in the Raydium attack — it underscores the accelerating capability of AI-assisted auditing on both sides of the security equation.
Market Reaction and Outlook
Market reaction to the Raydium exploit was limited. RAY fell about 2% in the 24 hours after the disclosure and roughly 13% over the prior week, with the token remaining far below its all-time high.
For the broader DeFi ecosystem, the incident carries implications beyond the dollar figure. Legacy contracts, abandoned pools, and residual permission settings represent a class of risk that traditional code audits do not systematically address. As protocols evolve and migrate to newer architectures, the operational burden of cleanly decommissioning old infrastructure — not just removing UI access, but auditing and safely winding down on-chain contracts that still hold value — has become a pressing security obligation.
The Raydium incident is a clear reminder that “deprecated” does not always mean safe in the blockchain world.
Leave feedback about this