Raydium Commits Full Reimbursement After $1.34M Legacy Pool Exploit


Solana-based decentralized exchange Raydium confirmed an exploit targeting its legacy AMM V3 program removed roughly $1.34 million in assets from inactive liquidity pools. The attack affected RAY-SOL, USDC-RAY, and SRM-RAY pairs, draining approximately 150,000 RAY, 5,600 SOL, and nearly 900,000 USDC. Raydium attributed the vulnerability to insufficient validation of LP mints in the legacy program, which had been phased out in 2021. The protocol stated current mainnet programs were unaffected and committed to full reimbursement from its treasury. The incident highlights ongoing security risks from retired smart contracts that remain on-chain even after protocols discontinue front-end support.

Raydium Identifies Insufficient LP Mint Validation as Exploit Cause

Raydium said the vulnerability stemmed from insufficient validation of LP mints, which allowed the attacker to bypass intended proportion checks. The targeted automated market maker program had been phased out in 2021 and had not been accessible through the exchange's interface since then. The protocol stated its SDK and DAPP do not support mainnet interactions with the legacy AMM V3 pools.
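An added example, not Raydium's code: the page says only that LP mints were insufficiently validated, so this Rust sketch models the general check in question, comparing the caller-supplied LP mint with the one recorded in pool state before any pro-rata share is computed. The types, keys and amounts are constructed for illustration and assume a plain pro-rata withdrawal; the legacy program's actual logic is not described here.

```rust
// Simplified model with constructed values; account keys are 4-byte stand-ins.
type Key = [u8; 4];

struct Mint { key: Key, supply: u64 }

struct Pool { lp_mint: Key, reserve_a: u64, reserve_b: u64 }

#[derive(Debug, PartialEq)]
enum WithdrawError { WrongLpMint, ZeroSupply, AmountExceedsSupply }

/// Pro-rata share of both reserves for `lp_amount` out of `supply` LP tokens.
fn share(pool: &Pool, supply: u64, lp_amount: u64) -> Result<(u64, u64), WithdrawError> {
    if supply == 0 {
        return Err(WithdrawError::ZeroSupply);
    }
    if lp_amount > supply {
        return Err(WithdrawError::AmountExceedsSupply);
    }
    // u128 intermediate so reserve * lp_amount cannot overflow.
    let part = |reserve: u64| (reserve as u128 * lp_amount as u128 / supply as u128) as u64;
    Ok((part(pool.reserve_a), part(pool.reserve_b)))
}

/// Weak form: the supply is read from whatever mint account the caller passed.
fn withdraw_unchecked(pool: &Pool, mint: &Mint, lp_amount: u64) -> Result<(u64, u64), WithdrawError> {
    share(pool, mint.supply, lp_amount)
}

/// Hardened form: the mint must be the one recorded in the pool's own state.
fn withdraw_checked(pool: &Pool, mint: &Mint, lp_amount: u64) -> Result<(u64, u64), WithdrawError> {
    if mint.key != pool.lp_mint {
        return Err(WithdrawError::WrongLpMint);
    }
    share(pool, mint.supply, lp_amount)
}

fn main() {
    let pool = Pool { lp_mint: *b"LPOK", reserve_a: 1_000_000, reserve_b: 5_000 };
    let pool_mint = Mint { key: *b"LPOK", supply: 10_000 };
    let other_mint = Mint { key: *b"FAKE", supply: 10 }; // unrelated mint account
    println!("pool mint, checked:    {:?}", withdraw_checked(&pool, &pool_mint, 100));
    println!("other mint, unchecked: {:?}", withdraw_unchecked(&pool, &other_mint, 10));
    println!("other mint, checked:   {:?}", withdraw_checked(&pool, &other_mint, 10));
}
```

With the key comparison missing, the proportion is computed against a supply the pool never issued, which is why the proportion check alone does not protect the reserves.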

The affected pools included RAY-SOL, USDC-RAY, and SRM-RAY pairs. Early estimates showed the attacker drained around 150,000 RAY, 5,600 SOL, and nearly 900,000 USDC. The exploit did not affect Raydium's current mainnet programs, according to the protocol. The incident was not tied to active front-end trading or current liquidity infrastructure. The attacker targeted older pool contracts that remained on-chain even though they were no longer supported by Raydium's main user interface.

Raydium Commits Treasury Funds for Full User Reimbursement

Raydium said affected users will be fully reimbursed from its treasury. The protocol's decision to compensate affected users from its treasury reduces the immediate financial damage for liquidity providers. Full reimbursement limits the chance that a relatively small exploit becomes a larger reputational issue for the protocol.

The reimbursement plan reflects how much a decentralized exchange depends on the trust of its liquidity providers. The treasury response provides compensation for users whose assets were removed from the inactive pools. Raydium announced its commitment to cover losses from protocol funds following the exploit disclosure.

RAY Token Traded Higher Following Exploit Disclosure

Raydium's native RAY token traded higher on the day of the exploit disclosure. The market reaction appeared limited, suggesting investors did not view the exploit as a threat to the protocol's active trading infrastructure. That reaction likely reflects the limited scope of the incident, the legacy nature of the affected program, and the treasury-backed compensation plan.

The loss amount, while material for affected users, was small relative to larger DeFi exploits and was quickly paired with a full reimbursement commitment. That combination helped prevent a broader confidence shock. Users were told current programs were unaffected, official interfaces did not support the legacy pools, and treasury funds would cover losses.

Raydium Confirms Current Mainnet Programs Under Security Review

Raydium said its current mainnet programs are undergoing a separate security review. That step gives the protocol a chance to separate legacy risk from live infrastructure and reassure users that active markets are not exposed to the same vulnerability. The protocol stated the security review covers programs currently in use on its mainnet deployment.

The distinction matters because the incident was not tied to active front-end trading or current liquidity infrastructure. Raydium said the targeted automated market maker program had been phased out in 2021. The protocol confirmed its SDK and DAPP do not support mainnet interactions with the legacy AMM V3 pools, which limits exposure through official channels.

FAQ

What caused the Raydium exploit that removed $1.34 million in assets?

Raydium said the vulnerability stemmed from insufficient validation of LP mints in its legacy AMM V3 program, which allowed the attacker to bypass intended proportion checks. The targeted automated market maker program had been phased out in 2021 and had not been accessible through the exchange's interface since then.

How did Raydium respond to users affected by the legacy pool exploit?

Raydium committed to full reimbursement of affected users from its treasury. The protocol said users whose assets were removed from the inactive RAY-SOL, USDC-RAY, and SRM-RAY pools will be fully compensated.

Why did the RAY token trade higher after the exploit disclosure?

The market reaction appeared limited because the exploit affected inactive pools tied to an old AMM program rather than Raydium's current trading system. Investors did not view the exploit as a threat to the protocol's active trading infrastructure, given the limited scope, legacy nature of the affected program, and treasury-backed compensation plan.
