Raydium News: $1.34M Exploit Hits Deprecated Solana Liquidity Pools
Raydium, the Solana-based decentralized exchange, suffered a $1.34 million exploit on June 10, 2026, after an attacker abused five deprecated liquidity pools tied to its legacy AMM V3 program. The vulnerability had reportedly existed on-chain for about five years without being triggered.
The attacker, operating from a Solana wallet ending in “Bq33QVk,” stole roughly $900,000 in USDC, $357,000 in SOL, and $86,000 in RAY tokens.
After draining the pools, the stolen assets were bridged from Solana to Ethereum and then routed through Tornado Cash to obscure transaction history, significantly reducing any chance of recovery.
How Fake LP Tokens Were Used to Drain Real Liquidity
The exploit stemmed from a flaw in Raydium’s outdated AMM V3 smart contract logic, specifically weak validation of liquidity provider (LP) tokens. Normally, AMMs rely on LP tokens to represent a user’s share of a liquidity pool, and withdrawals require burning valid tokens linked to that pool.
However, the deprecated Raydium contract failed to properly verify the authenticity of LP token mints.
The attacker exploited this by creating a counterfeit SPL token mint unrelated to any real liquidity pool, minting a single fake LP token, and then using it to trigger withdrawal functions.
This process was repeated across five legacy pools—Sollet USDT–RAY, Sollet ETH–RAY, SRM–RAY, USDC–RAY, and RAY–SOL—resulting in the loss of approximately 150,177 RAY, 5,603 SOL, and 893,700 USDC in total.
A Raydium contributor known as 0xInfra confirmed on X that the exploit was caused by an isolated logic flaw rather than a private key compromise, meaning no risk extends to active contracts or current users.
Unlike the 2022 Raydium incident, which involved a private key breach and $4.4 million in losses, this exploit originated from dormant legacy code that remained technically callable on-chain despite being deprecated.
Cross-Chain Laundering via Tornado Cash
Blockchain investigators detected the exploit as funds were aggregated across the affected pools. The attacker then bridged assets from Solana to Ethereum and moved them through KuCoin and FixedFloat before finally depositing them into Tornado Cash.
The use of Tornado Cash effectively severed traceability, making further tracking or recovery extremely difficult.
Analysts confirmed that the wallet associated with “Bq33QVk” completed a full cross-chain exit strategy, avoiding liquidation on Solana-based exchanges.
At present, no funds have been reported frozen or intercepted by centralized platforms.
Impact on Users and Raydium Response
Importantly, no active users or live liquidity pools were affected. The exploited pools had already been deprecated and were not accessible through Raydium’s front-end interface.
Raydium confirmed that it will fully reimburse the stolen funds using its protocol treasury. The team is also formally retiring legacy AMM V3 contract IDs and conducting a broader security review across both active and outdated codebases. A reimbursement timeline has not yet been announced.
Despite the exploit, RAY saw a modest short-term increase of around 2% following the news, trading near $0.578. However, the token remains down approximately 7% over the past week and sits far below its all-time high of $16.83, reflecting broader weakness across the Solana ecosystem.
