Raydium Hit With $1.34M Exploit via Fake LP Tokens on Deprecated Solana Pools
Raydium, the Solana-based decentralized alternate, was drained of $1.34 million on June 10, 2026, when an attacker exploited 5 deprecated liquidity swimming pools from its legacy AMM V3 program, a sensible contract vulnerability that had sat dormant on-chain for 5 years.
The attacker, whose Solana tackle ends in ‘Bq33QVk,’ made off with roughly $900,000 in USDC, $357,000 in SOL, and $86,000 in RAY tokens.
Raydium confirms $1.34M exploit on legacy AMM V3 swimming pools. No present customers affected; full compensation from treasury. pic.twitter.com/tqmKATA2tH
— Solana Hub (@SolanaHub_) June 10, 2026
After draining the swimming pools, the exploiter bridged all funds from Solana to Ethereum via a cross-chain bridge, then deposited them into Tornado Cash to obscure the path, an ordinary cross-chain laundering sequence that leaves restoration prospects slim.
Discover: The Best Crypto to Diversify Your Portfolio
The LP Mint Validation Flaw: How Fake Tokens Emptied Real Pools
The root trigger was a sensible contract vulnerability in Raydium’s legacy AMM V3 program, a DeFi exploit enabled by inadequate LP token validation. In any customary automated market maker, liquidity pool shares are represented by LP tokens that observe a supplier’s proportional stake. When funds are withdrawn, the contract verifies the LP tokens being burned match the pool’s reliable mint.
Raydium’s deprecated AMM V3 program didn’t carry out that verify. The attacker created a pretend SPL token mint unrelated to any actual Raydium liquidity pool, minted a single unit of that counterfeit LP token, then known as the legacy withdraw perform.
The outdated contract handled the attacker as a 100% LP shareholder and launched all the pool’s reserves.
The sequence was repeated throughout all 5 deprecated swimming pools, Sollet USDT–RAY, Sollet ETH–RAY, SRM–RAY, USDC–RAY, and RAY–SOL, draining roughly 150,177 RAY, 5,603 SOL, and 893,700 USDC in whole.
Pseudonymous Raydium contributor 0xInfra confirmed on X that the assault was brought on by “a self-contained logic flaw” and explicitly dominated out any key compromise or authority-level subject, that means no propagation threat exists to present Raydium applications.
The December 2022 Raydium hack, a roughly $4.4 million loss brought on by a non-public key theft – had pushed the crew to harden operational safety and migrate to audited contracts.
The June 2026 incident is a structurally completely different failure: not an operational breach, however a legacy codebase left callable on-chain with actual belongings nonetheless sitting inside it.
Tornado Cash Exit: Funds Bridge to Ethereum, Trail Goes Cold
On-chain investigators flagged the exploit in actual time because the attacker aggregated USDC, SOL, and RAY throughout the 5 drained swimming pools earlier than shifting cross-chain.
The full stability was bridged from Solana to Ethereum, then routed by means of KuCoin and FixedFloat earlier than touchdown in Tornado Cash, the privateness protocol that is still the exit ramp of selection for DeFi exploit proceeds.
Community analysts monitoring the pockets ending in ‘Bq33QVk’ confirmed the whole cross-chain exit, noting the attacker didn’t try and liquidate funds by means of Solana-native venues.
Once inside Tornado Cash, transaction-level tracing breaks down. No funds are reported frozen or flagged by centralized exchanges right now.
No Active Users Affected, Raydium Treasury to Cover Losses
The most vital speedy truth for Raydium customers: no lively accounts or present swimming pools have been touched. “No present customers of Raydium are affected by this exploit or would have been capable of work together with these swimming pools by means of the UI since their deprecation,” 0xInfra said.
The deprecated AMM V3 swimming pools have been invisible within the front-end and inaccessible by means of regular consumer flows.
Raydium confirmed it’ll repay all stolen funds in full utilizing its protocol treasury. Legacy AMM V3 program IDs are being formally retired to stop additional calls, and the crew has launched a complete safety assessment of all mainnet and legacy code paths. The reimbursement timeline has not been specified publicly.
RAY token is up round 2% within the 24 hours following the incident, buying and selling at $0.578. The token has shed 7% over the previous week amid broader Solana ecosystem weakness and sits 96.6% beneath its all-time high of $16.83.
Discover: The Best Token Presales
The submit Raydium Hit With $1.34M Exploit via Fake LP Tokens on Deprecated Solana Pools appeared first on Cryptonews.
