
Raydium core contributor Infra confirmed Wednesday that an attacker drained ~$1.34M from the legacy AMM V3 program, a contract phased out in 2021. Current users were unaffected, the treasury will cover full compensation, and the root cause was a self-contained LP-mint validation flaw. PeckShield earlier traced the laundering across KuCoin, a Solana-to-Ethereum bridge, Tornado Cash and FixedFloat.
Solana DEX Raydium confirmed Wednesday that an attacker drained approximately $1.34 million from its legacy AMM V3 program, a deprecated contract phased out in 2021, with current users unaffected and full compensation coming from the protocol treasury.
Raydium core contributor Infra disclosed the breakdown on X: the attacker took roughly 150,177 RAY, 5,603 SOL, and 893,700 USDC across five legacy pools (Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, RAY-SOL). The exploiter’s address, `4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk`, was the sole entry point. The protocol said no current users could have reached the affected pools through the UI since the contract’s deprecation, and that current Raydium programs are unaffected.
The Root Cause
The vulnerability was a self-contained logic flaw in the deprecated AMM V3 program, not a key compromise or authority-level issue, according to Raydium. The contract did not properly verify the LP mint address, allowing the attacker to create a new mint and use it as the LP token, bypassing the program’s proportion checks. The contract had previously been used only to place orders on the now-defunct Serum order book, and its associated liquidity had remained idle following Serum’s collapse.
All other Raydium mainnet programs use a virtual supply mechanism and verify the LP mint along with related account information, preventing this class of vulnerability, the team said. Raydium core contributors are conducting a security review of all mainnet programs.
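A simplified model of the missing check described above, shown next to the hardened form. This is an added example, not Raydium's code and not part of the original article. The `Pool`, `Mint` and function names are hypothetical, and it assumes a withdrawal is computed pro rata against the supply of whichever LP mint account the caller passes in.

```rust
// Simplified model, constructed for illustration; not Raydium's code.
// All type and function names here are hypothetical.
type Pubkey = [u8; 32];

struct Mint { address: Pubkey, supply: u64 }
struct Pool { lp_mint: Pubkey, reserve_a: u64, reserve_b: u64 }

#[derive(Debug, PartialEq)]
enum WithdrawError { InvalidLpMint, ZeroSupply, AmountExceedsSupply }

// Pro-rata share of both reserves for `lp_amount`, measured against the
// supply of the mint account that was passed in.
fn pro_rata(pool: &Pool, mint: &Mint, lp_amount: u64) -> Result<(u64, u64), WithdrawError> {
    if mint.supply == 0 { return Err(WithdrawError::ZeroSupply); }
    if lp_amount > mint.supply { return Err(WithdrawError::AmountExceedsSupply); }
    let share = |reserve: u64| (reserve as u128 * lp_amount as u128 / mint.supply as u128) as u64;
    Ok((share(pool.reserve_a), share(pool.reserve_b)))
}

// Flawed form: the proportion check runs, but against an unvalidated mint,
// so its supply figure is not the pool's real LP supply.
fn withdraw_unchecked(pool: &Pool, mint: &Mint, lp_amount: u64) -> Result<(u64, u64), WithdrawError> {
    pro_rata(pool, mint, lp_amount)
}

// Hardened form: the mint account must be the one recorded in pool state
// before any of its fields are trusted.
fn withdraw_checked(pool: &Pool, mint: &Mint, lp_amount: u64) -> Result<(u64, u64), WithdrawError> {
    if mint.address != pool.lp_mint {
        return Err(WithdrawError::InvalidLpMint);
    }
    pro_rata(pool, mint, lp_amount)
}

// Constructed sample state.
fn sample_pool() -> Pool {
    Pool { lp_mint: [1; 32], reserve_a: 1_000_000, reserve_b: 500_000 }
}

fn main() {
    let pool = sample_pool();
    let genuine = Mint { address: [1; 32], supply: 10_000 };
    let foreign = Mint { address: [9; 32], supply: 100 }; // not the pool's LP mint
    println!("unchecked, foreign mint: {:?}", withdraw_unchecked(&pool, &foreign, 100));
    println!("checked, foreign mint:   {:?}", withdraw_checked(&pool, &foreign, 100));
    println!("checked, genuine mint:   {:?}", withdraw_checked(&pool, &genuine, 100));
}
```

In an audit of similar programs, the thing to look for is any account whose fields feed a calculation before its address has been compared with the value stored in program state.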
The Laundering Chain
Within hours of the theft, onchain monitors traced a cross-chain laundering sequence. Security firm PeckShield flagged the incident via its alert account, citing onchain watcher Specter. The attacker sourced seed funds from KuCoin, bridged the stolen assets from Solana to Ethereum, deposited 810 ETH into Tornado Cash, and routed a further 7 ETH through instant-swap service FixedFloat.
The sequence documents the CEX-seed-to-mixer playbook executed across two chains in a single session. KuCoin, a centralized exchange that operates KYC and AML controls, was the originating funding source. From there, stolen Solana-native assets were bridged to Ethereum, converting liquidity into ETH and gaining access to Ethereum-native privacy infrastructure. The larger ETH stream entered Tornado Cash, the privacy mixer whose smart contracts the U.S. Treasury’s Office of Foreign Assets Control sanctioned in August 2022. The remaining 7 ETH went to FixedFloat, a non-custodial instant-swap service that converts assets without requiring account registration.
Raydium’s Scale on Solana
Raydium is an automated market maker built on the Solana blockchain. It operates as both a concentrated liquidity AMM and a permissionless pool-creation platform, and serves as one of Solana’s primary liquidity venues. The protocol holds approximately $797 million in total value locked, per DefiLlama. Its fee revenue over the trailing 30 days totaled approximately $5.15 million, per the same source. The $1.34 million drain represents less than 0.2% of the protocol’s on-chain liquidity base, and the affected pools sit outside the current product surface.