Raydium confirmed Monday that an attacker drained roughly $1.34 million from its legacy AMM V3 program, a deprecated contract the decentralized exchange phased out in 2021. Current users of the platform are unaffected by the exploit, and the protocol has pledged to fully reimburse the stolen funds from its treasury. The disclosure came from Raydium core contributor Infra.
The Compromised Contract
The exploited program was an old automated market maker version that Raydium stopped using nearly three years ago. Because the contract was no longer active for new trades or liquidity pools, the damage was contained to the funds sitting in that specific program. The attacker targeted a piece of infrastructure that the team had already abandoned, not the live AMM system.
Raydium's current AMM contracts — V4 and V5 — were not touched. The company has not explained how the attacker managed to access a deprecated program or whether any security vulnerability in the legacy code was already known.
Who Was Affected
Exactly zero current Raydium users lost money. The exploit only hit the old contract's remaining balance, which the protocol had kept on ice. No user wallets, active pools, or ongoing trades were compromised. For anyone trading on Raydium today, the incident has no practical impact.
The company stressed that customer funds are safe and that the drain does not affect its current operations. Still, the news raises questions about why a deprecated contract still held over a million dollars in the first place.
Compensation Plan
Raydium said it will make victims whole from its protocol treasury. That treasury, funded by trading fees and past revenue, should cover the $1.34 million loss without pinching the company's runway. The pledge covers all funds taken, though no timeline for restitution has been announced.
The move is standard in DeFi — many projects have reimbursed users after hacks, especially when the exploit targeted outdated code rather than a live product. Raydium's treasury appears healthy enough to absorb the hit.
Disclosure and Next Steps
Core contributor Infra broke the news, and the team has not held a public Q&A or call since. The company hasn't said whether it will pursue legal action or try to trace the attacker. It also hasn't detailed any changes to how it manages legacy contracts — like whether it now plans to sweep remaining funds out of old programs more aggressively.
The broader DeFi community will be watching to see if this incident prompts other protocols to audit their own deprecated contracts for stray balances. For now, Raydium users can keep trading. The question is how many other old, forgotten programs still hold money worth stealing.




