Raydium lost roughly $1.3 million Wednesday in an exploit that hit five legacy liquidity pools on Solana — pools that had been retired but still held dormant code. The attack, flagged by blockchain security firm PeckShield and on-chain investigator Specter, didn't touch any active user funds. But it's a stark reminder that old smart contracts can stay vulnerable long after they're turned off.
How the exploit worked
The attacker exploited a validation flaw in pools tied to Raydium's early automated market maker (AMM) design. By using a fake mint address, they tricked the contract into withdrawing liquidity undetected. The stolen haul: roughly 150,177 RAY, 5,603 SOL, and 893,700 USDC. The break-in only affected dormant code — Raydium's team confirmed no current users or active pools were involved.
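The class of check at issue, as a simplified model added here for illustration. It is not Raydium's code, and the page does not publish the affected contract. The `Pool`, `TokenAccount` and handler names are hypothetical, as is the assumption that the unvalidated field was the mint of the LP token account presented at withdrawal.

```rust
// Added illustration, not Raydium's code; every name is hypothetical.
type Pubkey = [u8; 32];

#[derive(Debug, PartialEq)]
enum WithdrawError { WrongMint, BadAmount }

struct Pool { lp_mint: Pubkey, lp_supply: u64, reserve_a: u64, reserve_b: u64 }

// A token account handed to the withdraw instruction. The caller picks
// which account to pass, so both fields are untrusted input.
struct TokenAccount { mint: Pubkey, amount: u64 }

// Pro-rata redemption shared by both handlers below.
fn redeem(pool: &mut Pool, lp: &mut TokenAccount, burn: u64) -> Result<(u64, u64), WithdrawError> {
    if burn == 0 || burn > lp.amount || burn > pool.lp_supply {
        return Err(WithdrawError::BadAmount);
    }
    let supply = pool.lp_supply as u128;
    let a = (pool.reserve_a as u128 * burn as u128 / supply) as u64;
    let b = (pool.reserve_b as u128 * burn as u128 / supply) as u64;
    lp.amount -= burn;
    pool.lp_supply -= burn;
    pool.reserve_a -= a;
    pool.reserve_b -= b;
    Ok((a, b))
}

// Weak form: only the balance is checked, never which mint it belongs to.
fn withdraw_weak(pool: &mut Pool, lp: &mut TokenAccount, burn: u64) -> Result<(u64, u64), WithdrawError> {
    redeem(pool, lp, burn)
}

// Hardened form: the account must belong to the LP mint the pool recorded.
fn withdraw_checked(pool: &mut Pool, lp: &mut TokenAccount, burn: u64) -> Result<(u64, u64), WithdrawError> {
    if lp.mint != pool.lp_mint { return Err(WithdrawError::WrongMint); }
    redeem(pool, lp, burn)
}

// Constructed sample state: LP mint [1; 32], 1,000 LP tokens outstanding.
fn sample_pool() -> Pool {
    Pool { lp_mint: [1; 32], lp_supply: 1_000, reserve_a: 50_000, reserve_b: 20_000 }
}

fn main() {
    // Constructed account whose mint ([9; 32]) is not the pool's LP mint.
    let mut other = TokenAccount { mint: [9; 32], amount: 1_000 };
    println!("weak:    {:?}", withdraw_weak(&mut sample_pool(), &mut other, 1_000));
    println!("checked: {:?}", withdraw_checked(&mut sample_pool(), &mut other, 1_000));
}
```

The same comparison applies to every account a retired program still accepts, since retiring a pool in the interface does not stop its instructions from being called.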
The attacker's trail
Initial funding came from KuCoin. From there, the attacker bridged the stolen assets from Solana to Ethereum, then deposited 810 ETH into Tornado Cash and another 7 ETH into FixedFloat. Tornado Cash is no longer under U.S. sanctions — the Treasury delisted it in March 2025 — but the mixer still offers privacy that makes tracing difficult.
Raydium's response
The protocol's treasury will fully cover the losses. For the broader user base, it's business as usual. The team stressed that the exploit only hit retired AMM code, not the active pools most traders use. Still, the timing isn't great: SOL slipped nearly 2% in the hours after the news, to about $63.88, and RAY dropped less than 1%, trading near $0.57.
A déjà vu moment
This isn't Raydium's first rodeo. In December 2022, a similar exploit, in that case an admin key compromise, drained active pools. The protocol compensated liquidity providers through a governance vote, using buyback fees and vested team tokens. This time the damage is smaller and the root cause is different: not a key leak, but a validation hole in legacy code. The incident underscores how dormant contracts can remain a target long after retirement. Raydium says it's reviewing the old AMM codebase, though no timeline for a patch has been shared yet.




