On June 10, an attacker drained $1.34 million from Raydium, one of Solana’s largest decentralized exchanges. The exploit touched no active pools, required no key compromise, and broke no code the Raydium team was actively maintaining.
It targeted five liquidity pools from Raydium’s legacy AMM V3 program, a smart contract Raydium phased out in 2021 and has since removed from its interface. Those pools sat dormant on-chain for five years. They still held funds. That was enough.
How the Attack Actually Worked
The exploit relied on a fake LP token mint that slipped past validation checks in the retired code. Active pools, the CLMM, and newer AMM versions were untouched.
The attacker minted a fake LP token with a supply of just 1, bypassed the proportion checks, and drained the pools entirely. The vulnerability was not in Raydium’s current infrastructure. It was in code the team had considered retired.
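A simplified model of the missing validation, added here as an illustration and not taken from Raydium's AMM V3 code: it assumes the withdrawal path computed the payout from the supply of whichever LP mint account the caller passed in. All type and function names are hypothetical, and the numbers are constructed.

```rust
// Simplified model of a proportional LP withdrawal. Constructed for
// illustration; types and names are hypothetical, not Raydium's code.
#[derive(Clone, Copy, PartialEq, Debug)]
struct Pubkey(u8);

struct Mint { key: Pubkey, supply: u64 }

struct Pool { lp_mint: Pubkey, reserve_a: u64, reserve_b: u64 }

#[derive(Debug, PartialEq)]
enum WithdrawError { WrongLpMint, ZeroSupply, AmountExceedsSupply }

// Share of each reserve owed for burning `lp_amount` out of `supply`.
fn pro_rata(pool: &Pool, lp_amount: u64, supply: u64) -> Result<(u64, u64), WithdrawError> {
    if supply == 0 { return Err(WithdrawError::ZeroSupply); }
    if lp_amount > supply { return Err(WithdrawError::AmountExceedsSupply); }
    let part = |r: u64| (r as u128 * lp_amount as u128 / supply as u128) as u64;
    Ok((part(pool.reserve_a), part(pool.reserve_b)))
}

// Weak form: trusts whatever mint account the caller supplies, so the
// proportion is computed against a supply the caller controls.
fn withdraw_unchecked(pool: &Pool, mint: &Mint, lp_amount: u64) -> Result<(u64, u64), WithdrawError> {
    pro_rata(pool, lp_amount, mint.supply)
}

// Hardened form: the supplied mint must be the one recorded in pool state
// before its supply is used in any arithmetic.
fn withdraw_checked(pool: &Pool, mint: &Mint, lp_amount: u64) -> Result<(u64, u64), WithdrawError> {
    if mint.key != pool.lp_mint { return Err(WithdrawError::WrongLpMint); }
    pro_rata(pool, lp_amount, mint.supply)
}

// Constructed sample: a pool whose real LP mint has a supply of 1,000,000,
// and an unrelated mint with a supply of 1.
fn sample() -> (Pool, Mint, Mint) {
    let pool = Pool { lp_mint: Pubkey(1), reserve_a: 500_000, reserve_b: 250_000 };
    (pool, Mint { key: Pubkey(1), supply: 1_000_000 }, Mint { key: Pubkey(2), supply: 1 })
}

fn main() {
    let (pool, real, foreign) = sample();
    println!("real mint, checked:      {:?}", withdraw_checked(&pool, &real, 1_000));
    println!("foreign mint, unchecked: {:?}", withdraw_unchecked(&pool, &foreign, 1));
    println!("foreign mint, checked:   {:?}", withdraw_checked(&pool, &foreign, 1));
}
```

The proportion arithmetic is identical in both forms; only the identity check on the mint account separates a 0.1% payout from the full reserves.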
The five affected pools were Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL, all of which had been deprecated after the Serum protocol was sunset following the FTX collapse. The attacker walked away with approximately $900,000 in USDC, $357,000 in SOL, and $86,000 in RAY tokens. PeckShield traced part of the stolen crypto through KuCoin and into Tornado Cash.
Raydium confirmed it will cover all losses from its protocol treasury. No current users were affected.
Why Reimbursement Is Not the Full Story
Mitchell Amador, CEO of Immunefi, the leading onchain security platform, provided DailyCoinPost with exclusive commentary on the exploit and what it signals about DeFi’s evolving attack surface.
“The Raydium exploit is a reminder that DeFi security is not just about protecting the newest version of a protocol. Legacy programs, inactive pools, and deprecated contracts can remain part of the live attack surface for years if they still hold value or remain callable onchain. Attackers do not care whether a team considers something retired. If there is residual liquidity, weak validation logic, or an overlooked pathway to move funds, it remains a target.”
Amador acknowledged Raydium’s response but framed reimbursement as a partial answer. “Raydium’s decision to cover affected users from its treasury is the right response from a user-protection standpoint. But the broader trend is that DeFi security is improving, and the nature of exploits is changing. Many of the simple, repeatable attack patterns have been reduced through better audits, bug bounty programs, and more mature security practices. That means newer infrastructure might be relatively safe from those vulnerabilities but legacy infrastructure is not.”
The conclusion from Immunefi is direct: “The lesson for teams is that security has to cover the full lifecycle of a protocol: launch, upgrades, migrations, deprecations, and monitoring of anything that remains live. A retired contract with funds in it is still production infrastructure from an attacker’s perspective.”
The Pattern Behind the Exploit
This is not Raydium’s first security incident. The December 2022 Raydium hack, a roughly $4.4 million loss caused by a private key theft, had pushed the team to harden operational security and migrate to audited contracts. They did exactly that. The current infrastructure was not touched. The attack came from a direction they had stopped watching.
More than $84 million was lost across dozens of crypto hacking incidents during May 2026 alone, demonstrating that both new and legacy protocols remain attractive targets. The industry has gotten meaningfully better at securing the code it is actively building. It has not gotten better at securing the code it forgot about.
Because smart contracts are immutable, fully removing old code that still holds funds is never straightforward. A deprecated contract is not deleted. It sits on-chain, callable by anyone who knows the address, until someone explicitly migrates or burns the remaining funds. If that step is skipped, the contract remains part of the attack surface indefinitely.
The Raydium AMM V3 was phased out in 2021. It sat on Solana’s blockchain for five years with residual liquidity. On June 10, someone finally remembered it was there.
What Teams Should Take From This
Amador’s framework for Immunefi’s clients applies beyond Raydium. Security has to cover the full protocol lifecycle, not just the current version. Every migration leaves a trail of old contracts. Every deprecated pool that still holds value is a potential target. The audit that covered the launch does not cover the code that was retired two years later.
The treasury backstop that makes this a contained incident for Raydium’s users does not exist at every protocol. US authorities sanctioned Tornado Cash in 2022, and its continued use in exploit laundering gives regulators ammunition to argue for stricter oversight of DeFi protocols. The reimbursement covers the users. It does not address the structural question of how many other deprecated contracts across Solana and other chains are sitting in the same position the Raydium AMM V3 was in on June 9.
Commentary provided exclusively to DailyCoinPost by Immunefi.