Raydium has confirmed an exploit targeting its legacy AMM V3 program, a system that was phased out back in 2021 and had been sitting dormant ever since. The attacker pulled roughly $1.34 million in assets from five liquidity pools. No one using Raydium today was affected.

The protocol said full compensation will come from its treasury.

According to @0xINFRA, on X:

“Raydium is aware of an exploit involving unauthorized removal of liquidity from its legacy AMM V3 program which was previously phased out in 2021. No current users of Raydium are affected by this exploit or would have been able to interact with these pools through the UI since their deprecation.”

The exploiter’s wallet address is 4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk.

What the Attacker Actually Stole

Five pools got hit. Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL. Across those five, the attacker walked away with approximately 150,177 RAY, 5,603 SOL, and 893,700 USDC. Combined market value at the time: around $1.34 million.

That figure is not small, but the scope is contained. Raydium’s SDK and DAPP never supported mainnet interactions with these legacy V3 pools after deprecation, so no retail user could have accidentally exposed funds through the normal interface.

The PDF of affected LP positions published alongside the disclosure shows dozens of individual token accounts with fractional balances, some under a tenth of a RAY. The attacker systematically swept all of them.

How a Dead Program Got Exploited

Legacy AMM V3 had one job after Serum was deprecated: nothing. The program originally placed orders on the Serum order book but offered no swap functionality. Once Serum shut down, the associated liquidity sat idle inside the contract.

The flaw was in how that old program checked LP token ownership. It did not properly verify the LP mint address. That gap let the attacker create a fresh mint, pass it off as the legitimate LP token, and bypass the proportion checks meant to guard withdrawals.

Every current Raydium program uses a virtual supply method for those same proportion checks and verifies LP mint addresses correctly. The bug was isolated to the legacy V3 code.

@0xINFRA confirmed on X:

“The vulnerability stemmed from insufficient validation of the LP mint. Because the program did not properly verify the LP mint address, an attacker was able to create a new mint and use it as the LP token, bypassing the intended proportion checks.”

Worth noting: this was not a key compromise or an authority-level breach. It was a self-contained logic flaw. That distinction matters because it means the vulnerability could not spread to other programs.

Treasury Pays, Security Review Underway

Raydium’s core contributors are now conducting a security review across all mainnet programs. The team was clear that this is precautionary, since the exploit flaw does not carry over to current infrastructure.

The treasury compensation commitment follows a pattern Raydium established after the December 2022 hack, when an attacker used a private key compromise to drain roughly $4.4 million from live pools. That incident was structurally different and far more damaging to active users. This one hit only abandoned liquidity that had been locked in a zombie program for four years.

For Solana-based DeFi users watching from markets like East Africa, where RAY is traded on regional peer-to-peer platforms alongside SOL, the takeaway is that current holdings are not at risk. The protocol’s active programs were not touched.