Solana DEX Raydium confirmed Wednesday that an attacker drained approximately $1.34 million from its legacy AMM V3 program, a deprecated contract phased out in 2021, with current users unaffected and full compensation coming from the protocol treasury.
Raydium core contributor Infra disclosed the breakdown on X: the attacker took roughly 150,177 RAY, 5,603 SOL, and 893,700 USDC across five legacy pools (Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, RAY-SOL). The exploiter's address, `4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk`, was the sole entry point. The protocol said no current users could have reached the affected pools through the UI since the contract's deprecation, and that current Raydium programs are unaffected.
The vulnerability was a self-contained logic flaw in the deprecated AMM V3 program, not a key compromise or authority-level issue, according to Raydium. The contract did not properly verify the LP mint address, allowing the attacker to create a new mint and use it as the LP token, bypassing the program's proportion checks. The contract had previously been used only to place orders on the now-defunct Serum order book, and its associated liquidity had remained idle following Serum's collapse.
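
The missing check described above can be shown with a simplified model. This is an added example, not Raydium's code: it is plain Rust with no Solana SDK, and every type, function name, value and the proportional-withdraw formula are assumptions made for illustration.

```rust
// Simplified model of an LP-mint validation check (added example, not Raydium's code).
// All names and values are hypothetical; accounts are reduced to plain structs.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
struct Pubkey([u8; 32]);

struct Mint { key: Pubkey, supply: u64 }
struct Pool { lp_mint: Pubkey, reserve: u64 }

#[derive(Debug, PartialEq)]
enum WithdrawError { WrongLpMint, ZeroSupply, BurnExceedsSupply }

// Proportion check: burning `burn` of `supply` LP tokens entitles the caller
// to reserve * burn / supply. It is only meaningful if `supply` is trustworthy.
fn proportional_share(reserve: u64, burn: u64, supply: u64) -> Result<u64, WithdrawError> {
    if supply == 0 { return Err(WithdrawError::ZeroSupply); }
    if burn > supply { return Err(WithdrawError::BurnExceedsSupply); }
    Ok((reserve as u128 * burn as u128 / supply as u128) as u64)
}

// Flawed pattern: the mint account is taken from the caller without comparing
// it to pool state, so the supply used in the proportion is caller-controlled.
fn withdraw_unchecked(pool: &Pool, mint: &Mint, burn: u64) -> Result<u64, WithdrawError> {
    proportional_share(pool.reserve, burn, mint.supply)
}

// Hardened pattern: reject any mint that is not the one recorded for the pool
// before its supply is used in the calculation.
fn withdraw_checked(pool: &Pool, mint: &Mint, burn: u64) -> Result<u64, WithdrawError> {
    if mint.key != pool.lp_mint { return Err(WithdrawError::WrongLpMint); }
    proportional_share(pool.reserve, burn, mint.supply)
}

fn main() {
    // Constructed sample state.
    let pool = Pool { lp_mint: Pubkey([1; 32]), reserve: 1_000_000 };
    let real = Mint { key: Pubkey([1; 32]), supply: 10_000 };
    let foreign = Mint { key: Pubkey([2; 32]), supply: 10 };

    println!("legit, checked:     {:?}", withdraw_checked(&pool, &real, 100));
    println!("foreign, unchecked: {:?}", withdraw_unchecked(&pool, &foreign, 10));
    println!("foreign, checked:   {:?}", withdraw_checked(&pool, &foreign, 10));
}
```

In an audit, the thing to look for is any account whose fields feed a calculation without first being compared against the address stored in program state.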











