Raydium confirmed a $1.34 million drain tied to its legacy AMM V3 contract, a deprecated program phased out in 2021. In a security incident like this, the headline detail is the plumbing. The attacker did not hit Raydium’s current trading flow. They targeted an old contract that still held value.
What Raydium says happened
According to The Defiant, Raydium reported that an attacker drained approximately $1.34 million from its “legacy AMM V3 program.” Raydium also said the contract was deprecated and that it was phased out in 2021.
Two other points matter for users, not just forensics. Raydium said current users were unaffected. It also pledged that full compensation would come from the protocol treasury.
The Defiant adds that Raydium core contributor Infra disclosed the details. The implication is clear. This was not an emergency patch to the active system. It was a withdrawal from a “dead” piece of code that still had exposure.
Where risk can hide in “deprecated” code
A deprecated AMM contract is supposed to sit quietly after migrations. In practice, “quiet” depends on whether anything still points to it, or whether liquidity and balances remain reachable. If assets remain associated with legacy routes, an attacker can sweep them even when the UI and mainstream liquidity have moved on.
That is the central risk in legacy DeFi components. “Deprecated” often means “not the default.” It does not always mean “no longer valuable” or “cannot be accessed in any way.” Raydium’s own statement to The Defiant frames the incident as limited in scope, with current users unaffected.
But it also serves as a reminder that lifecycle management is part of security. Old contracts can stay in the attack surface longer than teams expect, especially when incentives, routers, or integrations keep reference paths alive.
Compensation from the Raydium treasury
Raydium promised full compensation from its protocol treasury, The Defiant reports. That matters because it tells you who absorbs the loss. It is not simply a “users are covered by insurance” statement with no mechanism. The stated plan is direct reimbursement.
Still, compensation is not the same thing as prevention. Treasury-funded refunds can restore fairness for affected parties, but they do not change the underlying lesson. If deprecated contracts can be drained, the next question is what gaps in tooling and monitoring kept the exposure from being noticed earlier.
The “inactive” contract question
The Defiant’s framing is that AMM V3 was deprecated and phased out in 2021. So why could it be drained now? The article excerpt does not spell out the exact exploit path, only that a $1.34 million drain occurred and that Raydium confirmed it.
For readers, the practical next step is to watch for Raydium’s follow-up disclosure beyond confirmation and compensation. In these incidents, the most actionable information is usually technical: what permission or entry point let the attacker move funds, and whether it was a token approval, a pool configuration, a router behavior, or something else in the legacy contract’s state.
What to watch next
Raydium says current users are unaffected and full compensation is coming, as reported by The Defiant. That reduces the immediate damage radius.
The longer tail is operational. Teams typically respond to drains like this by improving deprecation practices, adding stronger kill switches for legacy modules, and tightening monitoring around old contracts that still contain balances.
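The monitoring described above can be sketched as a check over balance snapshots. This is an added example, not Raydium's tooling: the program names, thresholds and USD figures are constructed, and it assumes an indexer or RPC poller already produces per-program vault balances.

```python
from dataclasses import dataclass

@dataclass
class Program:
    name: str
    status: str       # "active" or "deprecated" (labels assumed for this example)
    snapshots: list   # [(timestamp, usd_balance), ...], oldest first

def audit_legacy(programs, residual_usd=10_000.0, outflow_pct=1.0):
    """Return alerts for deprecated programs that still hold value or lose it."""
    alerts = []
    for p in programs:
        if p.status != "deprecated" or not p.snapshots:
            continue
        latest_ts, latest = p.snapshots[-1]
        # Residual exposure: a retired program should hold close to nothing.
        if latest >= residual_usd:
            alerts.append((p.name, "RESIDUAL_VALUE", latest_ts, latest))
        # Outflow: after migration, value leaving a retired program is anomalous.
        for (_, prev), (ts, cur) in zip(p.snapshots, p.snapshots[1:]):
            if prev > 0 and (prev - cur) / prev * 100 >= outflow_pct:
                alerts.append((p.name, "UNEXPECTED_OUTFLOW", ts, prev - cur))
    return alerts

# Constructed sample data; none of these values are taken from the chain.
SAMPLE = [
    Program("amm-current", "active",
            [("t0", 5_000_000.0), ("t1", 4_100_000.0)]),
    Program("amm-legacy-a", "deprecated",
            [("t0", 1_500_000.0), ("t1", 1_500_000.0), ("t2", 160_000.0)]),
    Program("amm-legacy-b", "deprecated",
            [("t0", 120.0), ("t1", 120.0)]),
]

if __name__ == "__main__":
    for alert in audit_legacy(SAMPLE):
        print(alert)
```

The residual-value alert is the one that matters before an incident: run on the `t0` snapshot alone, it already flags `amm-legacy-a` as holding funds it should not.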
Until Raydium details the exact mechanics, the best you can take from this confirmation is structural. Legacy contracts can still bleed value. Even when a contract is labeled “deprecated,” the chain does not care what a team calls it.