Raydium says it’s investigating an exploit that drained older liquidity pools worth about $1.34 million. Protos reports the incident was flagged by crypto investigator “Specter” around 3pm GMT+1, with Specter claiming the funds were bridged to Ethereum and are now being laundered via Tornado Cash.
Raydium’s official account, “Infra,” responded quickly. Protos quotes Infra saying Raydium is aware of the exploit and is running a security review to determine what happened.
What the attacker reportedly did
Infra’s explanation pins the problem on Raydium’s legacy AMM V3 program, which Raydium “phased out in 2021,” according to Protos. Infra attributes the drain to a vulnerability tied to insufficient validation of the LP mint.
The key failure mode, per Infra as quoted by Protos, is simple enough to sound boring, which is why it’s dangerous. The program “did not properly verify the LP mint address.” That let an attacker create a new mint and use it as the LP token.
With that fake LP token in hand, the attacker could “bypass the intended proportion checks,” Protos reports. Infra framed it as a self-contained logic flaw, not an operator error and not an authority-level compromise.
Infra also pointed out that Raydium’s other mainnet programs avoid this specific vulnerability. Protos says those programs use a “virtual supply mechanism for proportion checks and correctly verify the LP mint along with all other relevant account information.”
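The missing check described above, as an added example in a simplified model. This is not Raydium's code: every type and function name is hypothetical, and it assumes the withdrawal share is computed from the supply of whichever mint account the caller supplies.

```rust
// Simplified model, not Raydium's code: all types and names are hypothetical.
#[derive(Clone, Copy, PartialEq, Debug)]
struct MintId(u64);

// A token mint account as passed in by the caller of the instruction.
struct MintAccount { id: MintId, supply: u64 }

// Pool state records which mint is the legitimate LP mint.
struct Pool { lp_mint: MintId, reserve_a: u64, reserve_b: u64 }

#[derive(Debug, PartialEq)]
enum WithdrawError { WrongLpMint, ZeroSupply, AmountExceedsSupply }

// Pro-rata payout for burning `amount` LP tokens out of `supply`.
fn pro_rata(pool: &Pool, amount: u64, supply: u64) -> Result<(u64, u64), WithdrawError> {
    if supply == 0 { return Err(WithdrawError::ZeroSupply); }
    if amount > supply { return Err(WithdrawError::AmountExceedsSupply); }
    let share = |r: u64| (r as u128 * amount as u128 / supply as u128) as u64;
    Ok((share(pool.reserve_a), share(pool.reserve_b)))
}

// Flawed (assumed shape of the bug): trusts whatever mint account is supplied,
// so the proportion check runs against a supply the pool never issued.
fn withdraw_unchecked(pool: &Pool, mint: &MintAccount, amount: u64) -> Result<(u64, u64), WithdrawError> {
    pro_rata(pool, amount, mint.supply)
}

// Hardened: the supplied mint must be the one recorded in pool state.
fn withdraw_checked(pool: &Pool, mint: &MintAccount, amount: u64) -> Result<(u64, u64), WithdrawError> {
    if mint.id != pool.lp_mint { return Err(WithdrawError::WrongLpMint); }
    pro_rata(pool, amount, mint.supply)
}

fn main() {
    // Constructed sample values.
    let pool = Pool { lp_mint: MintId(1), reserve_a: 1_000_000, reserve_b: 500_000 };
    let real = MintAccount { id: MintId(1), supply: 10_000 };
    let substituted = MintAccount { id: MintId(99), supply: 1 }; // caller-created mint
    println!("real mint, checked:        {:?}", withdraw_checked(&pool, &real, 100));
    println!("substituted mint, flawed:  {:?}", withdraw_unchecked(&pool, &substituted, 1));
    println!("substituted mint, checked: {:?}", withdraw_checked(&pool, &substituted, 1));
}
```

In the flawed path the proportion arithmetic is correct but meaningless, because its denominator comes from an account the pool never bound to its state.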
How much got stolen, and which tokens
After an initial review, Infra told Protos that 150,177 RAY, 5,603 SOL, and 893,700 USDC were stolen. Protos estimates the combined value at roughly $1.34 million.
Here are the figures Infra reported:
| Asset | Amount stolen (Infra via Protos) | Notes |
|---|---|---|
| RAY | 150,177 | legacy pool drain |
| SOL | 5,603 | legacy pool drain |
| USDC | 893,700 | legacy pool drain |
Infra also said that affected users will be “fully compensated by Raydium’s treasury,” according to Protos.
Risk scope: deprecated pools, UI access, and “current users”
The part that matters for most readers is who can actually be harmed today.
Infra told Protos that “No current users of Raydium are affected by this exploit or would have been able to interact with these pools through the UI since their deprecation.” That matters because “deprecated” isn’t just a word for developers. It’s an attack surface claim.
Still, the existence of a logic flaw in a legacy program is a reminder that deprecation does not automatically mean “impossible to reach.” If a program still sits on-chain and still accepts the same types of inputs, a determined attacker can keep probing until something breaks.
Where the money went, per Specter
Protos reports that Specter claimed the attackers moved the stolen funds by bridging them to Ethereum and then using Tornado Cash for laundering. Specter also shared what they believe are the attacker addresses, including:
0x0EaBAAb9a56011c6158D4aA7f2E49A82fB34E609 4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk
Protos does not confirm these claims independently, but they do show what Raydium is up against operationally. If value crosses chains quickly, the fastest response shifts from “fix the contract” to “trace and coordinate,” while the treasury takes on the cost.
What to watch next
Infra said the issue stems from “unauthorized removal of liquidity” from the legacy AMM V3 program. Protos reports Raydium is now conducting a security review to determine what happened.
Two practical questions follow from that, and they’re where this story could grow teeth.
First, whether Raydium can prove the exploit path is strictly limited to the legacy pools that were deprecated in 2021. Infra’s “no current UI interaction” claim helps, but it’s still a claim.
Second, whether the treasury compensation is fully funded and executed without delay. Protos says Infra promised full compensation. Investors and users don’t need promises. They need settlement.
For now, the cleanest takeaway from Protos’ reporting is that the attacker didn’t need a key compromise or a privileged role. They needed a program that forgot to validate an LP mint, and then they used that oversight to route around proportion checks.