Technical details have emerged showing how an attacker bypassed verification checks to drain $1.34 million from the Solana automated market maker (AMM) Raydium.
A detailed post-incident vulnerability analysis released by blockchain security firm GoPlus Security confirms that the hacker did not compromise any administrative private keys. Instead, they successfully weaponized a critical verification flaw inside Raydium’s legacy AMM V3 smart contracts to manipulate liquidity accounting.
GoPlus said the attacker created a custom SPL token and manipulated the protocol’s liquidity withdrawal process, allowing funds to be drained from several inactive pools before being transferred to other blockchain networks.
Old contracts became the weakest link
GoPlus Security said the exploit likely stemmed from inadequate validation of liquidity provider (LP) tokens within Raydium’s legacy liquidity removal process. According to the firm, the attacker created counterfeit LP tokens and used them to bypass verification checks, allowing assets to be withdrawn from vulnerable pools.
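The kind of check GoPlus describes as missing can be sketched as follows. This is an added example, not Raydium's code or anything from the GoPlus report: it is a simplified plain-Rust model with hypothetical types and names, and it assumes "inadequate validation" means the withdrawal path did not bind the supplied LP token account to the mint recorded for the pool.

```rust
// Simplified model of a liquidity-removal check. All types, fields and names are
// hypothetical and constructed for illustration; this is not Raydium's code.
type Pubkey = [u8; 32];

struct Pool { lp_mint: Pubkey, lp_supply: u64, reserve_a: u64, reserve_b: u64 }
struct TokenAccount { mint: Pubkey, owner: Pubkey, amount: u64 }

#[derive(Debug, PartialEq)]
enum WithdrawError { WrongMint, NotOwner, BadAmount }

/// Burn `burn` LP tokens from `lp` and return the pro-rata share of both reserves.
fn remove_liquidity(pool: &mut Pool, lp: &mut TokenAccount, signer: &Pubkey, burn: u64)
    -> Result<(u64, u64), WithdrawError>
{
    // The supplied LP account must hold the mint recorded for THIS pool. A balance
    // in any other mint, however large, says nothing about a share of the reserves.
    if lp.mint != pool.lp_mint { return Err(WithdrawError::WrongMint); }
    // The transaction signer must own the account being debited.
    if lp.owner != *signer { return Err(WithdrawError::NotOwner); }
    // Cannot burn zero, more than the account holds, or more than exists.
    if burn == 0 || burn > lp.amount || burn > pool.lp_supply {
        return Err(WithdrawError::BadAmount);
    }
    // Pro-rata payout, widened to u128 so the multiplication cannot overflow.
    let supply = pool.lp_supply as u128;
    let out_a = (pool.reserve_a as u128 * burn as u128 / supply) as u64;
    let out_b = (pool.reserve_b as u128 * burn as u128 / supply) as u64;
    // Update state only after every check has passed.
    lp.amount -= burn;
    pool.lp_supply -= burn;
    pool.reserve_a -= out_a;
    pool.reserve_b -= out_b;
    Ok((out_a, out_b))
}

fn main() {
    // Constructed sample data: one genuine LP mint and one look-alike mint.
    let (real_mint, fake_mint, user) = ([1u8; 32], [2u8; 32], [9u8; 32]);
    let mut pool = Pool { lp_mint: real_mint, lp_supply: 1_000, reserve_a: 50_000, reserve_b: 20_000 };
    let mut fake = TokenAccount { mint: fake_mint, owner: user, amount: 1_000_000 };
    let mut real = TokenAccount { mint: real_mint, owner: user, amount: 100 };
    println!("{:?}", remove_liquidity(&mut pool, &mut fake, &user, 1_000));
    println!("{:?}", remove_liquidity(&mut pool, &mut real, &user, 100));
}
```

In an on-chain program the same binding is normally enforced on the accounts passed to the instruction, and the point that applies to retired pools is that the check has to live in the program itself, since removing a pool from the official interface does not remove the instruction.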
After the funds were extracted, blockchain data showed the assets were bridged from Solana to Ethereum through deBridge and subsequently exchanged for Ether. The proceeds were later sent to Tornado Cash, a privacy protocol often used to obscure the movement of digital assets.
Raydium, for its part, said earlier that the attack was limited to five deprecated liquidity pools, including legacy trading pairs involving RAY, SOL, USDC, USDT, ETH, and SRM. In total, the attacker withdrew roughly 150,177 RAY tokens, 5,603 SOL, and 893,700 USDC.
The protocol emphasized that no active users were affected. According to Raydium, the compromised pools had been retired years ago and were no longer accessible through the platform’s official interface.
Security lessons echo across DeFi
Raydium said the exploit resulted from a logic flaw in its legacy liquidity pool program and stressed that no private keys were compromised. The protocol added that the vulnerability did not affect its current mainnet infrastructure, which uses more robust validation mechanisms.
The team said affected liquidity providers would be fully reimbursed from the project’s treasury. Raydium also launched a broader review of its active programs to identify and address any similar vulnerabilities.
The incident also drew attention from market observers such as crypto commentator Master of Crypto, who argued that older smart contracts can pose significant risks even after they are retired. In a post on X, the analyst described the exploit as a reminder that dormant code can remain vulnerable years after it falls out of active use.
Despite the breach, Raydium remains one of the largest decentralized trading platforms on Solana. According to DeFiLlama data, the protocol holds about $795.5 million in total value locked and has processed roughly $4.42 billion in trading volume over the past month.
The exploit adds to a growing list of security incidents across the decentralized finance sector, where attackers have continued to target overlooked vulnerabilities in older smart contracts. While the affected Raydium pools had long been inactive, the incident shows the challenges projects face in securing legacy code that remains accessible on public blockchains.
