Raydium Exploited Through Deprecated Smart Contract Left Live for Five Years

Published by James Harris on

What You Need to Know

  • Raydium lost $1.34 million when attackers exploited deprecated smart contract code holding dormant liquidity pools.
  • The attacker created a fraudulent LP token with a supply of one to trick the legacy contract into releasing the full pool balance.
  • Stolen funds bridged to Ethereum and laundered through Tornado Cash within hours of the exploit.
  • CertiK recorded 60 security incidents in May 2026 totaling $68.3 million, with code vulnerabilities causing the majority of losses.

Raydium lost $1.34 million when an attacker exploited a logic flaw in smart contract code the Solana-based DEX had deprecated in 2021, generating fraudulent LP tokens to drain five liquidity pools that had been sitting dormant and inaccessible through the platform’s interface for years.

The mechanics matter here. The attacker fabricated an LP token with a supply of one, submitted a withdrawal request against the legacy AMM V3 program, and the old contract released the full pool balance because it had no way to distinguish that token from a legitimate claim. The funds were bridged to Ethereum via deBridge and most of the roughly 810 ETH landed in Tornado Cash within hours, a laundering path that has become almost procedurally standard since Tornado’s OFAC designation in 2022 failed to meaningfully deter its use. Raydium has been here before: in December 2022, a private key compromise cost the protocol $4.4 million, and that incident triggered a similar post-mortem cycle of audits and reassurances. The pattern of legacy code retaining live balances long after deprecation is a known category of risk, and this exploit is a clean example of why “deprecated” and “empty” are not synonyms.
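As an added illustration of the bug class described above (this is a toy model, not Raydium's program code, and the struct and field names are assumptions), the Rust snippet below contrasts a withdrawal routine that never binds the presented LP mint to the pool, so a self-minted token with a supply of one is priced as the whole vault, with a hardened version that rejects foreign mints and refuses ordinary withdrawals from a deprecated pool:

```rust
// Toy model (added here; not Raydium's code) of the bug class described above:
// a legacy withdrawal that prices a claim as lp_amount / lp_supply without
// binding the presented LP mint to the pool. Names and fields are assumptions.

struct Pool {
    lp_mint: [u8; 32], // the only mint entitled to redeem this pool's vault
    balance: u64,      // token balance held in the pool vault
    deprecated: bool,  // set once a newer program version replaced this one
}

// A redemption claim: which mint the caller holds, how many units, and that
// mint's total supply. For a mint the caller created, all three are theirs.
struct LpClaim {
    mint: [u8; 32],
    amount: u64,
    supply: u64,
}

// Pro-rata share of the vault; the u128 intermediate avoids overflow.
fn pro_rata(balance: u64, amount: u64, supply: u64) -> u64 {
    ((balance as u128) * (amount as u128) / (supply as u128)) as u64
}

// Legacy behaviour: the mint is never compared with `pool.lp_mint`, so a mint
// with supply 1 and amount 1 is priced as a 100% share of the vault.
fn withdraw_legacy(pool: &Pool, claim: &LpClaim) -> u64 {
    if claim.supply == 0 {
        return 0;
    }
    pro_rata(pool.balance, claim.amount, claim.supply)
}

// Hardened behaviour: refuse claims against a deprecated pool outright
// (funds leave only via an explicit migration path) and require the claim's
// mint to be the pool's registered LP mint before any share is computed.
fn withdraw_checked(pool: &Pool, claim: &LpClaim) -> Result<u64, &'static str> {
    if pool.deprecated {
        return Err("pool is deprecated; withdrawals disabled pending migration");
    }
    if claim.mint != pool.lp_mint {
        return Err("presented mint is not this pool's LP mint");
    }
    if claim.supply == 0 || claim.amount > claim.supply {
        return Err("malformed claim");
    }
    Ok(pro_rata(pool.balance, claim.amount, claim.supply))
}
```

The same mint check is what an audit of dormant pools should confirm is enforced, and flagging deprecated pools as migration-only removes the live balance as a target regardless of any other logic flaw.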

Raydium holds $796 million in TVL and processed over $1.1 billion in DEX volume in the past week. The $1.34 million loss is noise against those numbers, but the reputational cost of a second breach in three years is harder to denominate.

The broader context is less comfortable. CertiK logged 60 confirmed security incidents in May 2026 alone, totaling $68.3 million in losses, with code vulnerabilities accounting for more than $45 million of that figure. Cumulative exploit losses through May approached $1.3 billion for the year, with bridge attacks making up $340.7 million of that total. For DeFi protocols sitting on significant TVL, the operational question is no longer whether to conduct legacy code reviews but how to explain to liquidity providers why those reviews happen reactively. Raydium’s announcement of a security review across all mainnet programs is the right response, though it arrives after the fact.

Raydium has committed to full compensation from its treasury but has not specified a timeline or distribution mechanism, which means affected liquidity providers are currently waiting on details the team has not yet disclosed.

James Harris

Hi, I’m James Harris, dad of three, professional coffee maker (not drinker, as I make it for my wife), and the unlucky guy who once lost $48 in a crypto scam. Yep, forty-eight bucks. Not life-changing money, but just enough to sting my pride. That little scam lit a fire in me: if I could get fooled, so could anyone. And that’s how DodgeTheScam.com was born. Now I spend my time turning my mistake into your advantage. I dig into scams, fake sites, and shady schemes so you don’t have to learn the hard way. I keep things simple, honest, and sometimes funny, because staying safe online doesn’t have to feel like homework. My mission? To help you dodge scams, save your hard-earned money, and maybe give you a laugh or two along the way.
