Raydium DEX’s AMM Program Exploited For $1.34 Million — Here’s What Went Wrong
Raydium, a Solana-based DEX, suffered a $1.34 million exploit on its deprecated AMM V3 program due to insufficient validation of LP mint addresses, allowing an attacker to drain approximately 150,000 RAY, 5,600 SOL, and 900,000 USDC. The stolen funds were subsequently laundered across Solana and Ethereum through KuCoin and mixing services including Tornado Cash.
The Raydium exploit exposes a critical weakness in legacy smart contracts that persist on blockchain networks after being officially deprecated. Although the affected AMM V3 program was phased out in 2021 and removed from Raydium's user interface, its continued presence on-chain left an attack surface that a sophisticated attacker could reach simply by submitting transactions to the program directly. Because the program did not adequately validate the LP mint address, the proportion checks that depend on that account could be bypassed, showing how a missing input check in a smart contract can nullify the very mechanisms meant to protect liquidity pools.
This incident reflects a broader pattern in DeFi security challenges where older code versions remain accessible on immutable blockchain networks. Developers cannot simply remove legacy programs; instead, they must ensure that deprecated contracts are sufficiently secured or that external systems prevent user interaction. Raydium's reliance on UI-based access control rather than contract-level protections proved insufficient against determined attackers with direct blockchain access.
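The vulnerability class described in the two paragraphs above (a caller-supplied LP mint account that the program never binds to the mint recorded in the pool, so the proportion check can be satisfied with an attacker-controlled mint), modelled as an added Rust example. This is not Raydium's code, does not reproduce the actual AMM V3 logic or the transaction used in the incident, and uses plain Rust rather than the Solana SDK so it runs stand-alone; the types and functions (Pubkey, MintAccount, Pool, withdraw_vulnerable, withdraw_checked) and the sample numbers are hypothetical.

```rust
// Added illustrative example, not Raydium's code: a minimal model of an
// AMM withdraw path that shows why a program must bind the caller-supplied
// LP mint account to the mint recorded in the pool before using its supply.
// All names here (Pubkey, MintAccount, Pool, withdraw_vulnerable,
// withdraw_checked) are hypothetical.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey([u8; 32]);

impl Pubkey {
    /// Deterministic key for the constructed sample data below.
    pub fn from_seed(seed: u8) -> Self {
        Pubkey([seed; 32])
    }
}

/// An SPL-style mint account as the program sees it: its address and supply.
#[derive(Clone, Debug)]
pub struct MintAccount {
    pub key: Pubkey,
    pub supply: u64,
}

/// Pool state. The LP mint address is fixed when the pool is created.
#[derive(Clone, Debug)]
pub struct Pool {
    pub lp_mint: Pubkey,
    pub reserve_a: u64,
    pub reserve_b: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AmmError {
    InvalidLpMint,
    BurnExceedsSupply,
    ZeroSupply,
    Overflow,
}

/// Pro-rata share of one reserve: reserve * lp_burned / lp_supply.
fn pro_rata(reserve: u64, lp_burned: u64, lp_supply: u64) -> Result<u64, AmmError> {
    if lp_supply == 0 {
        return Err(AmmError::ZeroSupply);
    }
    let num = (reserve as u128)
        .checked_mul(lp_burned as u128)
        .ok_or(AmmError::Overflow)?;
    Ok((num / lp_supply as u128) as u64)
}

/// Vulnerable pattern: the proportion check reads `supply` from whatever mint
/// account the caller passed. A caller who passes a mint they created, with a
/// supply of 1, and burns that 1 token is paid the entire reserves.
pub fn withdraw_vulnerable(
    pool: &Pool,
    lp_mint: &MintAccount,
    lp_burned: u64,
) -> Result<(u64, u64), AmmError> {
    let out_a = pro_rata(pool.reserve_a, lp_burned, lp_mint.supply)?;
    let out_b = pro_rata(pool.reserve_b, lp_burned, lp_mint.supply)?;
    Ok((out_a, out_b))
}

/// Hardened pattern: reject any mint account whose address is not the pool's
/// recorded LP mint, and reject burns larger than that mint's supply, before
/// computing shares. Because the check lives in the program, it holds for
/// callers who bypass the UI and submit transactions directly.
pub fn withdraw_checked(
    pool: &Pool,
    lp_mint: &MintAccount,
    lp_burned: u64,
) -> Result<(u64, u64), AmmError> {
    if lp_mint.key != pool.lp_mint {
        return Err(AmmError::InvalidLpMint);
    }
    if lp_burned > lp_mint.supply {
        return Err(AmmError::BurnExceedsSupply);
    }
    let out_a = pro_rata(pool.reserve_a, lp_burned, lp_mint.supply)?;
    let out_b = pro_rata(pool.reserve_b, lp_burned, lp_mint.supply)?;
    Ok((out_a, out_b))
}

/// Constructed sample data: a pool, its genuine LP mint, and an attacker-created
/// mint with a different address and a supply of 1 held by the attacker.
pub fn sample_pool() -> (Pool, MintAccount, MintAccount) {
    let real_mint = MintAccount { key: Pubkey::from_seed(1), supply: 1_000_000 };
    let pool = Pool { lp_mint: real_mint.key, reserve_a: 5_000_000, reserve_b: 2_000_000 };
    let fake_mint = MintAccount { key: Pubkey::from_seed(2), supply: 1 };
    (pool, real_mint, fake_mint)
}

fn main() {
    let (pool, real_mint, fake_mint) = sample_pool();
    println!("legit withdraw : {:?}", withdraw_checked(&pool, &real_mint, 10_000));
    println!("vulnerable path: {:?}", withdraw_vulnerable(&pool, &fake_mint, 1));
    println!("checked path   : {:?}", withdraw_checked(&pool, &fake_mint, 1));
}
```

The point of the model is the ordering: the address comparison against state the program itself wrote at pool creation comes before any arithmetic that trusts the account's contents, and it runs regardless of which front end (or none) produced the transaction.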
The rapid movement of stolen funds across multiple blockchains and through mixing protocols demonstrates the growing sophistication of cryptocurrency money laundering techniques. KuCoin's role as the initial funding source raises questions about transaction monitoring, though exchange compliance teams face inherent limitations in tracking cross-chain flows.
Raydium's assurance that its current mainnet programs are unaffected provides limited reassurance, since the vulnerable program stayed executable on-chain for years after it was dropped from the interface in 2021. The ongoing security review reads as reactive rather than proactive vulnerability management. Industry participants should recognize that deprecated programs need active security maintenance (auditing them, and disabling or draining them where the program's design allows it), not merely removal from user-facing interfaces.
- Legacy smart contracts pose persistent security risks even after official deprecation if they remain executable on-chain
- The $1.34 million exploit stemmed from improper LP mint validation that allowed attackers to bypass proportion checks in liquidity pools
- Stolen funds were traced moving through KuCoin, bridged to Ethereum, and partially sent to Tornado Cash for laundering
- Raydium's current programs remain unaffected, but the incident highlights gaps between UI-based access controls and contract-level security
- The exploit demonstrates that sophisticated attackers can interact with on-chain programs directly, regardless of platform-level deprecation
