Raydium lost $1.34M to five pools it deprecated in 2021

$1.34M stolen from Raydium's retired AMM V3 pools. LP mint flaw; 810 ETH via Tornado Cash; treasury refund confirmed.

The largest decentralized exchange on Solana spent the week explaining a loss that, by its own account, never touched a single active user position. The drained funds came entirely from code Raydium had left for dead in 2021.

What Was Drained — and from Which Pools

Raydium reportedly lost roughly $1.34 million on June 10, 2026, when an attacker drained five deprecated liquidity pools tied to its retired AMM V3 program. According to the project's cited initial review, the haul totaled 150,177 RAY, 5,603 SOL, and 893,700 USDC. No active pools were affected.

Quick Answer: An attacker reportedly drained about $1.34M — 150,177 RAY, 5,603 SOL, and 893,700 USDC — from five Serum-era pools Raydium retired in 2021. Current CLMM and AMM V4 positions were untouched. As of publication the figure is widely reported across crypto media but not yet confirmed in primary on-chain databases.

Drained asset     Reported amount
RAY               150,177
SOL               5,603
USDC              893,700
Combined value    ~$1.34 million

All five pools — Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL — were Serum-era relics on the legacy AMM V3 program, phased out in 2021 and no longer reachable through the current interface. Raydium says its modern CLMM and AMM V4 infrastructure was untouched, leaving its $777.15M TVL and $148.42M daily DEX volume routed through unaffected programs.

One caveat belongs up front. As of publication, the $1.34M figure rests on secondary crypto-media reporting. DefiLlama's hack database and Raydium's own changelog did not yet record a June 2026 exploit. Primary confirmation — a transaction hash and the affected program ID — remains outstanding.

How Dead Code Let the Attacker Bypass Withdrawal Controls

The reported root cause is narrow: a logic flaw in the liquidity-provider (LP) mint validation inside Raydium's retired AMM V3 program. The program did not properly check the LP mint address, so an attacker could supply a fraudulent mint and slip past the proportionality controls that govern how underlying assets are accounted for and withdrawn.

In Raydium's cited explanation, "the program did not properly verify the LP mint address, [so] an attacker was able to create a new mint and use it as the LP token, bypassing the intended proportion checks". Substituting that counterfeit mint let the attacker withdraw far more than any legitimate position should permit.
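
The missing check described above, as an added example in Rust that is not Raydium's code and not from the original article: a simplified model in which the pool records its LP mint and a withdrawal takes its pro-rata share from the supply of whichever mint account the caller passes in. The types, function names, keys and supplies are constructed assumptions; only the 893,700 vault balance echoes the reported USDC amount.

```rust
// Simplified model of a pro-rata AMM withdrawal. Assumed types and names;
// this is not Raydium's AMM V3 code.
type Pubkey = [u8; 32];

#[derive(Debug, PartialEq)]
enum WithdrawError { LpMintMismatch, ZeroSupply, AmountExceedsSupply }

struct Pool { lp_mint: Pubkey, vault_balance: u64 } // lp_mint fixed at pool creation
struct MintAccount { key: Pubkey, supply: u64 }     // account supplied by the caller

// share = vault_balance * lp_amount / supply, widened to u128 for the multiply.
fn pro_rata(vault: u64, lp_amount: u64, supply: u64) -> Result<u64, WithdrawError> {
    if supply == 0 { return Err(WithdrawError::ZeroSupply); }
    if lp_amount > supply { return Err(WithdrawError::AmountExceedsSupply); }
    Ok(((vault as u128) * (lp_amount as u128) / (supply as u128)) as u64)
}

// Flawed shape: the proportion is taken from any mint the caller passes in.
fn withdraw_unchecked(pool: &Pool, mint: &MintAccount, lp_amount: u64) -> Result<u64, WithdrawError> {
    pro_rata(pool.vault_balance, lp_amount, mint.supply)
}

// Hardened shape: the passed-in mint must be the one recorded in pool state.
fn withdraw_checked(pool: &Pool, mint: &MintAccount, lp_amount: u64) -> Result<u64, WithdrawError> {
    if mint.key != pool.lp_mint { return Err(WithdrawError::LpMintMismatch); }
    pro_rata(pool.vault_balance, lp_amount, mint.supply)
}

// Constructed sample state: real mint with 1,000,000 LP supply, foreign mint with 100.
fn sample() -> (Pool, MintAccount, MintAccount) {
    let pool = Pool { lp_mint: [1u8; 32], vault_balance: 893_700 };
    let real = MintAccount { key: [1u8; 32], supply: 1_000_000 };
    let foreign = MintAccount { key: [9u8; 32], supply: 100 };
    (pool, real, foreign)
}

fn main() {
    let (pool, real, foreign) = sample();
    println!("real mint, 10,000 LP:    {:?}", withdraw_checked(&pool, &real, 10_000));
    println!("foreign mint, unchecked: {:?}", withdraw_unchecked(&pool, &foreign, 100));
    println!("foreign mint, checked:   {:?}", withdraw_checked(&pool, &foreign, 100));
}
```

In a real Solana program the equivalent control is comparing the passed-in mint account's key with the mint stored in pool state before any supply is read from it.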

Crucially, this was reportedly confined to dead code. Raydium's internal review is said to have ruled out admin-key compromise, oracle manipulation, and program-authority issues, placing the bug squarely in the deprecated AMM V3 path rather than any live contract. That distinction is what kept the blast radius small.

The failure mode matches a documented Solana risk class. A March 2026 symbolic-execution study examined 8,714 bytecode-only Solana contracts and flagged potential bugs in 467 of them, with missing key/mint verification, missing signer checks, and arbitrary cross-program invocations cited as recurring failure modes. Missing mint verification is precisely the gap reported here.

The timeline reinforces the picture. The breach was reportedly first flagged around 3 PM GMT+1 on June 10, 2026, by an on-chain investigator known as "Specter," with security firm PeckShield independently tracing the attacker's fund flows shortly after. Independent tracing matters because it provides an evidence trail ahead of any official protocol postmortem.

The Money Trail: KuCoin Funding, a Solana-to-Ethereum Bridge, and 810 ETH into Tornado Cash

The attacker's funds followed a familiar laundering route. Analysts reportedly traced the wallet's origin to the KuCoin exchange, where it was funded before the attack, then watched the stolen value bridge from Solana to Ethereum and disappear into a privacy mixer. PeckShield and other on-chain investigators mapped the flow shortly after the breach surfaced.

The reported path breaks down as follows:

  • Funding: the operating wallet was initially financed via KuCoin.
  • Bridging: proceeds moved from Solana to Ethereum after the withdrawal.
  • Mixing: roughly 810 ETH was routed through Tornado Cash, with a smaller tranche of about 7 ETH sent to the FixedFloat swap service.

This KuCoin-to-Tornado-Cash pipeline is a recurring obfuscation pattern in DeFi exploits, not a novel maneuver. That predictability cuts both ways. Mixing complicates tracing, but the centralized funding source matters: KuCoin's know-your-customer (KYC) records could give investigators an attribution anchor, since the wallet touched a regulated venue before the theft.

For affected users, the financial outcome is more direct. Raydium reportedly pledged a full refund to impacted liquidity providers paid from its treasury, rather than socializing the loss across current users or active pool participants. Framed this way, the protocol absorbs the roughly $1.34 million hit at the treasury level, leaving holders in its modern CLMM and newer AMM pools untouched.

What to Watch: On-Chain Confirmation, Treasury Payout Timeline, and the Legacy Code Audit Scope

The most important signal now is primary confirmation. As of the research window, no official Raydium postmortem had named the affected program ID, pool accounts, vault addresses, or a transaction hash, and DefiLlama's Raydium page still listed only one historical hack. The latest changelog entry remained a 2026-05-18 CLMM update, not an emergency patch. Database lag after a breaking incident is normal, so treat the absence as a documentation gap, not disproof — but the $1.34M figure stays reported-but-unconfirmed until on-chain evidence is indexed.

Watch these four markers over the coming days:

  • A named transaction trail. Raydium's own guidance says a credible exploit report should name a program ID, pool account, vault, transaction hash, and root-cause class. Until those appear, the claim rests on secondary reporting.
  • Audit scope and timeline. Raydium reportedly committed to reviewing all mainnet programs for LP mint validation gaps like the AMM V3 flaw. Neither scope nor timeline was disclosed; the breadth of undocumented legacy code is the key residual risk.
  • The Immunefi bounty. Raydium's program (PoC required, maximum $505,000) was last updated June 10, 2026 — the same day as the reported exploit. That edit could be routine; a new critical-severity submission would be more telling.
  • Treasury wallet movement. A confirmed, on-chain refund from treasury would prove protocol-absorbed loss in practice.

That payout precedent is worth weighing. Raydium's earlier December 2022 incident — a compromised pool-owner key, not a program bug — was answered with multisig migration and added operational controls. As Raydium's documentation puts it, "a mismatched program ID is one of the easiest ways to lose funds on Solana" (Raydium, program-addresses reference; source: Raydium Docs). The takeaway: the dollar figure is small and contained, but it is not yet verified. Confirmation, not the headline number, is what traders should track.

Frequently asked questions

Were active Raydium CLMM or AMM V4 liquidity positions affected by the June 2026 exploit?

No. According to Raydium's cited initial review, only five deprecated AMM V3 pools were drained — Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL — all Serum-era pools retired since 2021 and no longer reachable through the current interface. Current Concentrated Liquidity Market Maker (CLMM) and AMM V4 positions were reportedly untouched, which is why the loss stayed near $1.34 million.

What is an LP mint validation flaw and why is it dangerous on Solana?

An LP mint validation flaw is a logic bug where the program fails to confirm that a liquidity-provider token's mint address is legitimate. Raydium reportedly stated the program "did not properly verify the LP mint address," letting an attacker create a fake mint, present it as the LP token, and bypass the proportion checks governing withdrawals. On Solana, missing key and mint checks are a documented recurring vulnerability class; a March 2026 study of 8,714 contracts flagged potential bugs in 467.

Will affected liquidity providers be refunded?

Raydium reportedly committed to a full refund sourced from its own treasury, meaning the loss would be absorbed at the protocol level rather than passed to current users. No payout timeline was disclosed at publication. The protocol also announced a security review of all mainnet programs to find other legacy code paths with similar validation gaps.

How is this different from the December 2022 Raydium hack?

It is a different attack class entirely. The December 2022 incident stemmed from a compromised pool-owner private key — an operational key-management failure that Raydium resolved with a multisig migration and added operational controls. The June 2026 exploit is instead a program-logic bug in deprecated AMM V3 code, and Raydium's review reportedly ruled out admin-key compromise, oracle manipulation, and program-authority issues.

Why hasn't Raydium's official documentation or DefiLlama confirmed the exploit yet?

Database and documentation lag is normal in the hours after a breaking DeFi incident. As of the research window, the latest changelog entry was a 2026-05-18 CLMM update rather than an emergency patch, and DefiLlama's Raydium page still listed only one historical hack. Primary confirmation typically requires a postmortem naming transaction hashes and program IDs, so the $1.34M figure should be treated as reported-but-unconfirmed until those sources update.