TLDR: Raydium’s Legacy AMM V3 lost $1.34M via an LP mint validation flaw in deprecated pools. Attacker bypassed proportion checks by creating a fake LP mint; no key compromise occurred. Five
Raydium confirmed an exploit targeting its deprecated Legacy AMM V3 program, resulting in approximately $1.34 million in unauthorized liquidity removals.
The attack exploited an LP mint validation flaw that allowed an attacker to bypass proportion checks. Only inactive Legacy AMM V3 pools were affected.
Current mainnet programs, the SDK, and the DApp remain fully operational and unaffected.
The vulnerability originated from insufficient validation of the LP mint address within the Legacy AMM V3 program. Because the program failed to properly verify the LP mint, the attacker created a new mint and used it as the LP token.
This effectively bypassed the proportion checks that were meant to govern liquidity removal. The flaw was entirely self-contained and did not involve any key compromise or authority-level issue.
Five pools were affected in the attack. These included Sollet USDT–RAY, Sollet ETH–RAY, SRM–RAY, USDC–RAY, and RAY–SOL.
The exploiter’s wallet address has been identified as 4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk. Assets drained include approximately 150,177 RAY, 5,603 SOL, and 893,700 USDC.
Legacy AMM V3 was originally built to use deposited funds for placing orders on the Serum order book. It did not offer swap functionality.
Following Serum’s deprecation, liquidity in these pools remained idle. Proportion checks in this program relied on LP token supply rather than the virtual supply mechanism used in current programs.
Raydium’s team confirmed the exploit carries no propagation risk. Since the flaw was a logic error rather than a systemic vulnerability, it does not affect other programs.
Raydium is aware of an exploit involving unauthorized removal of liquidity from its legacy AMM V3 program which was previously phased out in 2021.
No current users of Raydium are affected by this exploit or would have been able to interact with these pools through the UI since…
— Infra | Raydium (@0xINFRA) June 10, 2026
No current users could have interacted with these deprecated pools through the UI since their phase-out in 2021.
Raydium moved quickly to address the situation following the exploit. The project confirmed that full compensation for affected users will be handled directly through its treasury. This commitment covers the entire $1.34 million in drained assets across all five impacted pools.
Raydium’s core contributors announced a comprehensive security review of all mainnet programs. The goal is to verify that no similar logic flaws exist across any active code.
Current programs already use a virtual supply mechanism for proportion checks and properly verify LP mint addresses and all relevant account data.
The team also clarified the architectural difference that protected current programs. Unlike Legacy AMM V3, all active Raydium mainnet programs correctly validate the LP mint along with other account information. This prevents the class of vulnerability that was exploited in the deprecated program.
Raydium stated that neither the SDK nor the DApp supports mainnet interactions with Legacy AMM V3 pools. As a result, current users were never exposed to risk.
The project’s transparency in publishing the exploiter’s address and affected pool details reflects its broader commitment to community trust.
The post Raydium Legacy AMM V3 Exploited for $1.34M via LP Mint Flaw appeared first on Blockonomi.
