Raydium's $1.34 Million Exploit Exposes DeFi's Forgotten Code Problem
An attacker drained $1.34 million from five dormant liquidity pools on Raydium, Solana's flagship decentralized exchange, by exploiting validation gaps in legacy code that was never fully removed from the blockchain. The incident underscores a growing vulnerability in decentralized finance: old contracts that are officially retired but still hold real assets can become targets for attackers looking for overlooked edge cases.
What Happened in the Raydium Exploit?
On June 11, an attacker targeted Raydium's legacy AMM V3 program, which had been phased out following the deprecation of the Serum protocol in 2021. The five affected pools were Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL. The attacker bypassed validation checks by creating a new liquidity provider (LP) mint without depositing corresponding assets, then withdrew and converted the positions.
The technical flaw was straightforward but damaging: the legacy AMM V3 program failed to properly verify the LP mint address. This allowed the attacker to mint new LP tokens without the proportion checks that normally govern liquidity removal. The exploiter's Solana address ends in "Bq33QVk," and the breakdown of stolen assets included approximately $900,000 in USDC stablecoin, roughly $357,000 in SOL (Solana's native token), and $86,000 worth of RAY tokens.
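The class of check described above, as an added example that is not Raydium's code or part of the original article: a simplified Rust model of a pool withdrawal with and without verification of the LP mint against pool state. All type names, function names and values are hypothetical and constructed for illustration; the page does not show the actual on-chain logic.

```rust
// Simplified model of LP-mint validation on withdraw (added example, hypothetical names).
type Pubkey = [u8; 32];

#[derive(Debug, PartialEq)]
enum WithdrawError { LpMintMismatch, InsufficientLp, EmptyPool }

struct Pool { lp_mint: Pubkey, lp_supply: u64, vault_a: u64, vault_b: u64 }

// Caller-supplied LP token account: the mint it belongs to and its balance.
struct LpAccount { mint: Pubkey, amount: u64 }

// Pro-rata share of a vault; u128 intermediate avoids overflow on the multiply.
fn share(vault: u64, lp_amount: u64, supply: u64) -> u64 {
    (vault as u128 * lp_amount as u128 / supply as u128) as u64
}

// Burns LP and pays out proportionally. Performs no mint check on its own.
fn settle(pool: &mut Pool, lp: &mut LpAccount, n: u64) -> Result<(u64, u64), WithdrawError> {
    if pool.lp_supply == 0 { return Err(WithdrawError::EmptyPool); }
    if n > lp.amount || n > pool.lp_supply { return Err(WithdrawError::InsufficientLp); }
    let out = (share(pool.vault_a, n, pool.lp_supply),
               share(pool.vault_b, n, pool.lp_supply));
    lp.amount -= n;
    pool.lp_supply -= n;
    pool.vault_a -= out.0; pool.vault_b -= out.1;
    Ok(out)
}

// Weak form: trusts whatever mint the supplied account claims to belong to.
fn withdraw_unchecked(pool: &mut Pool, lp: &mut LpAccount, n: u64) -> Result<(u64, u64), WithdrawError> {
    settle(pool, lp, n)
}

// Hardened form: the account's mint must equal the mint recorded in pool state.
fn withdraw_checked(pool: &mut Pool, lp: &mut LpAccount, n: u64) -> Result<(u64, u64), WithdrawError> {
    if lp.mint != pool.lp_mint { return Err(WithdrawError::LpMintMismatch); }
    settle(pool, lp, n)
}

// Constructed sample state: pool mint [1; 32], 1_000 LP outstanding.
fn sample_pool() -> Pool {
    Pool { lp_mint: [1; 32], lp_supply: 1_000, vault_a: 1_000_000, vault_b: 400_000 }
}

fn main() {
    let mut foreign = LpAccount { mint: [9; 32], amount: 500 }; // LP from an unrelated mint
    println!("unchecked: {:?}", withdraw_unchecked(&mut sample_pool(), &mut foreign, 500));
    println!("checked:   {:?}", withdraw_checked(&mut sample_pool(), &mut foreign, 500));
}
```

The hardened variant rejects the request before any proportion math runs, so vault balances are untouched when the mint does not match.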
Why Does Deprecated Code Still Matter?
The Raydium incident raises a fundamental question about blockchain infrastructure: what happens to code that is officially retired but never fully removed from the chain? Because smart contracts are immutable once deployed, fully removing old code that still holds funds is never straightforward. Raydium had transitioned to newer AMM versions, including V4 and V5, which utilize virtual supply mechanisms alongside stricter account verification protocols. However, the deprecation of the legacy program did not wipe its on-chain footprint.
The affected contracts still held live assets on-chain despite being phased out of Raydium's current application interface and active liquidity stack. No current users could have interacted with the deprecated pools through the platform's user interface since their phase-out, according to Raydium contributor 0xInfra. Still, the pools remained accessible to anyone with direct blockchain knowledge and the right tools.
How Did the Attacker Launder the Stolen Funds?
After stealing the assets on Solana, the attacker followed a familiar playbook used by many DeFi exploiters: bridge the funds to Ethereum and deposit them into Tornado Cash, a cryptocurrency mixer that obscures transaction trails. Blockchain investigator Specter tracked this exit path. The U.S. sanctioned Tornado Cash in 2022, and its continued use in exploit laundering gives regulators ammunition to argue for stricter oversight of DeFi protocols.
Steps to Understand DeFi Security Risks
- Legacy Contract Exposure: Protocols that transition to newer versions must audit and safely wind down old on-chain contracts that still hold value, not just remove user interface access.
- Validation Gaps: Smart contract vulnerabilities often stem from insufficient checks on critical parameters like token mints, LP addresses, and account ownership, which traditional code audits may miss.
- Laundering Pathways: Exploiters commonly bridge stolen funds across blockchains and deposit them into mixers to complicate recovery and regulatory tracking.
What Does This Mean for DeFi's Broader Security Picture?
The Raydium hack arrives at a moment when DeFi's security track record is under acute scrutiny. The sector has already lost over $750 million to hacks and exploits in 2026, driven largely by two major incidents: the approximately $292 million KelpDAO exploit and the $285 million Drift Protocol breach.
Drift Protocol lost $285 million on April 1 after a North Korean hacking group spent six months socially engineering its way into the Solana-based decentralized exchange. KelpDAO's LayerZero bridge was drained of $292 million in rsETH on April 19. Those two incidents alone caused 95 percent of April's total DeFi damage, triggering a mass exit from DeFi and ranking among the top ten hacks since 2021.
What makes the current environment particularly alarming is the widening attack surface. Neither of the two biggest exploits of 2026 involved a smart contract vulnerability in the traditional sense. Code audits, formal verification, and bug bounty programs would not have prevented Drift or KelpDAO. Instead, social engineering, compromised infrastructure, and governance weaknesses have emerged as the dominant vectors.
Adding a new dimension to the threat landscape, artificial intelligence is now playing a documented role in vulnerability discovery. Security researcher Taylor Hornby identified a critical four-year-old vulnerability in Zcash's Orchard shielded pool by running a custom auditing agent framework paired with Anthropic's Claude Opus 4.8 model, then wrote a complete working exploit in a local test environment. While the Zcash disclosure was a white-hat find with no evidence AI tools were used in the Raydium attack, it underscores the accelerating capability of AI-assisted auditing on both sides of the security equation.
Raydium moved quickly to contain the fallout. The project confirmed full compensation for all affected users will be handled directly through its treasury, covering the entire $1.34 million across all five impacted pools. Raydium's core contributors also announced a comprehensive security review of all mainnet programs to verify that no similar logic flaws exist across any active code.
Market reaction to the Raydium exploit was limited. RAY, Raydium's native token, fell about 2 percent in the 24 hours after the disclosure and roughly 13 percent over the prior week, with the token remaining far below its all-time high.
For the broader DeFi ecosystem, the incident carries implications beyond the dollar figure. Legacy contracts, abandoned pools, and residual permission settings represent a class of risk that traditional code audits do not systematically address. As protocols evolve and migrate to newer architectures, the operational burden of cleanly decommissioning old infrastructure has become a pressing security obligation. The Raydium incident is a clear reminder that "deprecated" does not always mean safe in the blockchain world.