Raydium Contributor Says Legacy AMM V3 Pools Were Exploited, Treasury to Cover Losses

Raydium core contributor InfraRAY said the team has confirmed an attack on a legacy AMM V3 program that Raydium stopped using in 2021, in which an attacker removed some liquidity without authorization. According to Odaily, InfraRAY said the incident does not affect current Raydium users, and the related pools have been inaccessible through Raydium’s official UI since they were discontinued; Raydium’s SDK and DApp also do not support operations on the legacy AMM V3 mainnet pools.

InfraRAY said five pools were affected: Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL. Preliminary estimates put the stolen assets at about 150,177 RAY, 5,603 SOL, and 893,700 USDC, with total losses estimated at about $1.34 million, which InfraRAY said will be fully reimbursed by the treasury.

InfraRAY said the investigation found the vulnerability stemmed from insufficient verification of the LP token mint address. The attacker allegedly created a new LP token and impersonated a legitimate LP token to bypass the protocol’s ratio-check mechanism and withdraw funds.

InfraRAY said the incident was an isolated logic flaw rather than a private key leak or a permissions breach, and that there is no risk of the issue spreading. All current Raydium mainnet programs were not affected, InfraRAY added.