Five liquidity pools nobody was supposed to be using anymore got drained for roughly $1.34 million on Wednesday. That's the short version of the Raydium exploit. The longer version is more interesting, because the attacker didn't break into the busy, current part of the Solana decentralized exchange. They went after the attic.
Raydium, one of the larger automated market makers on Solana, confirmed the loss came from deprecated pools tied to an older version of its AMM program. Deprecated is the operative word. These weren't the pools moving most of the platform's volume. They were leftovers from a previous design: still on-chain, still holding funds, still technically reachable. And reachable, it turns out, is all an attacker needs.
What actually broke
The damage was contained to five pools running on legacy AMM code, according to Decrypt's reporting. Current pools (the ones most traders touch day to day) weren't hit in the same way. That distinction matters for users trying to figure out whether their own positions are at risk, and it's the first thing Raydium emphasized.
Here's the awkward truth about smart contracts, though. Once code is deployed to a chain like Solana, it doesn't just vanish because the team moved on to a newer version. The old program keeps sitting there. If liquidity is still parked in pools governed by that program, and the program has a flaw, the flaw is live. Deprecating something in your documentation and removing it from the chain are two very different acts.
The $1.34 million figure puts this firmly in the mid-sized category of DeFi incidents. It's not a nine-figure bridge collapse. It's not pocket change, either. For context, RAY was trading around $0.58 at the time, so the dollar loss is real money pulled out of pools that, frankly, probably should have been wound down and emptied long ago.
The cost of leaving the lights on
This is the recurring lesson, and protocols keep relearning it. Migrating users to a new contract is the easy part. Getting every last bit of liquidity out of the old one, and ideally killing the old program's ability to hold or move funds, is the tedious part teams put off. The Raydium exploit is a clean example of what that procrastination costs.
There's no public indication, at least not in the initial reporting, that the newer AMM code shared the same vulnerability. So this reads less like a fundamental design failure and more like an unsupervised legacy system that should have been decommissioned. Which, in security terms, is its own kind of failure.
A pattern, not a one-off
What makes this worth more than a single incident report is the company it keeps. The Raydium exploit lands amid a broader uptick in DeFi attacks, and in the discovery of serious vulnerabilities across protocols. Some of that activity, per Decrypt, is being accelerated by AI tooling. That's the part that should make every protocol team a little uneasy.
Think about what cheap, capable code analysis does to the economics of attacking DeFi. Auditing a smart contract for exploitable logic used to require a scarce skill set and real hours. If automated tools can scan deployed bytecode at scale, flagging the deprecated, the forgotten, the slightly-off, then the attack surface isn't just the code teams are actively defending. It's everything they've ever shipped and walked away from.
That changes the math. A pool nobody thinks about is exactly the kind of target that rewards patient, automated scanning: low attention from the defenders, real funds on the line, a vulnerability sitting in plain view on a public ledger.
Why old code is the soft target
Defenders concentrate on what's active. Bug bounties, monitoring, incident response, audits, all of it tends to follow the current contracts and the big TVL. The deprecated stuff falls off the dashboard. Nobody's watching the old pools at 3 a.m., because nobody's supposed to be in them.
An attacker doesn't share that bias. To them, a vulnerable pool is a vulnerable pool, current or not, and the abandoned ones come with the bonus of slower detection. The Raydium case fits the template almost exactly: legacy program, residual liquidity, low-seven-figure haul.
The broader DeFi sector has spent years building incident playbooks, white-hat negotiation channels, and treasury reserves to cover exactly this kind of thing. What it's been slower to build is discipline around shutting down old infrastructure cleanly. Deployment is celebrated. Decommissioning is paperwork.
What's worth watching next
A few things will tell us how serious this gets.
First, whether Raydium can or will make affected liquidity providers whole. Mid-sized protocols sometimes cover losses from a treasury or insurance fund to protect their reputation, and how Raydium handles the $1.34 million shortfall will say a lot about its posture toward users who got caught holding positions in retired pools.
Second, the post-mortem. The useful detail isn't the dollar figure. It's the specific flaw in the old AMM code, and exactly how the attacker reached it. If Raydium publishes a thorough breakdown, other Solana projects running on inherited or forked code can check their own attics before someone else does. If the writeup stays vague, that's a different signal.
Third, and this is the one with legs beyond a single protocol: the AI angle. If automated tooling really is widening the funnel of discoverable vulnerabilities, then every team carrying deprecated contracts is sitting on a clock it can't see. The defensive response would be obvious (comprehensive audits of legacy deployments, aggressive cleanup of abandoned pools) but obvious and done are not the same thing.
For now, the practical takeaway for anyone with funds on Solana DEXes is unglamorous. Check whether your liquidity sits in a current pool or an older, deprecated one. The newer contracts weren't the problem here. The forgotten ones were, as ever.
The Raydium exploit won't reshape Solana DeFi on its own. A $1.34 million loss rarely does. But as a data point in a year of mounting attacks and AI-assisted vulnerability hunting, it's a useful reminder that the most dangerous code in a protocol is sometimes the code everyone agreed to stop thinking about.
What to watch: the official post-mortem, any move to reimburse affected LPs, and whether other Solana projects start quietly purging their own deprecated pools before the next scan finds them.