Five liquidity pools. About $1.34 million gone. And every one of them had already been mothballed by the protocol that ran them.
That's the short version of what happened to Raydium on Wednesday, when the Solana-based decentralized exchange watched an attacker drain funds from an aging corner of its codebase. By the standards of crypto's worst weeks, the figure isn't enormous. But the details are the interesting part, because they say something uncomfortable about what protocols leave lying around after they upgrade.
The pools nobody was supposed to be using
The affected pools came from an older version of Raydium's automated market maker, the program that quotes prices and matches trades without an order book. Five of them, all flagged as deprecated. That means the exchange had already moved its active liquidity elsewhere and stopped pointing users toward this version.
Deprecated isn't the same as dead, though. The contracts still held funds and still ran their original logic. That's the gap an attacker found and walked through, according to the early accounting reported by Decrypt.
It's a familiar shape of failure. Teams ship a new version, declare the old one retired, and turn their attention forward. Meanwhile the legacy code sits onchain, immutable, doing exactly what it was written to do years earlier (including whatever it was written to do badly). Nobody monitors it as closely. Nobody audits it again. And the money inside doesn't evaporate just because the front end stopped linking to it.
For context on scale: Raydium's RAY token was trading around $0.58 at the time, so $1.34 million is real money but hardly an existential dent for one of Solana's larger DEXes. The reputational cost is the part that lingers.
Why a Raydium exploit lands harder than the dollar figure
A seven-figure loss in DeFi barely registers some quarters. The reason this one matters is the category it belongs to.
Exploits that target abandoned or deprecated contracts are a tell. They suggest attackers are doing the patient, unglamorous work of reading old code that everyone else has stopped looking at. That's a different threat from a flash-loan opportunist chasing a fresh listing. It's archaeology, and it pays.
The broader backdrop doesn't help. DeFi has been bleeding to exploits all year, and the tooling on the attacking side keeps getting sharper. Researchers and bad actors alike have started pointing AI models at smart-contract code to surface vulnerabilities faster than humans reading line by line. That cuts both ways, obviously. The same scanning that helps a security firm find a bug before launch helps someone else find it in a contract that launched two years ago.
Which, frankly, was always going to happen. Onchain code is public by design. The audit asymmetry (defenders need to find every flaw, attackers need one) gets worse when one side can automate the search.
The deprecation problem, stated plainly
There's a question every protocol with a multi-year history now has to answer: what's still live that you've forgotten about?
Most users assume that when a team says "we've migrated to V3," the old versions are inert. They aren't. They're frozen, and frozen code with a balance is a target that never moves and never patches itself. Pulling liquidity out of a deprecated pool is the cleaner fix, but it requires someone to remember the pool exists and to actually do it. The Raydium incident is a reminder that this housekeeping is security work, not paperwork.
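The housekeeping described above is easy to state and easy to forget, so it helps to make it a scheduled check rather than a memory. The script below is an added example, not Raydium's code: it keeps an inventory of vaults belonging to retired pools, queries each balance, and raises two kinds of alert, one when a deprecated vault still holds funds (stranded liquidity that should be withdrawn) and one when a balance falls sharply between two runs (a possible drain). The Solana JSON-RPC method name getTokenAccountBalance is real; the pool names, vault addresses, balances and the offline fetcher are constructed placeholders so the example runs without network access.

```python
"""Inventory-and-alert check for vaults of deprecated pools.

Added example, not the protocol's own tooling. The JSON-RPC method
getTokenAccountBalance exists on Solana RPC nodes; every pool name,
vault address and balance below is a constructed placeholder.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed inventory: the protocol's own record of pools it has retired.
# Raw token units are used throughout (for 6 decimals, 1_000_000 == 1.0).
DEPRECATED_VAULTS = [
    {"pool": "legacy-amm-pool-A (placeholder)", "vault": "VAULT_A_PLACEHOLDER"},
    {"pool": "legacy-amm-pool-B (placeholder)", "vault": "VAULT_B_PLACEHOLDER"},
    {"pool": "legacy-amm-pool-C (placeholder)", "vault": "VAULT_C_PLACEHOLDER"},
]

# Constructed snapshots standing in for the previous run and the live query.
LAST_SNAPSHOT = {
    "VAULT_A_PLACEHOLDER": 800_000_000_000,
    "VAULT_B_PLACEHOLDER": 0,
    "VAULT_C_PLACEHOLDER": 120_000_000,
}
CURRENT_BALANCES = {
    "VAULT_A_PLACEHOLDER": 5_000_000,      # almost everything left since last run
    "VAULT_B_PLACEHOLDER": 0,              # already emptied: nothing to alert on
    "VAULT_C_PLACEHOLDER": 120_000_000,    # untouched, but still holding funds
}


@dataclass
class Alert:
    pool: str
    vault: str
    kind: str    # "stranded": funds still sit in a retired pool; "drain": sharp drop
    detail: str


def build_balance_request(vault: str, request_id: int = 1) -> str:
    """JSON-RPC body for Solana's getTokenAccountBalance (real method name)."""
    return json.dumps({"jsonrpc": "2.0", "id": request_id,
                       "method": "getTokenAccountBalance", "params": [vault]})


def parse_balance(response: dict) -> int:
    """Extract the raw integer amount from a getTokenAccountBalance response."""
    return int(response["result"]["value"]["amount"])


def rpc_fetcher(post: Callable[[str], dict]) -> Callable[[str], int]:
    """Adapt a transport (post(json_body) -> parsed JSON) into a balance lookup."""
    return lambda vault: parse_balance(post(build_balance_request(vault)))


def constructed_fetcher(balances: Dict[str, int]) -> Callable[[str], int]:
    """Offline stand-in for the RPC transport: looks balances up in a dict."""
    return lambda vault: balances[vault]


def check_deprecated_vaults(inventory: List[dict], fetch_balance: Callable[[str], int],
                            previous: Dict[str, int], drain_ratio: float = 0.5) -> List[Alert]:
    """Flag stranded funds and drains across every vault in the inventory.

    A vault is 'stranded' when its balance is above zero at all: deprecated
    code should hold nothing. A 'drain' is a drop of more than drain_ratio
    relative to the previous snapshot; a planned withdrawal trips it too,
    which is the point, since the operator should recognise their own action.
    """
    alerts: List[Alert] = []
    for entry in inventory:
        vault = entry["vault"]
        balance = fetch_balance(vault)
        if balance > 0:
            alerts.append(Alert(entry["pool"], vault, "stranded",
                                f"{balance} raw units still held in a deprecated pool"))
        prev = previous.get(vault)
        if prev is not None and prev > 0 and balance < prev * (1 - drain_ratio):
            alerts.append(Alert(entry["pool"], vault, "drain",
                                f"balance fell from {prev} to {balance} since last run"))
    return alerts


def run_demo() -> List[Alert]:
    """Run the check against the constructed snapshots."""
    return check_deprecated_vaults(DEPRECATED_VAULTS,
                                   constructed_fetcher(CURRENT_BALANCES), LAST_SNAPSHOT)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"[{alert.kind}] {alert.pool} / {alert.vault}: {alert.detail}")
```

On the constructed data the run yields three alerts: pool A is both stranded and drained, pool C is stranded, and pool B, already empty, is silent. In practice the "stranded" alert is the one to act on before anything happens; it is the list of pools whose liquidity should be pulled, which is the cleaner fix the text describes.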
What Raydium has said, and what's still open
As of the initial reports, the exploit was confined to those five deprecated pools rather than the exchange's current, active liquidity. That distinction matters for users wondering whether their funds in the live product were ever at risk. The early signal is that they weren't.
A few things still aren't settled. The exact mechanism of the exploit, how the attacker triggered the drain in those specific contracts, wasn't fully detailed at the time of the first reporting. Neither was whether Raydium intends to reimburse affected liquidity providers, which is the question those depositors actually care about. Some protocols cover losses from a treasury or insurance fund. Others don't, and point to the risks LPs agreed to. We don't know yet which path Raydium takes here.
Then there's the recovery question. Onchain, the stolen funds are visible and traceable, which is both the blessing and the curse of public ledgers. Tracing doesn't equal recovering. Attackers move proceeds through bridges and mixers, and on Solana the laundering routes differ from those on Ethereum, but they exist. Whether any of the $1.34 million comes back is anyone's guess.
Meanwhile, the wider market barely flinched. SOL was up a few percent on the day, sitting around $65, and RAY held its ground. A million-dollar exploit no longer moves a token's price the way it might have in 2021. Make of that what you will. It either reflects a maturing market that prices in tail risk, or a market that's gotten numb to a problem it hasn't solved.
What to watch next
The immediate thing to track is Raydium's official post-mortem. A credible breakdown of the vulnerability, with the specific pool addresses and the transaction trail, is the difference between a team that understands what hit it and one that's still guessing. The timing of that disclosure, and how candid it is about the LP reimbursement question I flagged above, will tell you most of what you need to know about how they're handling it.
The longer game is what other protocols do now. If the Raydium exploit prompts a round of teams quietly auditing their own deprecated contracts and pulling stranded liquidity, that's a healthy outcome from a bad event. The pools that drained on Wednesday were, after all, the kind every long-running protocol has somewhere in its history.
The ones that don't go looking are betting that the AI-assisted code readers won't find their old contracts first. That's a bet I wouldn't take.