Raydium, a Solana-based decentralized protocol, reported an exploit on Wednesday joining Humanity and Token of Power in the list of breached DeFi protocols this week. The attack hit Raydium’s obsolete version of the platform’s Automated Market Maker software, dubbed AMM V3.
After multiple onchain intelligence firms including PeckShield flagged the exploit, the official X handle of Raydium Infra posted an update detailing the incident. It highlighted that the funds tied to the current users of the protocol are unaffected by the incident.
Biopsy of the attack
When users supply liquidity to Raydium, they receive Liquidity Provider (LP) tokens as redemption tickets. Later, that ticket to get your money back. The system is supposed to calculate exactly how much money users get based on the ticket they hold.
In order to execute the attack, the exploiter targeted a critical logic flaw hidden within the verification parameters of the older code. Because the AMM V3 protocol has been dormant since 2021, regular software updates were not being deployed to its code.
The hacker first generated fake, counterfeit LP tokens worth $1.34 million and presented it to the AMM V3 system.
The old code failed to verify the ticket’s authenticity and fell for the trick. The legacy pool bypassed its own math checks and handed the hacker $1.34 million worth of real crypto. A total of 893,700 USDC, 5,603 SOL, and 150,177 RAY tokens were stolen as part of the attack.
“Legacy AMM V3 was previously only enabled to use deposited funds to place orders on the Serum order book. The program did not provide swap functionality and following the deprecation of Serum, the associated liquidity remained idle,” Raydium noted.
The project’s team also vouched that they will use funds from Raydium’s own backup treasury to fully reimburse the lost funds — ensuring that those who actually owned that idle money will lose a dime.
The protocol maintains that the exploit has not happened because of a key compromise or authority-level issue.
“Raydium’s current programs are unaffected by this exploit. @Raydium core contributors are conducting a security review on all mainnet programs,” the update noted. “The market value of assets exploited is $1.34m. Full compensation will be handled by Raydium’s treasury.”
Intelligence firms on alert amid rising threats around DeFi
Security firm PeckShield said the attacker was initially funded from the KuCoin crypto exchange. The stolen funds are already being wired into automated, non-custodial exchange FreeFloat and crypto mixer platform TornadoCash.
Earlier this week, over $1.5 million were stolen from DeFi project Token of Power ($TOP). The exploit had hit the project’s Balancer V1 liquidity pool — automated trading vault that held a 50-50 mix of $TOP tokens and Wrapped Ethereum (WETH), a tradeable version of the standard ETH token.
This week itself, blockchain-based digital identity project Humanity Protocol was breached for $36 million in user funds via an employee’s compromised laptop.
