Raydium, one of the largest decentralized exchanges on Solana, confirmed on June 10, 2026 that an attacker pulled roughly $1.34 million out of five deprecated liquidity pools tied to its retired AMM V3 program. The exchange said no current users lost funds and that its treasury will cover the full amount. The disclosure was reported by CoinGecko and confirmed in Raydium's own update.
The drained pools were old Serum-era markets that stopped being routed through the official interface years ago: Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL. According to Raydium, the assets taken came to about 893,700 USDC, 150,177 RAY, and 5,603 SOL. With Solana trading near $64.37 as of June 11, 2026, the SOL portion alone is worth around $360,000.
A program that was supposed to be dead
The AMM V3 program was phased out in 2021 after the collapse of the Serum order book it relied on. The pools were never accessible through Raydium's current UI, SDK, or DApp, so to a normal user they had effectively vanished. The code, though, stayed deployed on-chain, and that is the part that matters. A smart contract does not stop existing because a front end stops pointing at it. Anyone who can construct the right transaction can still call it directly.
Raydium's modern infrastructure was untouched. Its concentrated liquidity pools and AMM V4 program kept routing the bulk of activity, leaving the platform's roughly $777 million in total value locked and $148 million in daily volume running through code the attacker never reached, per Raydium's figures. The damage was contained to the forgotten corner of the system.
The flaw was in how LP tokens got minted
The reported root cause sits in the liquidity-provider mint logic of the old program. Raydium said the AMM V3 code "did not properly verify the LP mint address," which let the attacker supply a fake mint and slip past the checks that are meant to keep a deposit proportional to the pool. With those guardrails bypassed, the attacker could mint LP tokens that did not correspond to real value and redeem them against the genuine reserves sitting in the pools.
That class of bug is unglamorous and specific, which is the point. This was not a flash-loan price oracle game or a governance takeover. It was a validation gap in deprecated code that nobody was watching, exploited because it was still callable. Decrypt placed the incident inside a wider run of DeFi attacks in 2026, a year in which abandoned and legacy contracts have repeatedly turned into the soft entry point.
Treasury reimbursement instead of a negotiation
Rather than open a public plea to the attacker or wait on a bounty, Raydium said treasury funds will fully reimburse the affected assets. That is a meaningful distinction from the recovery limbo many protocols end up in after a drain. Because the loss is small relative to the project's reserves and no active user balances were involved, Raydium can absorb it directly and close the matter without socializing the damage across current liquidity providers.
For users, the practical takeaway is narrow but real. The funds at risk were not yours unless you were among the few holding positions in a 2021-era Sollet market, which the exchange says no one was through its official surfaces. The reputational question is larger than the dollar figure: a top Solana venue left exploitable code live for years.
The custody lesson underneath the headline
Incidents like this are why on-chain spending and self-custody options come with their own homework. When you spend a stablecoin balance like USDC directly from a wallet or route funds through a Solana app such as Solflare, the security model is the contract code, not a support desk. A custodial card provider can freeze and reissue. A non-custodial flow cannot, which is the tradeoff behind every comparison on the crypto card hub. Smart-contract risk does not disappear because an interface looks clean; it lives in whatever the chain will still execute.
The encouraging detail here is the response. Raydium isolated the blast radius to dead code, kept its live systems running, and chose to make affected parties whole from its own reserves rather than drag out a recovery. That is roughly the best version of how a $1.34 million exploit can end.
Overview
An attacker exploited an LP mint validation flaw in Raydium's retired AMM V3 program to drain about $1.34 million from five deprecated Solana pools on June 10, 2026. The haul included roughly 893,700 USDC, 150,177 RAY, and 5,603 SOL. No active users were affected, the exchange's modern CLMM and AMM V4 systems were untouched, and Raydium said its treasury will fully reimburse the loss. The episode is a reminder that deprecated on-chain code stays callable long after a front end retires it.
