Blockchain Academics
Raydium Legacy AMM V3 Exploited for $1.34M Through LP Mint Flaw

Raydium's deprecated Legacy AMM V3 program was exploited for $1.34 million on June 10 after an attacker bypassed LP mint validation checks in idle pools. The attack targeted five unused pools without compromising private keys or affecting the protocol's active mainnet infrastructure.

Blockchain Academics | June 10, 2026 | 2 min read

Raydium's deprecated Legacy AMM V3 program suffered a $1.34 million exploit on June 10 after an attacker bypassed LP mint validation checks in idle pools. The vulnerability allowed the attacker to create a fake liquidity provider (LP) mint, draining five unused pools without compromising any private keys or affecting the protocol's active mainnet infrastructure.

The attack exploited a specific logic flaw in the Legacy AMM V3 smart contract where proportion checks during LP minting were insufficiently validated. By constructing a fraudulent LP mint, the attacker circumvented safeguards designed to ensure deposits matched the pool's asset ratios. The five pools targeted were inactive, containing only residual liquidity from earlier operations. Raydium's current mainnet programs and software development kit (SDK) remain fully operational and unaffected by the breach.
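A simplified Rust model of the two safeguards this paragraph names, LP mint identity and deposit proportion, added here as an illustration. It is not Raydium's code or a reconstruction of the exploited instruction, and every type, function and sample value in it is hypothetical.

```rust
use std::convert::TryFrom;

// Simplified model of an AMM deposit check. Hypothetical names, not Raydium code.
#[derive(Debug, PartialEq)]
pub enum AmmError { WrongLpMint, EmptyPool, ZeroMint, Overflow }

pub struct Pool { pub lp_mint: [u8; 32], pub reserve_a: u64, pub reserve_b: u64 }
pub struct MintAccount { pub address: [u8; 32], pub supply: u64 }

/// LP tokens to issue for a deposit of (dep_a, dep_b).
pub fn lp_to_mint(pool: &Pool, mint: &MintAccount, dep_a: u64, dep_b: u64) -> Result<u64, AmmError> {
    // Identity check: the caller-supplied mint account must be the one
    // recorded in pool state, so a look-alike mint is rejected up front.
    if mint.address != pool.lp_mint {
        return Err(AmmError::WrongLpMint);
    }
    // Idle pools may be drained to nothing on one side; never divide by zero.
    if pool.reserve_a == 0 || pool.reserve_b == 0 || mint.supply == 0 {
        return Err(AmmError::EmptyPool);
    }
    // Proportion check: each side's share is computed in u128, rounded down.
    let share = |dep: u64, reserve: u64| -> Result<u64, AmmError> {
        let v = (dep as u128) * (mint.supply as u128) / (reserve as u128);
        u64::try_from(v).map_err(|_| AmmError::Overflow)
    };
    // The smaller share wins, so an off-ratio deposit cannot over-mint.
    let lp = share(dep_a, pool.reserve_a)?.min(share(dep_b, pool.reserve_b)?);
    if lp == 0 { Err(AmmError::ZeroMint) } else { Ok(lp) }
}

fn sample() -> (Pool, MintAccount, MintAccount) {
    // Constructed sample state: the 32-byte addresses are placeholders.
    let pool = Pool { lp_mint: [1; 32], reserve_a: 10_000, reserve_b: 20_000 };
    let real = MintAccount { address: [1; 32], supply: 1_000 };
    let forged = MintAccount { address: [9; 32], supply: 1 };
    (pool, real, forged)
}

fn main() {
    let (pool, real, forged) = sample();
    println!("{:?}", lp_to_mint(&pool, &real, 100, 200)); // in-ratio deposit
    println!("{:?}", lp_to_mint(&pool, &real, 100, 20)); // off-ratio deposit
    println!("{:?}", lp_to_mint(&pool, &forged, 100, 200)); // wrong mint account
}
```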

Raydium, one of Solana's largest automated market makers (AMMs) by trading volume, has been actively migrating users to newer protocol versions over the past two years. The Legacy AMM V3 represents older infrastructure that, while deprecated, remained accessible on-chain. This exploit underscores a recurring challenge in DeFi: the persistence of legacy code long after it has been superseded. Unlike traditional software where deprecated versions can be removed from servers, blockchain-based smart contracts remain permanently executable once deployed, creating lingering security surface area.

The $1.34 million loss remained confined to abandoned pools. Raydium's active trading infrastructure and user-facing liquidity pools were never at risk. The protocol's total value locked (TVL) across active pools exceeds $400 million, placing the loss in context as a contained incident rather than a systemic failure. No user funds held in current Raydium programs were compromised.

The incident highlights the importance of rigorous deprecation procedures in DeFi. Protocols transitioning users to new versions face a choice: formally sunset legacy contracts through governance, implement additional access controls, or monitor for exploits indefinitely. Raydium has not yet announced whether it will implement additional safeguards on the Legacy AMM V3 or pursue a formal deprecation through its governance token.

This exploit joins a growing list of vulnerabilities in dormant DeFi contracts. The pattern suggests that as protocols accumulate multiple versions over time, security teams must account for legacy code in their ongoing maintenance processes, not treat deprecation as a clean handoff to users. For Raydium's active user base, the incident poses minimal direct risk but serves as a reminder that using current versions and monitoring official announcements remains critical in DeFi.
