The attacker exchanged the loot for 810 ETH before dispersing it.
deBridge, Tornado Cash and FixedFloat were used to hide the trail.
The decentralized exchange, Raydium, suffered an exploit of approximately USD 1.3 million in five legacy liquidity pools on the Solana network, an incident that was reported on June 10, 2026. The exploit originated in a vulnerability present in old versions of Raydium’s AMM V3, a system that has been deprecated since 2021.
The attacker created a fake LP token and used it to exploit a flaw in the validation of smart contracts, which verified the supply of the token but not the address of andmission associated. That difference allowed the attacker to burn the fake token and will withdraw 100% of the reserves stored in five inactive pools of the protocol.
The affected pools They were created during the integration stage with Serum and later discontinued in Solana. Among them were the pairs Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY and RAY-SOL. Altogether, the attacker managed to steal approximately 150,177 RAY, 5,603 SOL and 893,700 USDC.
According to data from the incident analysis, the attacker’s wallet was initially funded through the KuCoin exchange. Subsequently, the funds were transferred to the Ethereum network through the deBridge protocol, where The attacker converted approximately 810 ETH before dispersing it through mixing services such as Tornado Cash and FixedFloat to make them difficult to track.
Raydium confirmed the incident through its technical team and highlighted that no active users were affected. The reason is that the compromised pools were not accessible from its interface, SDK or DApp for years, since they had been removed from operation after internal protocol migrations. In response, The team announced that it will reimburse 100% of the losses with funds from its treasury and that it will enable a complaints system through a public spreadsheet, while reviewing other old programs to confirm that the vulnerability does not extend to active versions.
The incident reopens the debate about the persistence of the so-called “zombie code” in DeFi, that is, smart contracts that are abandoned but remain executable on cryptocurrency networks. Although they are not part of the actual operation of the protocols, they may retain locked value or vulnerable logic that remains exposed indefinitely.
Likewise, beyond the specific impact, The case is part of a broader trend within the ecosystem. In April 2026 alone, more than 34 hacks were recorded in decentralized finance protocols, with losses that reached approximately USD 635 million, accounting for 78% of the total stolen so far this year, as reported by CriptoNoticias. In that same period, incidents such as Drift Protocol or Kelp DAO showed that attack vectors range from governance failures to critical infrastructure compromises, expanding the risk surface across the sector.
In this context, The Raydium exploit does not stand out for its magnitude, but for its nature: It did not affect active systems of the protocol, but rather components that continued to be executable in the chain despite having been taken out of use. These types of incidents reinforce an increasingly visible dynamic in DeFi, where risk is not limited to the infrastructure in operation, but can also emerge from contracts that remain accessible even if they are no longer part of the daily operation of the protocol.