← Back to archive
Hack·resolved

Raydium Retired AMM Exploit Drained Five Inactive Pools

Raydium said a retired Solana AMM program was exploited on 2026-06-10, draining roughly $1.34 million from five inactive liquidity pools, with the treasury designated to compensate affected users.

Abstract

On 2026-06-10, Raydium said a retired automated market maker program on Solana was exploited, with roughly $1.34 million drained from five inactive liquidity pools.<sup class="cite">[1]</sup><sup class="cite">[2]</sup><sup class="cite">[3]</sup> The principal documented mechanism was therefore an exploit affecting legacy smart-contract infrastructure rather than active pools, although the present record does not establish the specific technical flaw that enabled the drain. Raydium further said that affected users would be compensated and that treasury resources would cover the losses.<sup class="cite">[4]</sup><sup class="cite">[5]</sup> Severity was limited relative to larger archive losses but material in demonstrating residual risk in retired code paths. What is established is the date, affected component class, number of pools, and stated compensation plan; what remains contested or unverified includes root cause, attacker attribution, transaction-level tracing, and any recovery outcome.

Methodology

This post-mortem relies on the structured incident brief, its cited public reporting, the event timeline, and the comparative analytics supplied for archive context. The verification standard applied here is conservative: only facts explicitly stated in the brief are treated as established, and unresolved elements are described conditionally or as unconfirmed. Because the present record does not include court filings, audit reports, transaction hashes, wallet addresses, or protocol-authored technical disclosures beyond the summarized public statement, the analysis is limited to documented chronology, stated impact, and cross-event comparison within the archive.

Raydium said that a retired automated market maker program was exploited on 2026-06-10, producing a loss event on Solana that affected legacy liquidity infrastructure rather than currently described active pools.[1] The documented loss was roughly $1.34 million, and the affected set consisted of five inactive Raydium liquidity pools.[2][3] On the present record, the incident is best understood as a smart-contract failure involving residual exposure in a retired system, although the dossier does not establish the exact bug, privilege path, or state transition that permitted the drain.

The earliest pivotal fact established in the record is Raydium’s statement that the retired AMM program itself was exploited on 2026-06-10.[1] That framing matters because it places the incident in the category of legacy-contract compromise rather than a front-end issue, governance action, or market-manipulation event. The brief does not indicate that the affected pools were active at the time; instead, it identifies five inactive liquidity pools as the assets impacted by the exploit.[3] In practical terms, the event appears to have involved code or permissions that remained capable of moving value even after the relevant pools were no longer in ordinary use, but the present record does not establish whether that capability arose from an unrevoked authority, an accounting flaw, or another contract-level defect.

The second pivotal fact is the scale and concentration of the loss. Public reporting cited in the brief stated that roughly $1.34 million was drained, and that this amount came from five inactive Raydium liquidity pools.[2][3] No transaction hashes, attacker addresses, or pool-by-pool balances are provided in the dossier, so the sequence by which the funds were extracted cannot be reconstructed here at transaction level. It has therefore not been established, as of 2026-06-15, whether the exploit was executed in a single transaction or across multiple calls, whether the pools shared a common administrative dependency, or whether the same flaw could have affected additional dormant contracts that happened not to hold material balances. What is documented is narrower: a retired AMM program was the locus of compromise, five inactive pools were affected, and the resulting loss was roughly $1.34 million.[1][2][3]

The available chronology also indicates that the protocol’s immediate public response focused on loss coverage rather than technical disclosure. Raydium said impacted users would be compensated, and the treasury said it would cover the losses.[4][5] That statement established an intended financial remediation path at the protocol level, but it did not by itself establish execution details such as eligibility criteria, timing, claims mechanics, or whether compensation had already been distributed. The distinction is material: a stated intent to compensate is not the same as a completed reimbursement process. As of the present record, the compensation plan has been announced, but the dossier does not document completed payouts, a recovery percentage, or any return of funds from the exploiter address set.[4][5]

From a mechanism perspective, the incident illustrates a recurrent failure mode in decentralized-finance systems: software or authorities associated with retired components can remain economically live after operational retirement. Here, the protocol statement tied the exploit specifically to a retired AMM program, while the drained assets were located in inactive liquidity pools.[1][2][3] That combination suggests that deprecation did not fully eliminate extractable value from the affected contract environment. The brief’s pattern labels identify single_point_of_control and absence_of_withdrawal_monitoring as relevant lessons, but the dossier does not provide enough technical detail to determine exactly how those patterns manifested in this case. It has not been established whether a single privileged key, a retained upgrade path, a stale authority, or a contract logic edge case was the operative control weakness. Likewise, the record does not establish whether monitoring failed to detect anomalous withdrawals in real time or whether the event was identified only after funds had already left the pools.

The lack of technical specificity also constrains interpretation of the term “retired.” In protocol operations, retirement can mean that a contract is no longer routed to by the front end, no longer recommended for use, or no longer expected to receive new deposits; it does not necessarily mean that all authorities have been revoked or that all balances have been withdrawn. The documented facts here are consistent with that broader operational distinction: the affected pools were inactive, yet still held enough value for roughly $1.34 million to be drained when the retired AMM program was exploited.[2][3] Without contract-level disclosures, however, it remains unverified whether the exploit depended on dormant balances being left in place, on a permissions model that remained valid after retirement, or on some other latent condition in the legacy deployment.

The documented consequences were primarily financial and operational. The immediate material impact was the loss of roughly $1.34 million from five inactive liquidity pools tied to the retired AMM program.[1][2][3] The principal announced resolution measure was that impacted users would be compensated and that treasury resources would cover the losses.[4][5] The present dossier does not document litigation, regulatory action, law-enforcement involvement, technical patch notes, or any on-chain recovery. It therefore establishes the occurrence of the exploit and the stated compensation commitment, but not a completed legal or technical resolution.

Discussion

Within CryptoMortem’s archive, this incident ranked #39 of 45 by severity, placing it in the 15.6th percentile overall, and #23 of 26 within the hack category. That positioning indicates a comparatively small loss event in dollar terms, even though the mechanism remains analytically important because it involved residual exposure in retired smart-contract infrastructure. The archive contained 46 total events, with 16 in the 12 months preceding this incident, so the case occurred in a period of continued incident density rather than in isolation. The assigned attack vector, smart_contract_bug, had 5 prior events in the archive with cumulative $0.31B affected and mean recovery 50.0%; 1 was fully recovered and 1 had low/no recovery. Against that comparison set, the present case fit a known but not dominant failure class, and its unresolved recovery status remained notable because smart-contract incidents in the archive have not converged on a uniform remediation pattern. By contrast, the broader hack category included 12 other records with mean recovery 91.6% and mean resolution 465 days, suggesting that category-level averages may obscure materially weaker outcomes for contract-specific failures. The pattern labels are also significant. single_point_of_control had been observed in 21 prior events, including 5 in the past 12 months, while absence_of_withdrawal_monitoring had appeared in 9 prior events, including 4 in the past 12 months. Even without a fully disclosed root cause, the recurrence counts indicate that legacy permissions, concentrated control paths, and insufficient withdrawal detection remained persistent structural issues across the archive. In that sense, the Raydium event was not exceptional in scale, but it was representative of a repeatedly catalogued operational weakness: decommissioned systems can remain economically reachable after they are no longer treated as active products.

Comparative analytics

All comparisons computed against the 46-event CryptoMortem archive at time of publication.

  • Severity rank across full archive: #39 of 45 (15.6th percentile).
  • Severity rank within same event type: #23 of 26.
  • Attack vector "Smart Contract Bug": 5 prior events in archive, cumulative $311M, mean recovery 50.0%; 1 fully recovered, 1 with low or no recovery.
  • Event type "Hack": 12 other records in archive, mean recovery 91.6%, mean resolution 465 days.
  • Pattern "Single Point Of Control": observed in 21 prior events (5 in the past 12 months).
  • Pattern "Absence Of Withdrawal Monitoring": observed in 9 prior events (4 in the past 12 months).
  • Archive context: 46 events catalogued; 16 in the 12 months preceding this incident.

Limitations

The present record is narrow. It does not establish the technical root cause of the exploit, so the specific contract flaw, authority misuse, or execution path remains unresolved. It also does not identify an attacker or provide attribution, and therefore no conclusion can be drawn about whether the exploit was opportunistic, insider-enabled, or linked to prior activity. In addition, the dossier does not provide on-chain transaction hashes, wallet addresses, or a recovery percentage, which prevents transaction-level reconstruction and prevents verification of any fund movements after the drain. The compensation plan is documented as a protocol statement, but the present materials do not establish whether reimbursements have been completed or on what timetable.

Timeline

  1. Exploit hits retired AMM program

    Raydium said a retired AMM program was exploited, affecting inactive liquidity pools.

    source →
  2. About $1.34 million drained

    The exploit drained roughly $1.34 million from five inactive Raydium liquidity pools.

    source →
  3. Treasury says it will cover losses

    Raydium said the treasury would cover the losses and impacted users would be compensated.

    source →

Who was involved

Structural failures identified

Sources

  1. Raydium DEX says $1.34 million exploit hit retired AMM program, treasury to cover losses, The Block — Exploit amount, affected pools, compensation plan, and retired AMM program context