Raydium Core Contributor: Stolen Assets to Be Fully Compensated, Current Mainnet Programs Unaffected

Odaily reported that Raydium core contributor InfraRAY stated on platform X that the team has confirmed an attack on the old AMM V3 program, which had been discontinued since 2021. The attacker has unauthorizedly removed some liquidity, but this incident does not affect current Raydium users. Furthermore, the affected liquidity pools have been inaccessible via the official Raydium UI since their deactivation, and the Raydium SDK and DApp also do not support operations on the old AMM V3 pools on the mainnet.

The five affected liquidity pools are: Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL. Preliminary estimates indicate stolen assets include approximately 150,177 RAY, 5,603 SOL, and 893,700 USDC, with a total value of around $1.34 million. Related losses will be fully compensated from the treasury.

Investigations show that the vulnerability stems from insufficient verification of LP token mint addresses. The attacker bypassed the protocol's proportional validation mechanism by creating new LP tokens and impersonating legitimate LP tokens, thus withdrawing funds. However, this incident is an isolated logic vulnerability, not caused by a private key leak or permission breach, and there is no risk of contagion. Currently, all active Raydium mainnet programs remain unaffected.