Raydium, a decentralized finance protocol on the Solana blockchain, officially confirmed on June 10, 2026, that it will provide a full refund to users impacted by a $1.34 million exploit.
The security breach targeted the protocol’s deprecated legacy AMM V3 program pools and resulted in the theft of USD Coin (USDC), Raydium (RAY), and Wrapped SOL (wSOL). Raydium management has committed to covering the total compensation through its own treasury.
The incident came to light following a suspected exploit that occurred on June 3, 2026. After a week of investigation, the team confirmed the scope of the losses and the specific pools affected. Blockchain data reveals that the attacker moved the stolen assets from the Solana network to Ethereum via cross-chain bridges.
The funds were then deposited into the Tornado Cash mixing service to obscure their origin.
This swift commitment to a refund aims to stabilize user confidence in the protocol during a period in which mid-cap tokens face waves of selling pressure. By utilizing treasury funds, Raydium bypasses the need for insurance claims or law enforcement recovery, which is often impossible once funds enter privacy mixers.
The protocol continues to operate its primary trading functions while addressing the fallout from the legacy pool breach.
Security flaws in Raydium’s deprecated liquidity pools
The exploit specifically focused on Raydium’s older, deprecated AMM V3 program. While the platform has moved much of its traffic to newer iterations, these legacy pools still held significant capital. An attacker identified a vulnerability in these aging smart contracts to drain approximately $1.34 million in liquidity.
The method involved extracting assets and immediately bridging them off the Solana chain. By moving USDC and wSOL to Ethereum, the perpetrator likely sought to avoid the possibility of asset freezes that centralized issuers can perform on specific blockchains. This highlights the ongoing risk of maintaining “technical debt” in the form of older, less-monitored code.
As utility shifts dictate 2026 market strategies, the industry is increasingly focused on decommissioning old contracts. Raydium’s experience shows that even pools no longer under active development remain prime targets. The protocol must now reconcile its support for legacy systems with the need for airtight security across all active contracts.
Tracing the movement of assets to Tornado Cash
Once the stolen USDC and RAY reached the Ethereum network, the attacker utilized Tornado Cash to break the on-chain link between the theft and the final destination of the funds. This maneuver is a common tactic used to bypass anti-money laundering (AML) controls. The use of such mixers significantly complicates recovery efforts for decentralized protocols.
Because the funds are now masked, Raydium’s decision to tap its treasury was largely seen as the only viable path to making victims whole. Waiting for a legal or technical recovery of assets from a mixer is rarely successful. This pragmatic approach mirrors how other major DeFi players have handled similar breaches to maintain their market standing.
Comparing the 2026 breach to the December 2022 exploit
This is not the first major security hurdle for Raydium. On December 16, 2022, the protocol suffered a significantly larger exploit that resulted in a loss of roughly $5.5 million. In that historical case, a trojan virus compromised the private key of the Liquidity Pool owner, granting the attacker administrative control.
The 2022 attack was technically distinct, as the hacker manipulated smart contract parameters to treat entire liquidity pools as transaction fees. This allowed the attacker to invoke the `withdrawpnl()` instruction to drain the vaults. While the June 2026 exploit is smaller at $1.34 million, it serves as a stark reminder of the persistent threats facing Solana-based infrastructure.
Lessons learned from previous compensation processes
Raydium is leaning on the blueprint it created during the 2022 recovery. Following that incident, the protocol launched a Claim Portal and used its own unlocked tokens to compensate those who lost RAY. A DAO proposal in late 2022, which passed with over 5.5 million votes, authorized the use of the treasury to purchase missing stablecoins.
The current refund process is expected to follow a similar structured distribution. In the past, the portal remained open for several months to ensure all individual liquidity providers could claim their funds. Raydium has already upgraded several smart contracts to remove the administrative controls that were exploited in the previous incident, though the recent exploit targeted a different vulnerability.
Regulatory pressure and the future of DeFi security
Recurring exploits in the decentralized exchange (DEX) space are drawing increased attention from government bodies. Recent CFTC market oversight claims suggest that regulators are preparing to enforce stricter standards on how DeFi protocols manage user capital and security audits. Raydium’s proactive refund might be a way to demonstrate self-regulation capacity.
If the industry moves toward mandatory insurance or capital reserve requirements, the “refund from treasury” model could become a formalized standard. For now, Raydium users are advised to stay alert for the official launch of the June 2026 refund portal. The team has warned users to verify all links to avoid phishing attempts that often follow such high-profile security events.
The protocol remains active for its v4 pools and primary trading pairs. The technical post-mortem will likely influence how Raydium manages its remaining legacy code. For the broader Solana ecosystem, the incident emphasizes that constant auditing is required not just for new features, but for every line of code still reachable on-chain.
