On June 10, an attacker drained roughly $1.34 million from Raydium, the largest decentralized exchange on Solana, without touching a single active user position. The exploit hit five liquidity pools tied to Raydium’s legacy AMM V3 program, code deprecated in 2021 after the Serum protocol was sunset, but never fully wound down on-chain. The haul: approximately 150,177 RAY, 5,603 SOL, and 893,700 USDC from the Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL pools. Raydium has pledged a full refund from its treasury, and its current CLMM and newer AMM pools were unaffected. The lesson is not about Raydium’s response, which was fast and clean. It is about the attack surface nobody audits: the code you retired but never killed.
The root cause was insufficient validation of the LP mint: the attacker created a fraudulent liquidity provider mint and used it to bypass the checks that should have blocked withdrawal, a self-contained logic flaw sitting dormant in five-year-old contracts. The laundering trail was textbook 2026: initial funding through KuCoin, stolen funds bridged from Solana to Ethereum, then per PeckShield roughly 810 ETH deposited into Tornado Cash and 7 ETH to FixedFloat, from exploiter address 4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk. Two days earlier, Yuga Labs was running its white-hat counter-operation to rescue $500,000-plus in Bored Apes and CryptoPunks from the Flooring Protocol exploit, where gas-optimized code hid two underflows from auditors and the architect suspected AI-assisted attack tooling. Different chains, different vectors, same week, same conclusion.
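The LP-mint validation failure described above can be modelled in a few lines. This is an added example, not Raydium's code: it assumes the simplest form of the bug class, in which a withdraw handler never compares the supplied LP token account's mint with the mint stored in pool state, and every type, field and function name in it is hypothetical.

```rust
// Simplified model of LP-mint binding in a withdraw handler.
// Every type, field and function name here is hypothetical (not Raydium's code).
#[derive(Debug, PartialEq)]
enum WithdrawError { LpMintMismatch, InsufficientLp, EmptyPool }

struct Pool {
    lp_mint: [u8; 32], // mint recorded when the pool was created
    lp_supply: u64,    // LP tokens outstanding for this pool
    reserve: u64,      // single reserve, to keep the model short
}

struct LpTokenAccount {
    mint: [u8; 32], // mint that issued the tokens in this account
    amount: u64,
}

// Shared pro-rata payout: burn LP tokens, release the matching reserve share.
fn redeem(pool: &mut Pool, lp: &mut LpTokenAccount, burn: u64) -> Result<u64, WithdrawError> {
    if pool.lp_supply == 0 { return Err(WithdrawError::EmptyPool); }
    if burn > lp.amount || burn > pool.lp_supply { return Err(WithdrawError::InsufficientLp); }
    let out = (burn as u128 * pool.reserve as u128 / pool.lp_supply as u128) as u64;
    lp.amount -= burn;
    pool.lp_supply -= burn;
    pool.reserve -= out;
    Ok(out)
}

// Weak form: trusts whatever LP token account the caller supplies.
fn withdraw_unbound(pool: &mut Pool, lp: &mut LpTokenAccount, burn: u64) -> Result<u64, WithdrawError> {
    redeem(pool, lp, burn)
}

// Hardened form: the account's mint must equal the mint stored in pool state.
fn withdraw_bound(pool: &mut Pool, lp: &mut LpTokenAccount, burn: u64) -> Result<u64, WithdrawError> {
    if lp.mint != pool.lp_mint { return Err(WithdrawError::LpMintMismatch); }
    redeem(pool, lp, burn)
}

// Constructed sample state: a pool plus an LP account issued by an unrelated mint.
fn sample() -> (Pool, LpTokenAccount) {
    (Pool { lp_mint: [1; 32], lp_supply: 1_000, reserve: 10_000 },
     LpTokenAccount { mint: [9; 32], amount: 500 })
}

fn main() {
    let (mut pool, mut foreign) = sample();
    println!("unbound: {:?}", withdraw_unbound(&mut pool, &mut foreign, 500));
    let (mut pool, mut foreign) = sample();
    println!("bound:   {:?}", withdraw_bound(&mut pool, &mut foreign, 500));
}
```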
The Week’s Pattern: Dead Code, Live Money
June 2026 is producing a security taxonomy in real time. Humanity Protocol: compromised keys plus proxy admin takeover, $32 million, ZachXBT calling it possibly staged. Flooring Protocol: gas-optimization underflows invisible to auditors, blue-chip NFTs drained, white-hat rescue required. Raydium: deprecated contracts left live on-chain with a validation flaw, $1.34 million gone through code with no users. Decrypt grouped them correctly: a growing list of DeFi exploits and major vulnerability discoveries, some fueled by AI tools, landing in the same fortnight as the Zcash disclosure where an AI model found a four-year-old counterfeiting bug. The attackers have new tools and old targets. Every contract a protocol has ever deployed is still in scope, forever, whether the team remembers it or not.
[Figure: June 2026 Exploit Ledger: Three Attacks, Three Different Failures, all within ten days. Sources: Decrypt, Protos, CryptoTimes, crypto.news, PeckShield, CNB coverage.]
The Practical Part: A Security Checklist for Blue-Chip Holders
If you hold BAYC, CryptoPunks, or any high-value on-chain asset, this week’s events translate into specific actions. First, audit your approvals: use revoke.cash or Etherscan’s token approval checker and revoke every allowance you do not actively need, especially for protocols you used once in 2021, because as Raydium just demonstrated, old infrastructure does not die, it waits. Second, never deposit blue-chip NFTs into fractionalization or liquidity protocols without understanding that you are trading custody for yield; the Flooring victims whose apes Yuga rescued were earning marginal returns against catastrophic counterparty risk. Third, separate vault from hot wallet: high-value assets belong in a hardware wallet or multisig that has never signed a DeFi transaction, with a separate wallet for active protocol use.
Fourth, treat deprecated protocol announcements as exit deadlines, not suggestions; residual funds in retired pools are unguarded funds. Fifth, watch the alert accounts that caught every one of this week’s incidents within minutes: PeckShieldAlert, Specter, ZachXBT, and Blockaid all flagged these exploits before official confirmations. Following them is free insurance. And finally, the uncomfortable one: assume attackers are now running the same AI-assisted analysis that found the Zcash bug, against every contract you have ever interacted with. Security through obscurity ended this month. Security through hygiene is what remains.
Frequently Asked Questions
Are my funds on Raydium safe right now?
Current Raydium pools, including the CLMM and newer AMM versions, were not affected; the exploit only touched five pools deprecated in 2021 that were inaccessible through Raydium’s interface. Raydium has pledged full reimbursement from its treasury for any residual funds in the affected legacy pools. The practical takeaway for users is broader: if you ever provided liquidity to any protocol’s old version, check whether those positions still exist and withdraw them.
Why could the attacker still use Tornado Cash?
Tornado Cash was removed from the US Treasury’s sanctions list in March 2025 following court rulings, making the mixer legally accessible again, though using it to launder stolen funds remains criminal. PeckShield tracked roughly 810 ETH of the Raydium proceeds into Tornado Cash. The attacker’s initial funding through KuCoin is the investigative anchor: KYC records at the regulated exchange could provide attribution despite the mixing.
This article is for informational purposes only and does not constitute financial advice. Sources: Decrypt, Protos, CryptoTimes, crypto.news, CryptoBriefing, PeckShield, Specter, Raydium (0xINFRA) statements. Published June 12, 2026.

