Audit log

Every state-changing event for Raydium AMM: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-05-28 16:29:16Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 422,756,727

   sig

   3mZQtM2iutzx…mMDTNhm3copyexplorer ↗

   hash

   3xpeUvuZCGmu…ki37CWWdcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (17338 B) ▸

   {"actor":"system:backfill","investigation_id":"3bdbd8f5-9034-4441-abcc-78a0ea81e843","kind":"publish","page_slug":"raydium-amm","published_at":"2026-05-28T16:29:16.942Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Raydium AMM","sections":[{"content":"On December 16, 2022 at approximately 10:12 UTC, a malicious actor gained control of the Raydium Pool Owner (Admin) account and exploited eight constant product liquidity pools in the V4 AMM program. The attacker used two mechanisms: first, abusing the withdrawPNL instruction to drain accumulated protocol fees directly from pool vaults; second, using the SetParams instruction with AmmParams::SyncNeedTake to artificially inflate need_take_pc and need_take_coin balances without corresponding trading volume, then repeatedly withdrawing those inflated figures as fees. The primary exploiter wallet was AgJddDJLt17nHyXDCpyGELxwsZZQPqfUsuwzoiqVGJwD; the funding source was 5ndLnEYqSFiA5yUFHo6LVZ1eWc6Rhh11K5CfJNkoHEPs, later identified as a FixedFloat exchange wallet. Raydium's team attributed the private key compromise to a trojan program infecting the virtual machine on which the Pool Owner account was deployed, though no definitive forensic proof was published. Concentrated liquidity (CLMM) pools and the RAY staking program were not affected. At 14:16 UTC on the same day, Raydium deployed a patch revoking the compromised account's authority and updated smart contract ownership to a hardware wallet. On December 17, 2022, further updates removed the exploited admin parameters from the AMM V4 program and transferred remaining admin functions to a Squads multisig. CoinDesk reported that ZachXBT tracked the attacker bridging approximately $2 million of the stolen assets to Ethereum in real time during the incident.","heading":"December 2022 Admin Key Exploit","severity":"critical","sources":[{"credibility":1,"name":"Raydium Detailed Post-Mortem and Next Steps (Official Medium)","type":"official","url":"https://raydium.medium.com/detailed-post-mortem-and-next-steps-d6d6dd461c3e"},{"credibility":2,"name":"CertiK — Raydium Protocol Exploit Incident Analysis","type":"research","url":"https://www.certik.com/resources/blog/raydium-protocol-exploit-incident-analysis"},{"credibility":2,"name":"Raydium Protocol — hacker gains god mode access (HackMD writeup)","type":"community_report","url":"https://hackmd.io/@prastut/BkbKKIll2"},{"credibility":2,"name":"QuadrigaInitiative case study — Raydium Private Key Compromised","type":"research","url":"https://quadrigainitiative.com/casestudy/raydiumprivatekeycompromised.php"}]},{"content":"On January 19, 2023, the wallet tagged as 'Raydium Exploiter' (0xb98acc055e331a709a765569eb6854bb2f0c8282 on Ethereum) deposited a total of 1,774.5 ETH (approximately $2.7 million at the time) into Tornado Cash across 42 separate transactions. Tornado Cash had been placed on the U.S. Treasury Office of Foreign Assets Control (OFAC) sanctions list in November 2022, due to its alleged use by state-affiliated threat actors including North Korea-linked Lazarus Group. The deposit of exploit proceeds into a sanctioned protocol rendered recovery of those specific funds effectively impossible and raised questions about the identity and jurisdiction of the attacker. CoinDesk reported the transfers, confirming the wallet address via Etherscan transaction logs. No funds were ultimately returned to Raydium or affected users from this portion of the stolen assets.","heading":"Stolen Funds Laundered via Tornado Cash","severity":"critical","sources":[{"credibility":1,"name":"CoinDesk — Raydium Exchange Exploiter Sends $2.7M to Tornado Cash","type":"news_article","url":"https://www.coindesk.com/business/2023/01/19/raydium-exchange-exploiter-sends-27m-to-tornado-cash/"},{"credibility":2,"name":"CoinTelegraph — Raydium exploiter moves $2.7M to crypto mixer Tornado Cash","type":"news_article","url":"https://cointelegraph.com/news/raydium-exploiter-moves-2-7m-to-crypto-mixer-tornado-cash"},{"credibility":2,"name":"CryptoSlate — Raydium exploiter moves $2.7M to Tornado Cash","type":"news_article","url":"https://cryptoslate.com/raydium-exploiter-moves-2-7m-to-tornado-cash/"}]},{"content":"The December 2022 exploit exposed a fundamental centralization risk in Raydium's original architecture: a single Pool Owner account held authority to withdraw liquidity from multiple pools without requiring any multi-party authorization. Critics, including on-chain security analysts, noted at the time of the attack that the absence of a multisignature requirement for such privileged operations represented a significant design vulnerability. CertiK's post-mortem stated explicitly that 'one wallet was able to withdraw liquidity from multiple pools,' and characterized the incident as a consequence of protocols that 'are not fully decentralized' requiring accounts with access to 'critical network controls.' The team had originally deployed the admin key on an internal virtual machine rather than in hardware-secured cold storage with access controls. In the immediate aftermath, Raydium migrated admin authority to a hardware wallet (December 16) and then to a Squads multisig (December 17). As of 2025, Raydium updated program admin authority to Squads V4 with a 24-hour timelock.","heading":"Centralization Risk and Admin Key Architecture","severity":"high","sources":[{"credibility":2,"name":"CertiK — Raydium Protocol Exploit Incident Analysis","type":"research","url":"https://www.certik.com/resources/blog/raydium-protocol-exploit-incident-analysis"},{"credibility":1,"name":"Raydium Detailed Post-Mortem and Next Steps (Official Medium)","type":"official","url":"https://raydium.medium.com/detailed-post-mortem-and-next-steps-d6d6dd461c3e"},{"credibility":1,"name":"Raydium Security Docs","type":"official","url":"https://docs.raydium.io/raydium/protocol/security"}]},{"content":"Following a community governance vote that passed on December 30, 2022 with 5,598,814 approvals, Raydium implemented a phased compensation plan for affected liquidity providers. Pools containing RAY (RAY-USDC, RAY-SOL, RAY-USDT) were eligible for 100% principal recovery; six other pools (SOL-USDC, SOL-USDT, stSOL-USDC, whETH-USDC, and others) received 90% recovery in native assets plus the remaining 10% covered in RAY tokens at a 1:1.2 ratio (providing $1.20 in RAY per $1 of unrecovered loss). RAY pricing for compensation was calculated using a 30-day TWAP of $0.1813 (December 6, 2022 through January 3, 2023). Team-vested RAY tokens were used to fund the RAY-denominated portions of compensation. The claim portal opened January 5, 2023 and was extended through May 14, 2023 to accommodate third-party integrations including Francium and Tulip leveraged vault positions. The compensation plan did not achieve 100% recovery for all affected pools, and the non-RAY pool shortfall of 10% of principal was partially offset with bonus RAY rather than stablecoins.","heading":"User Compensation Program","severity":"medium","sources":[{"credibility":1,"name":"Raydium — Compensation Plan and Next Steps (Official Medium)","type":"official","url":"https://raydium.medium.com/compensation-plan-and-next-steps-367246a62277"},{"credibility":1,"name":"Raydium Docs — Claim Portal Archive","type":"official","url":"https://docs.raydium.io/raydium/updates/archive/claim-portal"},{"credibility":2,"name":"CoinTelegraph — Raydium announces details of hack, proposes compensation","type":"news_article","url":"https://cointelegraph.com/news/raydium-announces-details-of-hack-proposes-compensation-for-victims"}]},{"content":"On January 10, 2024, a whitehat researcher identified as @riproprip reported a critical vulnerability in Raydium's CLMM (concentrated liquidity) program via Immunefi. The vulnerability existed in the increase_liquidity.rs function and involved improper validation of the tickarray_bitmap_extension account. An attacker exploiting this flaw could have manipulated liquidity at arbitrary price points by flipping tick statuses, potentially enabling unauthorized liquidity drains from CLMM pools. Raydium patched the vulnerability promptly. The whitehat was awarded a $505,000 bounty in RAY tokens, the maximum payout under Raydium's Immunefi program. No funds were lost as a result of this vulnerability.","heading":"January 2024 CLMM Tick Manipulation Vulnerability","severity":"high","sources":[{"credibility":2,"name":"Immunefi — Raydium Tick Manipulation Bugfix Review","type":"research","url":"https://immunefi.com/blog/bug-fix-reviews/raydium-tick-manipulation-bugfix-review/"},{"credibility":2,"name":"Immunefi Medium — Raydium Tick Manipulation Bugfix Review","type":"research","url":"https://medium.com/immunefi/raydium-tick-manipulation-bugfix-review-c6aae4527ed6"}]},{"content":"Raydium was founded by a pseudonymous team using the pseudonyms AlphaRay (strategy), XRay (technology), and GammaRay (marketing), with additional core contributors known as StingRay and RayZor. The team has stated publicly that they come from an algorithmic trading background in commodities, transitioning to crypto market-making around 2017, but no real identities have been publicly confirmed. The use of fully anonymous founding teams is a recognized risk factor in the DeFi space, as it limits accountability in the event of negligent key management, rug pulls, or regulatory action. In Raydium's case, the anonymity of the team meant that the December 2022 exploit investigation could not involve external identity verification of responsible parties. Governance over protocol parameters is conducted through RAY token holder votes and, since December 2022, through the Squads multisig for smart contract upgrades.","heading":"Team Anonymity and Governance","severity":"medium","sources":[{"credibility":2,"name":"BeinCrypto — What Is Raydium (RAY)?","type":"news_article","url":"https://beincrypto.com/learn/raydium-ray/"},{"credibility":3,"name":"IQ.wiki — AlphaRay","type":"other","url":"https://iq.wiki/wiki/alpharay"},{"credibility":2,"name":"TokenInsight — Raydium Team and Founder","type":"research","url":"https://tokeninsight.com/en/coins/raydium/team"}]},{"content":"Following the December 2022 exploit, Raydium undertook a series of documented security upgrades. The AMM V4 program was patched to remove the five admin parameters that had been exploited, including the SetParams and withdrawPNL vectors. OtterSec conducted audits of the updated AMM, the CLMM program, and the staking program in late 2022 and early 2023. MadShield audited the OpenBook integration (Q2 2023) and the CPMM (constant product market maker) in Q1 2024. A bug bounty program via Immunefi offers up to $505,000 for critical findings. As of 2025–2026, Raydium remains one of the largest DEX protocols on Solana by TVL (reported at approximately $1–2.5 billion depending on timeframe) and daily trading volume. Coinbase discontinued RAY perpetual futures in April 2026 as part of a broader 25-product review, though spot trading of RAY continued. The protocol's program admin authority has been migrated to Squads V4 with a 24-hour timelock as an additional safeguard against single-key compromise.","heading":"Security Improvements and Current Status","severity":"low","sources":[{"credibility":1,"name":"Raydium Security Docs","type":"official","url":"https://docs.raydium.io/raydium/protocol/security"},{"credibility":1,"name":"Raydium Bug Bounty — Immunefi","type":"official","url":"https://immunefi.com/bug-bounty/raydium/"},{"credibility":2,"name":"AMBCrypto — What is Raydium and is It Safe to Use in 2025?","type":"news_article","url":"https://ambcrypto.com/blog/what-is-raydium-and-is-it-safe-to-use-in-2025/"},{"credibility":2,"name":"DeFiLlama — Raydium TVL","type":"on_chain","url":"https://defillama.com/protocol/raydium"}]}],"sources_used":[{"credibility":1,"name":"Raydium Official Post-Mortem (Medium)","type":"official","url":"https://raydium.medium.com/detailed-post-mortem-and-next-steps-d6d6dd461c3e"},{"credibility":1,"name":"CoinDesk — Raydium Exploiter Sends $2.7M to Tornado Cash","type":"news_article","url":"https://www.coindesk.com/business/2023/01/19/raydium-exchange-exploiter-sends-27m-to-tornado-cash/"},{"credibility":2,"name":"CertiK — Raydium Protocol Exploit Incident Analysis","type":"research","url":"https://www.certik.com/resources/blog/raydium-protocol-exploit-incident-analysis"},{"credibility":2,"name":"CoinTelegraph — Raydium announces details of hack, proposes compensation","type":"news_article","url":"https://cointelegraph.com/news/raydium-announces-details-of-hack-proposes-compensation-for-victims"},{"credibility":1,"name":"Raydium Compensation Plan (Medium)","type":"official","url":"https://raydium.medium.com/compensation-plan-and-next-steps-367246a62277"},{"credibility":1,"name":"Raydium Docs — Security","type":"official","url":"https://docs.raydium.io/raydium/protocol/security"},{"credibility":1,"name":"Raydium Docs — Claim Portal Archive","type":"official","url":"https://docs.raydium.io/raydium/updates/archive/claim-portal"},{"credibility":2,"name":"Immunefi — Raydium Tick Manipulation Bugfix Review","type":"research","url":"https://immunefi.com/blog/bug-fix-reviews/raydium-tick-manipulation-bugfix-review/"},{"credibility":2,"name":"DeFiLlama — Raydium TVL","type":"on_chain","url":"https://defillama.com/protocol/raydium"},{"credibility":1,"name":"Immunefi — Raydium Bug Bounty","type":"official","url":"https://immunefi.com/bug-bounty/raydium/"},{"credibility":2,"name":"HackMD — Raydium Protocol exploit writeup","type":"community_report","url":"https://hackmd.io/@prastut/BkbKKIll2"},{"credibility":2,"name":"CryptoSlate — Raydium exploiter moves $2.7M to Tornado Cash","type":"news_article","url":"https://cryptoslate.com/raydium-exploiter-moves-2-7m-to-tornado-cash/"},{"credibility":2,"name":"BeinCrypto — What Is Raydium (RAY)?","type":"news_article","url":"https://beincrypto.com/learn/raydium-ray/"},{"credibility":2,"name":"QuadrigaInitiative — Raydium Private Key Compromised Case Study","type":"research","url":"https://quadrigainitiative.com/casestudy/raydiumprivatekeycompromised.php"}],"summary":"Raydium is a leading Solana-based automated market maker (AMM) and decentralized exchange (DEX) launched in February 2021 by a pseudonymous team. On December 16, 2022, a compromise of the protocol's admin private key enabled an attacker to drain approximately $4.4 million from eight liquidity pools; the stolen funds were subsequently laundered through Tornado Cash in January 2023. The team implemented a phased compensation plan and post-incident security upgrades, including migration of admin authority to a Squads multisig, but the incident exposed significant centralization risks that were not apparent prior to the exploit.","timeline":[{"date":"2021-02-01","event":"Raydium AMM launched on Solana mainnet by pseudonymous founding team (AlphaRay, XRay, GammaRay).","source":"BeinCrypto","source_url":"https://beincrypto.com/learn/raydium-ray/"},{"date":"2022-12-16","event":"Admin private key compromised, likely via trojan malware. Attacker drains ~$4.4M from eight AMM V4 liquidity pools using withdrawPNL and SetParams exploits. Patch deployed at 14:16 UTC same day.","source":"Raydium Official Post-Mortem","source_url":"https://raydium.medium.com/detailed-post-mortem-and-next-steps-d6d6dd461c3e"},{"date":"2022-12-17","event":"Raydium removes exploited admin parameters from AMM V4 program and transfers remaining admin authority to Squads multisig.","source":"Raydium Official Post-Mortem","source_url":"https://raydium.medium.com/detailed-post-mortem-and-next-steps-d6d6dd461c3e"},{"date":"2022-12-30","event":"DAO governance vote passes (5,598,814 approvals) authorizing compensation plan using DAO treasury and team-vested RAY tokens.","source":"CertiK Exploit Analysis","source_url":"https://www.certik.com/resources/blog/raydium-protocol-exploit-incident-analysis"},{"date":"2023-01-05","event":"Compensation claim portal opens for Phase 1 affected liquidity providers.","source":"Raydium Compensation Plan","source_url":"https://raydium.medium.com/compensation-plan-and-next-steps-367246a62277"},{"date":"2023-01-19","event":"Raydium exploiter deposits 1,774.5 ETH (~$2.7M) into sanctioned mixer Tornado Cash across 42 transactions, effectively laundering the stolen funds.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2023/01/19/raydium-exchange-exploiter-sends-27m-to-tornado-cash/"},{"date":"2023-05-14","event":"Final extension of compensation claim portal closes. Compensation process concluded.","source":"Raydium Docs — Claim Portal","source_url":"https://docs.raydium.io/raydium/updates/archive/claim-portal"},{"date":"2024-01-10","event":"Whitehat @riproprip discloses critical tick manipulation vulnerability in Raydium CLMM via Immunefi. No funds lost. $505,000 RAY bounty awarded.","source":"Immunefi Bugfix Review","source_url":"https://immunefi.com/blog/bug-fix-reviews/raydium-tick-manipulation-bugfix-review/"},{"date":"2026-04-21","event":"Coinbase discontinues RAY perpetual futures contracts as part of a 25-product review; RAY spot trading unaffected.","source":"CoinMarketCap Latest Updates","source_url":"https://coinmarketcap.com/cmc-ai/raydium/latest-updates/"}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision b2da0233-2d07-41dd-a20e-1953688b3ba1copy
2. #2reviewby reviewerreviewer

   2026-06-14 23:16:06Z
   Score: 45 → 45 (no score change)
   Blue-chip calibration review (Prompt A). Verdict: over-penalized. Page content is treated as accurate; the trust_score band is miscalibrated. Raydium is a legitimate, multi-year-operating DeFi protocol — the largest AMM on Solana by volume — that suffered an external hack in December 2022 when a trojan virus compromised an admin private key on a virtual machine. The incident was caused by an outside attacker, not by protocol fraud or insider misconduct. Raydium responded within hours (multisig migration December 17), executed full LP compensation (claim portal January–May 2023), upgraded the AMM program to remove the vulnerable admin parameters, and maintained a live Immunefi bug bounty program that successfully caught a critical CLMM vulnerability in January 2024 with no funds lost. As of Q2 2025 the protocol holds $1.8B+ TVL and $51.9B quarterly volume. The current WARNING band (score 45) is inconsistent with the page's own text, which documents thorough remediation and continued legitimate operation. Under post-policy semantics, WARNING is reserved for entities with elevated fraud/loss risk or unresolved severe incidents; here the December 2022 incident is fully resolved with compensation paid and security architecture improved. The appropriate band is CAUTIONARY (50–69), acknowledging the historical hack, pseudonymous team structure, and a newly-emerged June 2026 legacy V3 exploit ($1.34M, covered by treasury) as material but non-fraudulent caveats. A score of 62 reflects legitimate operation with documented historical incidents that are substantially resolved.
   anchoranchored

   chain

   ●mainnet-betaslot 426,514,636

   sig

   21gnfgxbC6gM…xZLvnc2pcopyexplorer ↗

   hash

   AQYFBujkhH9G…bXGBef9rcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (1938 B) ▸

   {"actor":"reviewer","decided_at":"2026-06-14T23:16:06.214Z","decision":"review","investigation_id":"3bdbd8f5-9034-4441-abcc-78a0ea81e843","new_score":45,"page_slug":"raydium-amm","prev_score":45,"reason":"Blue-chip calibration review (Prompt A). Verdict: over-penalized. Page content is treated as accurate; the trust_score band is miscalibrated. Raydium is a legitimate, multi-year-operating DeFi protocol — the largest AMM on Solana by volume — that suffered an external hack in December 2022 when a trojan virus compromised an admin private key on a virtual machine. The incident was caused by an outside attacker, not by protocol fraud or insider misconduct. Raydium responded within hours (multisig migration December 17), executed full LP compensation (claim portal January–May 2023), upgraded the AMM program to remove the vulnerable admin parameters, and maintained a live Immunefi bug bounty program that successfully caught a critical CLMM vulnerability in January 2024 with no funds lost. As of Q2 2025 the protocol holds $1.8B+ TVL and $51.9B quarterly volume. The current WARNING band (score 45) is inconsistent with the page's own text, which documents thorough remediation and continued legitimate operation. Under post-policy semantics, WARNING is reserved for entities with elevated fraud/loss risk or unresolved severe incidents; here the December 2022 incident is fully resolved with compensation paid and security architecture improved. The appropriate band is CAUTIONARY (50–69), acknowledging the historical hack, pseudonymous team structure, and a newly-emerged June 2026 legacy V3 exploit ($1.34M, covered by treasury) as material but non-fraudulent caveats. A score of 62 reflects legitimate operation with documented historical incidents that are substantially resolved.","score_delta":0,"sequence_num":2,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 18efaaaf-3ab2-4406-b83a-8677efa3fde3copy
3. #3review approveby judgejudge

   2026-06-14 23:16:06Z
   Score: 45 → 62 (+17)
   This is a severity-calibration review, not a factual dispute review. All six claim findings (claim_findings[0]–[5]) are supported; disputed_pct is 0%. The reviewer (confidence 0.88) confirms Raydium is a legitimate, multi-year-operating DeFi protocol — the largest AMM on Solana — that suffered an external hack in December 2022 caused by third-party malware compromising an admin VM key, not by protocol fraud or insider misconduct. The protocol responded with a multisig migration the following day, executed full LP compensation through a DAO governance vote by May 2023, removed the vulnerable admin parameters from AMM V4, and has maintained an active Immunefi bug bounty program that caught a critical vulnerability in January 2024 with zero funds lost. The current WARNING band (score 45) is inconsistent with this documented remediation and continued legitimate operation at $1.8B+ TVL. A positive score delta of +17 is warranted to move the score to 62 (CAUTIONARY), which appropriately acknowledges the historical hack, pseudonymous team structure, and a recently-emerged legacy V3 exploit as material but resolved or non-fraudulent factors. The page content is accurate and must remain published.
   anchoranchored

   chain

   ●mainnet-betaslot 426,514,638

   sig

   GSbkVviyHq1B…yHyY7kEncopyexplorer ↗

   hash

   CHNyVEdU6SBr…vEHNBnfFcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (1560 B) ▸

   {"actor":"judge","decided_at":"2026-06-14T23:16:06.214Z","decision":"review_approve","investigation_id":"3bdbd8f5-9034-4441-abcc-78a0ea81e843","new_score":62,"page_slug":"raydium-amm","prev_score":45,"reason":"This is a severity-calibration review, not a factual dispute review. All six claim findings (claim_findings[0]–[5]) are supported; disputed_pct is 0%. The reviewer (confidence 0.88) confirms Raydium is a legitimate, multi-year-operating DeFi protocol — the largest AMM on Solana — that suffered an external hack in December 2022 caused by third-party malware compromising an admin VM key, not by protocol fraud or insider misconduct. The protocol responded with a multisig migration the following day, executed full LP compensation through a DAO governance vote by May 2023, removed the vulnerable admin parameters from AMM V4, and has maintained an active Immunefi bug bounty program that caught a critical vulnerability in January 2024 with zero funds lost. The current WARNING band (score 45) is inconsistent with this documented remediation and continued legitimate operation at $1.8B+ TVL. A positive score delta of +17 is warranted to move the score to 62 (CAUTIONARY), which appropriately acknowledges the historical hack, pseudonymous team structure, and a recently-emerged legacy V3 exploit as material but resolved or non-fraudulent factors. The page content is accurate and must remain published.","score_delta":17,"sequence_num":3,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 204468cf-c552-430d-a1ff-a50c15af548bcopy