Verify a decision
Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.
How verification works
- We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
- We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
- You compare three values: the database hash, your independently recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is
AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>
Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
Decision
publish · Raydium Protocol
- Sequence: #1
- Score: →
- Cluster: mainnet-beta
- Slot: 423640416
- Off-chain at: 2026-06-01T17:49:01.820Z
- Anchored at: —
- Block time: —
Independent verification
- 1. Database (off-chain): 7H4WHJrkyGkqEHNTCmfTDfUBwSN9cEb3jjqPox6kHNx8
- 2. Recomputed (your browser): computing…
- 3. On-chain (Solana memo): fetching…
Canonical bytes hashed (20048 chars)
{"actor":"system:backfill","investigation_id":"ef74b3d0-4fed-4f79-a9d6-19255b26afae","kind":"publish","page_slug":"raydium","published_at":"2026-06-01T17:49:01.750Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Raydium Protocol","sections":[{"content":"Raydium launched in February 2021 as the first automated market maker on Solana, integrating with the Serum central limit order book to route liquidity. As of Q3 2025, the protocol held approximately $2.5 billion in total value locked (TVL), representing a 35% quarter-over-quarter increase from $1.8 billion at the start of July 2025 and confirming its position as the largest liquidity hub on Solana. The protocol supports token swaps, liquidity provision, staking, and a memecoin launchpad (LaunchLab, launched April 2025). In Q1 2026, Raydium reported net revenue of $5.79 million. The RAY governance and fee-sharing token trades at approximately $0.72 USD as of mid-2026, with a market capitalization near $192 million.","heading":"Protocol Overview","severity":"low","sources":[{"credibility":2,"name":"Raydium Token Holder Report Q3 2025 — Blockworks","type":"news_article","url":"https://blockworks.com/news/raydium-token-holder-report"},{"credibility":2,"name":"Raydium TVL, Fees, Revenue & Volume — DefiLlama","type":"on_chain","url":"https://defillama.com/protocol/raydium"},{"credibility":2,"name":"Raydium Price Today — CoinGecko","type":"other","url":"https://www.coingecko.com/en/coins/raydium"}]},{"content":"On December 16, 2022, at approximately 10:12 UTC, an attacker gained unauthorized access to Raydium's privileged Pool Owner (Admin) account (address HggGrUeg4ReGvpPMLJMFKV69NTXL1r4wQ9Pk9Ljutwyv). Raydium's post-mortem states the compromise is suspected to have occurred via remote access to the virtual machine or internal server on which the key was deployed, with a trojan program identified as the likely vector. 
Using control of the admin key, the attacker invoked the withdrawPNL instruction after first manipulating pool state via SetParams with the AmmParams::SyncNeedTake parameter. This inflated the recorded fee balances (need_take_pc and need_take_coin) without any corresponding trading activity, allowing the attacker to repeatedly withdraw funds disguised as protocol fees across approximately 1,000 transactions. Eight constant product liquidity pools were affected; concentrated liquidity pools and the RAY staking program were not compromised. Total losses were confirmed by Raydium at approximately $4.4 million, spanning SOL, USDC, USDT, RAY, wSOL, stSOL, whETH, and other tokens. The RAY token price fell roughly 8% and total value locked dropped approximately 27% in the immediate aftermath.","heading":"December 2022 Admin Key Compromise and Exploit","severity":"critical","sources":[{"credibility":1,"name":"Raydium Detailed Post-Mortem and Next Steps — Raydium Medium","type":"official","url":"https://raydium.medium.com/detailed-post-mortem-and-next-steps-d6d6dd461c3e"},{"credibility":2,"name":"Raydium Protocol Exploit Incident Analysis — CertiK","type":"research","url":"https://www.certik.com/resources/blog/raydium-protocol-exploit-incident-analysis"},{"credibility":2,"name":"Raydium Protocol — Hacker Gains God Mode Access to Steal ~$4.4M — HackMD","type":"research","url":"https://hackmd.io/@prastut/BkbKKIll2"},{"credibility":3,"name":"Dec 2022 — Raydium Private Key Compromised — Quadriga Initiative","type":"community_report","url":"https://quadrigainitiative.com/casestudy/raydiumprivatekeycompromised.php"}]},{"content":"Following the exploit, the attacker bridged a significant portion of the stolen assets from Solana to Ethereum, converting them to ETH. On approximately January 19, 2023, roughly 1,774.5 ETH (valued at approximately $2.7 million at the time) was deposited into the Tornado Cash mixing service, substantially hindering on-chain traceability. 
Approximately 100,000 SOL (worth approximately $1.4 million) remained in the attacker's Solana address as of reporting. Raydium offered a 10% bounty in exchange for the return of funds, but no public record of the attacker responding to or accepting this offer has been identified.","heading":"Attacker Fund Movements","severity":"high","sources":[{"credibility":1,"name":"Raydium Hacker Funnels $2.7 Million Through Tornado Cash — The Block","type":"news_article","url":"https://www.theblock.co/post/203732/raydium-hacker-funnels-2-7-million-through-tornado-cash-mixer"},{"credibility":2,"name":"Raydium Attacker Moves $2.7 Million Stolen ETH to Tornado Cash — CryptoNews","type":"news_article","url":"https://cryptonews.net/news/security/19501485/"}]},{"content":"Within approximately four hours of the exploit beginning, at 14:16 UTC on December 16, 2022, Raydium deployed a hot patch that revoked the authority of the compromised admin account and transferred control to a new account held on a hardware wallet, preventing any further unauthorized pool withdrawals. On December 17, 2022, the team upgraded the AMM V4 program via multisig to remove the dangerous admin parameters that had been exploited, specifically the SyncNeedTake and SetLpSupply parameters. 
Raydium subsequently disclosed the attack on its public channels and provided a detailed post-mortem on its Medium account describing the technical mechanism.","heading":"Incident Response and Immediate Remediation","severity":"medium","sources":[{"credibility":1,"name":"Raydium Detailed Post-Mortem and Next Steps — Raydium Medium","type":"official","url":"https://raydium.medium.com/detailed-post-mortem-and-next-steps-d6d6dd461c3e"},{"credibility":2,"name":"Solana DEX Raydium Shares Next Steps After $4.4M Exploit — Unchained Crypto","type":"news_article","url":"https://unchainedcrypto.com/solana-dex-raydium-shares-next-steps-after-4-4m-exploit/"}]},{"content":"On December 21, 2022, Raydium developers published a forum post proposing victim compensation and solicited community input. The community voted in favor of the plan, and Raydium announced a two-phase distribution structure. Phase 1 targeted individual liquidity providers and opened via a Claim Portal on January 5, 2023. For RAY-USDC, RAY-SOL, and RAY-USDT pools, affected LPs received 100% of lost principal. For SOL-USDC, SOL-USDT, stSOL-USDC, and whETH-USDC pools, LPs received 90% of principal plus RAY tokens at a 1:1.2 ratio to cover the remaining 10%. Phase 2 addressed third-party protocols, including Francium and Tulip positions. The RAY token valuation used for compensation was set at the 30-day time-weighted average price (TWAP) from CoinMarketCap for December 6, 2022 to January 3, 2023, at $0.1813. Compensation funds were sourced from vested team-held RAY tokens. 
The Claim Portal was extended multiple times, with a final deadline of May 14, 2023.","heading":"Victim Compensation Plan","severity":"medium","sources":[{"credibility":1,"name":"Compensation Plan and Next Steps — Raydium Medium","type":"official","url":"https://raydium.medium.com/compensation-plan-and-next-steps-367246a62277"},{"credibility":1,"name":"Raydium Announces Details of Hack, Proposes Compensation for Victims — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/raydium-announces-details-of-hack-proposes-compensation-for-victims"},{"credibility":1,"name":"Claim Portal Archive — Raydium Docs","type":"official","url":"https://docs.raydium.io/raydium/updates/archive/claim-portal"},{"credibility":1,"name":"Transparency on Exploit Compensation Funds — Raydium Docs","type":"official","url":"https://docs.raydium.io/raydium/updates/archive/transparency-on-exploit-compensation-funds"}]},{"content":"Following the exploit, Raydium implemented a series of structural security upgrades. All program upgrade and admin authority was placed under a Squads multisig governance structure, requiring multiple signers for any privileged on-chain action. Raydium subsequently updated to Squads V4, adding a 24-hour timelock on program upgrades and enforcing additional safeguards including air-gapped machines, time-based one-time passwords (TOTP), physical security keys, and local transaction simulation before signing. The dangerous admin parameters exploited in the attack (SyncNeedTake, SetLpSupply) were removed from the AMM V4 program entirely. Third-party security audits were conducted by OtterSec across multiple programs in 2022–2023, including a December 2022 AMM V3 audit, a November 2022 AMM V4 audit, and a June 2022 staking program audit. Additional audits by Mad Shield were conducted in June 2023 and March 2024. 
A bug bounty program is also maintained.","heading":"Post-Exploit Security Improvements","severity":"low","sources":[{"credibility":1,"name":"Raydium Protocol Security — Raydium Docs","type":"official","url":"https://docs.raydium.io/raydium/protocol/security"},{"credibility":2,"name":"Raydium AMM V3 Audit — OtterSec","type":"research","url":"https://resources.cryptocompare.com/asset-management/223/1754648634232.pdf"},{"credibility":1,"name":"Bug Bounty Program — Raydium Docs","type":"official","url":"https://docs.raydium.io/raydium/protocol/bug-bounty-program"}]},{"content":"Raydium was founded by three pseudonymous individuals using the handles AlphaRay (strategy and operations), XRay (technology and infrastructure), and GammaRay (marketing and communications). None of the founders have disclosed their legal identities publicly. The founding team described having backgrounds in algorithmic and high-frequency trading in both traditional and cryptocurrency markets prior to launching the protocol. A pseudonymous or anonymous founding team is generally considered a risk signal in the context of protocol accountability, as it limits the ability to assign legal or reputational responsibility in the event of future incidents. Governance involves the RAY token and community forum discussions, with program upgrades subject to multisig approval.","heading":"Pseudonymous Team and Governance","severity":"medium","sources":[{"credibility":2,"name":"AlphaRay — IQ.wiki","type":"other","url":"https://iq.wiki/wiki/alpharay"},{"credibility":2,"name":"What Is Raydium (RAY)? 
— BeInCrypto","type":"news_article","url":"https://beincrypto.com/learn/raydium-ray/"},{"credibility":2,"name":"DeFi Project Spotlight: Raydium — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/defi-project-spotlight-raydium-solanas-top-automated-market-maker/"}]},{"content":"In March 2025, Pump.fun — previously a significant source of trading volume routed through Raydium — launched its own decentralized exchange, PumpSwap, in direct competition with Raydium. By the end of 2024, nearly half of Raydium's approximately $154 million in annual revenue was attributable to Pump.fun-generated activity. Raydium responded in April 2025 by launching LaunchLab, its own memecoin token launchpad designed to compete with Pump.fun's core business. LaunchLab generated $12.7 million in Q3 2025, rising to 53% of total protocol revenue. Raydium also restricts access from users in the United States, United Kingdom, and 18 other jurisdictions. The protocol's market share within Solana's DEX ecosystem has fluctuated amid intensifying competition, contracting from 23.5% to 10.5% within Q3 2025 as new entrants emerged.","heading":"Competitive Landscape and Ongoing Risks","severity":"medium","sources":[{"credibility":1,"name":"Pump.fun Launches Own DEX, Dropping Raydium — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/pump-fun-launches-own-dex-dropping-raydium"},{"credibility":2,"name":"Raydium's Share of Memecoin Volume Surges in Q1 but Pump.fun's DEX Poses Risk — Crypto.news","type":"news_article","url":"https://crypto.news/raydiums-share-of-memecoin-volume-surges-in-q1-but-pump-funs-dex-poses-risk/"},{"credibility":2,"name":"Raydium Token Holder Report Q3 2025 — Blockworks","type":"news_article","url":"https://blockworks.com/news/raydium-token-holder-report"}]}],"sources_used":[{"name":"Raydium Detailed Post-Mortem and Next Steps — Raydium 
Medium","type":"official","url":"https://raydium.medium.com/detailed-post-mortem-and-next-steps-d6d6dd461c3e"},{"name":"Compensation Plan and Next Steps — Raydium Medium","type":"official","url":"https://raydium.medium.com/compensation-plan-and-next-steps-367246a62277"},{"name":"Raydium Protocol Exploit Incident Analysis — CertiK","type":"research","url":"https://www.certik.com/resources/blog/raydium-protocol-exploit-incident-analysis"},{"name":"Raydium Hacker Funnels $2.7 Million Through Tornado Cash — The Block","type":"news_article","url":"https://www.theblock.co/post/203732/raydium-hacker-funnels-2-7-million-through-tornado-cash-mixer"},{"name":"Raydium Announces Details of Hack, Proposes Compensation for Victims — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/raydium-announces-details-of-hack-proposes-compensation-for-victims"},{"name":"Solana DEX Raydium Shares Next Steps After $4.4M Exploit — Unchained Crypto","type":"news_article","url":"https://unchainedcrypto.com/solana-dex-raydium-shares-next-steps-after-4-4m-exploit/"},{"name":"Raydium Protocol — Hacker Gains God Mode Access — HackMD","type":"research","url":"https://hackmd.io/@prastut/BkbKKIll2"},{"name":"Raydium Token Holder Report Q3 2025 — Blockworks","type":"news_article","url":"https://blockworks.com/news/raydium-token-holder-report"},{"name":"Pump.fun Launches Own DEX, Dropping Raydium — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/pump-fun-launches-own-dex-dropping-raydium"},{"name":"Raydium TVL, Fees, Revenue & Volume — DefiLlama","type":"on_chain","url":"https://defillama.com/protocol/raydium"},{"name":"Claim Portal Archive — Raydium Docs","type":"official","url":"https://docs.raydium.io/raydium/updates/archive/claim-portal"},{"name":"Transparency on Exploit Compensation Funds — Raydium Docs","type":"official","url":"https://docs.raydium.io/raydium/updates/archive/transparency-on-exploit-compensation-funds"},{"name":"Raydium Protocol 
Security — Raydium Docs","type":"official","url":"https://docs.raydium.io/raydium/protocol/security"},{"name":"AlphaRay — IQ.wiki","type":"other","url":"https://iq.wiki/wiki/alpharay"},{"name":"Raydium — CertiK Skynet Project Insight","type":"research","url":"https://skynet.certik.com/projects/raydium"},{"name":"Raydium Price Today — CoinGecko","type":"other","url":"https://www.coingecko.com/en/coins/raydium"},{"name":"Raydium Fires Back at Pump.fun With LaunchLab — DeFi Planet","type":"news_article","url":"https://defi-planet.com/2025/04/raydium-fires-back-at-pump-fun-with-launch-of-memecoin-protocol-launchlab/"}],"summary":"Raydium is an automated market maker (AMM) and decentralized exchange built on the Solana blockchain, launched in February 2021 and widely regarded as Solana's primary liquidity hub. On December 16, 2022, the protocol suffered a major security incident in which an attacker compromised an admin private key — suspected to be via a trojan on a team virtual machine — and drained approximately $4.4 million from eight constant product liquidity pools. 
Raydium responded with a patched program, a community-approved compensation plan funded by team-held RAY tokens, and has since migrated authority to a Squads multisig with hardware wallet and timelock protections.","timeline":[{"date":"2021-02-01","event":"Raydium Protocol launches on Solana as the first AMM integrated with the Serum order book.","source":"Raydium / BeInCrypto","source_url":"https://beincrypto.com/learn/raydium-ray/"},{"date":"2022-06-01","event":"OtterSec conducts a security audit of the Raydium staking program.","source":"OtterSec / Raydium Docs","source_url":"https://docs.raydium.io/raydium/protocol/security"},{"date":"2022-11-01","event":"OtterSec conducts a security audit of the Raydium AMM V4 program.","source":"OtterSec / Raydium Docs","source_url":"https://docs.raydium.io/raydium/protocol/security"},{"date":"2022-12-01","event":"OtterSec conducts a security audit of the Raydium AMM V3 (concentrated liquidity) program.","source":"OtterSec audit report","source_url":"https://resources.cryptocompare.com/asset-management/223/1754648634232.pdf"},{"date":"2022-12-16","event":"Admin key compromise: attacker uses trojan-obtained private key to drain approximately $4.4 million from eight constant product liquidity pools via the withdrawPNL instruction. 
RAY token drops ~8%; TVL falls ~27%.","source":"Raydium Post-Mortem (Medium)","source_url":"https://raydium.medium.com/detailed-post-mortem-and-next-steps-d6d6dd461c3e"},{"date":"2022-12-16","event":"Raydium deploys hot patch at 14:16 UTC, revoking compromised account authority and transferring control to a hardware wallet.","source":"Raydium Post-Mortem (Medium)","source_url":"https://raydium.medium.com/detailed-post-mortem-and-next-steps-d6d6dd461c3e"},{"date":"2022-12-17","event":"Raydium upgrades the AMM V4 program via multisig, removing the SyncNeedTake and SetLpSupply admin parameters that were exploited.","source":"Raydium Post-Mortem (Medium)","source_url":"https://raydium.medium.com/detailed-post-mortem-and-next-steps-d6d6dd461c3e"},{"date":"2022-12-21","event":"Raydium publishes community forum post proposing a compensation plan for affected liquidity providers, funded by team-held RAY tokens.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/raydium-announces-details-of-hack-proposes-compensation-for-victims"},{"date":"2022-12-30","event":"DAO proposal for victim compensation passes community vote.","source":"CertiK Incident Analysis","source_url":"https://www.certik.com/resources/blog/raydium-protocol-exploit-incident-analysis"},{"date":"2023-01-04","event":"Raydium announces final compensation plan details including phase structure and RAY TWAP valuation of $0.1813.","source":"Raydium Medium (Compensation Plan)","source_url":"https://raydium.medium.com/compensation-plan-and-next-steps-367246a62277"},{"date":"2023-01-05","event":"Phase 1 Claim Portal opens for individual LP positions.","source":"Raydium Docs — Claim Portal Archive","source_url":"https://docs.raydium.io/raydium/updates/archive/claim-portal"},{"date":"2023-01-19","event":"Attacker deposits approximately 1,774.5 ETH (~$2.7 million) into Tornado Cash mixer, obscuring on-chain traceability of stolen funds.","source":"The 
Block","source_url":"https://www.theblock.co/post/203732/raydium-hacker-funnels-2-7-million-through-tornado-cash-mixer"},{"date":"2023-05-14","event":"Raydium Claim Portal closes; unclaimed compensation funds return to the Raydium Treasury.","source":"Raydium Docs — Claim Portal Archive","source_url":"https://docs.raydium.io/raydium/updates/archive/claim-portal"},{"date":"2023-06-01","event":"Mad Shield conducts security audit of Raydium AMM program.","source":"Raydium Docs — Security","source_url":"https://docs.raydium.io/raydium/protocol/security"},{"date":"2024-03-01","event":"Mad Shield conducts security audit of Raydium Constant Product AMM program.","source":"Raydium Docs — Security","source_url":"https://docs.raydium.io/raydium/protocol/security"},{"date":"2025-03-01","event":"Pump.fun launches PumpSwap, a competing DEX on Solana, severing its routing relationship with Raydium and threatening a major share of Raydium's revenue.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/pump-fun-launches-own-dex-dropping-raydium"},{"date":"2025-04-01","event":"Raydium launches LaunchLab, a competing memecoin launchpad, in response to PumpSwap.","source":"DeFi Planet","source_url":"https://defi-planet.com/2025/04/raydium-fires-back-at-pump-fun-with-launch-of-memecoin-protocol-launchlab/"},{"date":"2025-09-30","event":"Raydium reports $2.5 billion TVL at end of Q3 2025, up 35% quarter-over-quarter. LaunchLab accounts for 53% of total revenue at $12.7 million for the quarter.","source":"Blockworks — Raydium Token Holder Report Q3 2025","source_url":"https://blockworks.com/news/raydium-token-holder-report"}]},"v":1}