Verify a decision

{"actor":"system:backfill","investigation_id":"3bdbd8f5-9034-4441-abcc-78a0ea81e843","kind":"publish","page_slug":"raydium-amm","published_at":"2026-05-28T16:29:16.942Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Raydium AMM","sections":[{"content":"On December 16, 2022 at approximately 10:12 UTC, a malicious actor gained control of the Raydium Pool Owner (Admin) account and exploited eight constant product liquidity pools in the V4 AMM program. The attacker used two mechanisms: first, abusing the withdrawPNL instruction to drain accumulated protocol fees directly from pool vaults; second, using the SetParams instruction with AmmParams::SyncNeedTake to artificially inflate need_take_pc and need_take_coin balances without corresponding trading volume, then repeatedly withdrawing those inflated figures as fees. The primary exploiter wallet was AgJddDJLt17nHyXDCpyGELxwsZZQPqfUsuwzoiqVGJwD; the funding source was 5ndLnEYqSFiA5yUFHo6LVZ1eWc6Rhh11K5CfJNkoHEPs, later identified as a FixedFloat exchange wallet. Raydium's team attributed the private key compromise to a trojan program infecting the virtual machine on which the Pool Owner account was deployed, though no definitive forensic proof was published. Concentrated liquidity (CLMM) pools and the RAY staking program were not affected. At 14:16 UTC on the same day, Raydium deployed a patch revoking the compromised account's authority and updated smart contract ownership to a hardware wallet. On December 17, 2022, further updates removed the exploited admin parameters from the AMM V4 program and transferred remaining admin functions to a Squads multisig. CoinDesk reported that ZachXBT tracked the attacker bridging approximately $2 million of the stolen assets to Ethereum in real time during the incident.","heading":"December 2022 Admin Key Exploit","severity":"critical","sources":[{"credibility":1,"name":"Raydium Detailed Post-Mortem and Next Steps (Official Medium)","type":"official","url":"https://raydium.medium.com/detailed-post-mortem-and-next-steps-d6d6dd461c3e"},{"credibility":2,"name":"CertiK — Raydium Protocol Exploit Incident Analysis","type":"research","url":"https://www.certik.com/resources/blog/raydium-protocol-exploit-incident-analysis"},{"credibility":2,"name":"Raydium Protocol — hacker gains god mode access (HackMD writeup)","type":"community_report","url":"https://hackmd.io/@prastut/BkbKKIll2"},{"credibility":2,"name":"QuadrigaInitiative case study — Raydium Private Key Compromised","type":"research","url":"https://quadrigainitiative.com/casestudy/raydiumprivatekeycompromised.php"}]},{"content":"On January 19, 2023, the wallet tagged as 'Raydium Exploiter' (0xb98acc055e331a709a765569eb6854bb2f0c8282 on Ethereum) deposited a total of 1,774.5 ETH (approximately $2.7 million at the time) into Tornado Cash across 42 separate transactions. Tornado Cash had been placed on the U.S. Treasury Office of Foreign Assets Control (OFAC) sanctions list in November 2022, due to its alleged use by state-affiliated threat actors including North Korea-linked Lazarus Group. The deposit of exploit proceeds into a sanctioned protocol rendered recovery of those specific funds effectively impossible and raised questions about the identity and jurisdiction of the attacker. CoinDesk reported the transfers, confirming the wallet address via Etherscan transaction logs. No funds were ultimately returned to Raydium or affected users from this portion of the stolen assets.","heading":"Stolen Funds Laundered via Tornado Cash","severity":"critical","sources":[{"credibility":1,"name":"CoinDesk — Raydium Exchange Exploiter Sends $2.7M to Tornado Cash","type":"news_article","url":"https://www.coindesk.com/business/2023/01/19/raydium-exchange-exploiter-sends-27m-to-tornado-cash/"},{"credibility":2,"name":"CoinTelegraph — Raydium exploiter moves $2.7M to crypto mixer Tornado Cash","type":"news_article","url":"https://cointelegraph.com/news/raydium-exploiter-moves-2-7m-to-crypto-mixer-tornado-cash"},{"credibility":2,"name":"CryptoSlate — Raydium exploiter moves $2.7M to Tornado Cash","type":"news_article","url":"https://cryptoslate.com/raydium-exploiter-moves-2-7m-to-tornado-cash/"}]},{"content":"The December 2022 exploit exposed a fundamental centralization risk in Raydium's original architecture: a single Pool Owner account held authority to withdraw liquidity from multiple pools without requiring any multi-party authorization. Critics, including on-chain security analysts, noted at the time of the attack that the absence of a multisignature requirement for such privileged operations represented a significant design vulnerability. CertiK's post-mortem stated explicitly that 'one wallet was able to withdraw liquidity from multiple pools,' and characterized the incident as a consequence of protocols that 'are not fully decentralized' requiring accounts with access to 'critical network controls.' The team had originally deployed the admin key on an internal virtual machine rather than in hardware-secured cold storage with access controls. In the immediate aftermath, Raydium migrated admin authority to a hardware wallet (December 16) and then to a Squads multisig (December 17). As of 2025, Raydium updated program admin authority to Squads V4 with a 24-hour timelock.","heading":"Centralization Risk and Admin Key Architecture","severity":"high","sources":[{"credibility":2,"name":"CertiK — Raydium Protocol Exploit Incident Analysis","type":"research","url":"https://www.certik.com/resources/blog/raydium-protocol-exploit-incident-analysis"},{"credibility":1,"name":"Raydium Detailed Post-Mortem and Next Steps (Official Medium)","type":"official","url":"https://raydium.medium.com/detailed-post-mortem-and-next-steps-d6d6dd461c3e"},{"credibility":1,"name":"Raydium Security Docs","type":"official","url":"https://docs.raydium.io/raydium/protocol/security"}]},{"content":"Following a community governance vote that passed on December 30, 2022 with 5,598,814 approvals, Raydium implemented a phased compensation plan for affected liquidity providers. Pools containing RAY (RAY-USDC, RAY-SOL, RAY-USDT) were eligible for 100% principal recovery; six other pools (SOL-USDC, SOL-USDT, stSOL-USDC, whETH-USDC, and others) received 90% recovery in native assets plus the remaining 10% covered in RAY tokens at a 1:1.2 ratio (providing $1.20 in RAY per $1 of unrecovered loss). RAY pricing for compensation was calculated using a 30-day TWAP of $0.1813 (December 6, 2022 through January 3, 2023). Team-vested RAY tokens were used to fund the RAY-denominated portions of compensation. The claim portal opened January 5, 2023 and was extended through May 14, 2023 to accommodate third-party integrations including Francium and Tulip leveraged vault positions. The compensation plan did not achieve 100% recovery for all affected pools, and the non-RAY pool shortfall of 10% of principal was partially offset with bonus RAY rather than stablecoins.","heading":"User Compensation Program","severity":"medium","sources":[{"credibility":1,"name":"Raydium — Compensation Plan and Next Steps (Official Medium)","type":"official","url":"https://raydium.medium.com/compensation-plan-and-next-steps-367246a62277"},{"credibility":1,"name":"Raydium Docs — Claim Portal Archive","type":"official","url":"https://docs.raydium.io/raydium/updates/archive/claim-portal"},{"credibility":2,"name":"CoinTelegraph — Raydium announces details of hack, proposes compensation","type":"news_article","url":"https://cointelegraph.com/news/raydium-announces-details-of-hack-proposes-compensation-for-victims"}]},{"content":"On January 10, 2024, a whitehat researcher identified as @riproprip reported a critical vulnerability in Raydium's CLMM (concentrated liquidity) program via Immunefi. The vulnerability existed in the increase_liquidity.rs function and involved improper validation of the tickarray_bitmap_extension account. An attacker exploiting this flaw could have manipulated liquidity at arbitrary price points by flipping tick statuses, potentially enabling unauthorized liquidity drains from CLMM pools. Raydium patched the vulnerability promptly. The whitehat was awarded a $505,000 bounty in RAY tokens, the maximum payout under Raydium's Immunefi program. No funds were lost as a result of this vulnerability.","heading":"January 2024 CLMM Tick Manipulation Vulnerability","severity":"high","sources":[{"credibility":2,"name":"Immunefi — Raydium Tick Manipulation Bugfix Review","type":"research","url":"https://immunefi.com/blog/bug-fix-reviews/raydium-tick-manipulation-bugfix-review/"},{"credibility":2,"name":"Immunefi Medium — Raydium Tick Manipulation Bugfix Review","type":"research","url":"https://medium.com/immunefi/raydium-tick-manipulation-bugfix-review-c6aae4527ed6"}]},{"content":"Raydium was founded by a pseudonymous team using the pseudonyms AlphaRay (strategy), XRay (technology), and GammaRay (marketing), with additional core contributors known as StingRay and RayZor. The team has stated publicly that they come from an algorithmic trading background in commodities, transitioning to crypto market-making around 2017, but no real identities have been publicly confirmed. The use of fully anonymous founding teams is a recognized risk factor in the DeFi space, as it limits accountability in the event of negligent key management, rug pulls, or regulatory action. In Raydium's case, the anonymity of the team meant that the December 2022 exploit investigation could not involve external identity verification of responsible parties. Governance over protocol parameters is conducted through RAY token holder votes and, since December 2022, through the Squads multisig for smart contract upgrades.","heading":"Team Anonymity and Governance","severity":"medium","sources":[{"credibility":2,"name":"BeinCrypto — What Is Raydium (RAY)?","type":"news_article","url":"https://beincrypto.com/learn/raydium-ray/"},{"credibility":3,"name":"IQ.wiki — AlphaRay","type":"other","url":"https://iq.wiki/wiki/alpharay"},{"credibility":2,"name":"TokenInsight — Raydium Team and Founder","type":"research","url":"https://tokeninsight.com/en/coins/raydium/team"}]},{"content":"Following the December 2022 exploit, Raydium undertook a series of documented security upgrades. The AMM V4 program was patched to remove the five admin parameters that had been exploited, including the SetParams and withdrawPNL vectors. OtterSec conducted audits of the updated AMM, the CLMM program, and the staking program in late 2022 and early 2023. MadShield audited the OpenBook integration (Q2 2023) and the CPMM (constant product market maker) in Q1 2024. A bug bounty program via Immunefi offers up to $505,000 for critical findings. As of 2025–2026, Raydium remains one of the largest DEX protocols on Solana by TVL (reported at approximately $1–2.5 billion depending on timeframe) and daily trading volume. Coinbase discontinued RAY perpetual futures in April 2026 as part of a broader 25-product review, though spot trading of RAY continued. The protocol's program admin authority has been migrated to Squads V4 with a 24-hour timelock as an additional safeguard against single-key compromise.","heading":"Security Improvements and Current Status","severity":"low","sources":[{"credibility":1,"name":"Raydium Security Docs","type":"official","url":"https://docs.raydium.io/raydium/protocol/security"},{"credibility":1,"name":"Raydium Bug Bounty — Immunefi","type":"official","url":"https://immunefi.com/bug-bounty/raydium/"},{"credibility":2,"name":"AMBCrypto — What is Raydium and is It Safe to Use in 2025?","type":"news_article","url":"https://ambcrypto.com/blog/what-is-raydium-and-is-it-safe-to-use-in-2025/"},{"credibility":2,"name":"DeFiLlama — Raydium TVL","type":"on_chain","url":"https://defillama.com/protocol/raydium"}]}],"sources_used":[{"credibility":1,"name":"Raydium Official Post-Mortem (Medium)","type":"official","url":"https://raydium.medium.com/detailed-post-mortem-and-next-steps-d6d6dd461c3e"},{"credibility":1,"name":"CoinDesk — Raydium Exploiter Sends $2.7M to Tornado Cash","type":"news_article","url":"https://www.coindesk.com/business/2023/01/19/raydium-exchange-exploiter-sends-27m-to-tornado-cash/"},{"credibility":2,"name":"CertiK — Raydium Protocol Exploit Incident Analysis","type":"research","url":"https://www.certik.com/resources/blog/raydium-protocol-exploit-incident-analysis"},{"credibility":2,"name":"CoinTelegraph — Raydium announces details of hack, proposes compensation","type":"news_article","url":"https://cointelegraph.com/news/raydium-announces-details-of-hack-proposes-compensation-for-victims"},{"credibility":1,"name":"Raydium Compensation Plan (Medium)","type":"official","url":"https://raydium.medium.com/compensation-plan-and-next-steps-367246a62277"},{"credibility":1,"name":"Raydium Docs — Security","type":"official","url":"https://docs.raydium.io/raydium/protocol/security"},{"credibility":1,"name":"Raydium Docs — Claim Portal Archive","type":"official","url":"https://docs.raydium.io/raydium/updates/archive/claim-portal"},{"credibility":2,"name":"Immunefi — Raydium Tick Manipulation Bugfix Review","type":"research","url":"https://immunefi.com/blog/bug-fix-reviews/raydium-tick-manipulation-bugfix-review/"},{"credibility":2,"name":"DeFiLlama — Raydium TVL","type":"on_chain","url":"https://defillama.com/protocol/raydium"},{"credibility":1,"name":"Immunefi — Raydium Bug Bounty","type":"official","url":"https://immunefi.com/bug-bounty/raydium/"},{"credibility":2,"name":"HackMD — Raydium Protocol exploit writeup","type":"community_report","url":"https://hackmd.io/@prastut/BkbKKIll2"},{"credibility":2,"name":"CryptoSlate — Raydium exploiter moves $2.7M to Tornado Cash","type":"news_article","url":"https://cryptoslate.com/raydium-exploiter-moves-2-7m-to-tornado-cash/"},{"credibility":2,"name":"BeinCrypto — What Is Raydium (RAY)?","type":"news_article","url":"https://beincrypto.com/learn/raydium-ray/"},{"credibility":2,"name":"QuadrigaInitiative — Raydium Private Key Compromised Case Study","type":"research","url":"https://quadrigainitiative.com/casestudy/raydiumprivatekeycompromised.php"}],"summary":"Raydium is a leading Solana-based automated market maker (AMM) and decentralized exchange (DEX) launched in February 2021 by a pseudonymous team. On December 16, 2022, a compromise of the protocol's admin private key enabled an attacker to drain approximately $4.4 million from eight liquidity pools; the stolen funds were subsequently laundered through Tornado Cash in January 2023. The team implemented a phased compensation plan and post-incident security upgrades, including migration of admin authority to a Squads multisig, but the incident exposed significant centralization risks that were not apparent prior to the exploit.","timeline":[{"date":"2021-02-01","event":"Raydium AMM launched on Solana mainnet by pseudonymous founding team (AlphaRay, XRay, GammaRay).","source":"BeinCrypto","source_url":"https://beincrypto.com/learn/raydium-ray/"},{"date":"2022-12-16","event":"Admin private key compromised, likely via trojan malware. Attacker drains ~$4.4M from eight AMM V4 liquidity pools using withdrawPNL and SetParams exploits. Patch deployed at 14:16 UTC same day.","source":"Raydium Official Post-Mortem","source_url":"https://raydium.medium.com/detailed-post-mortem-and-next-steps-d6d6dd461c3e"},{"date":"2022-12-17","event":"Raydium removes exploited admin parameters from AMM V4 program and transfers remaining admin authority to Squads multisig.","source":"Raydium Official Post-Mortem","source_url":"https://raydium.medium.com/detailed-post-mortem-and-next-steps-d6d6dd461c3e"},{"date":"2022-12-30","event":"DAO governance vote passes (5,598,814 approvals) authorizing compensation plan using DAO treasury and team-vested RAY tokens.","source":"CertiK Exploit Analysis","source_url":"https://www.certik.com/resources/blog/raydium-protocol-exploit-incident-analysis"},{"date":"2023-01-05","event":"Compensation claim portal opens for Phase 1 affected liquidity providers.","source":"Raydium Compensation Plan","source_url":"https://raydium.medium.com/compensation-plan-and-next-steps-367246a62277"},{"date":"2023-01-19","event":"Raydium exploiter deposits 1,774.5 ETH (~$2.7M) into sanctioned mixer Tornado Cash across 42 transactions, effectively laundering the stolen funds.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2023/01/19/raydium-exchange-exploiter-sends-27m-to-tornado-cash/"},{"date":"2023-05-14","event":"Final extension of compensation claim portal closes. Compensation process concluded.","source":"Raydium Docs — Claim Portal","source_url":"https://docs.raydium.io/raydium/updates/archive/claim-portal"},{"date":"2024-01-10","event":"Whitehat @riproprip discloses critical tick manipulation vulnerability in Raydium CLMM via Immunefi. No funds lost. $505,000 RAY bounty awarded.","source":"Immunefi Bugfix Review","source_url":"https://immunefi.com/blog/bug-fix-reviews/raydium-tick-manipulation-bugfix-review/"},{"date":"2026-04-21","event":"Coinbase discontinues RAY perpetual futures contracts as part of a 25-product review; RAY spot trading unaffected.","source":"CoinMarketCap Latest Updates","source_url":"https://coinmarketcap.com/cmc-ai/raydium/latest-updates/"}]},"v":1}