Raydium's retired liquidity pools.
On June 10, an attacker drained about $1.34 million from five Raydium pools on Solana that had sat inactive since 2021. Raydium's app no longer touches them, but the old contracts were still live on-chain.
A liquidity pool holds two assets people trade against. To withdraw your share, you hand back an LP token, a receipt for what you deposited. The retired code checked the receipt's supply but never checked the receipt was real. The attacker minted a fake one and drained the pools.
Code does not retire when a team stops using it. A contract nobody maintains is still one anyone can call, and the assumptions that held in 2021 were never revisited.
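The missing check described above, as an added sketch in plain Rust (not Raydium's code and not part of the original post). The `Pool`, `Mint` and `withdraw_*` names, the pro-rata formula and all values are assumptions constructed for illustration: the weak form trusts the supply of whatever mint it is handed, the hardened form first requires that mint to be the one recorded in the pool.

```rust
// Simplified model constructed for illustration; not Raydium's code.
type Key = [u8; 32];

struct Mint { key: Key, supply: u64 }
struct Pool { lp_mint: Key, reserve_a: u64, reserve_b: u64 }

#[derive(Debug, PartialEq)]
enum WithdrawError { ZeroSupply, AmountExceedsSupply, WrongMint }

/// Pro-rata payout: redeeming `lp_amount` out of `mint.supply` returns that fraction of each reserve.
fn payout(pool: &Pool, mint: &Mint, lp_amount: u64) -> Result<(u64, u64), WithdrawError> {
    if mint.supply == 0 { return Err(WithdrawError::ZeroSupply); }
    if lp_amount > mint.supply { return Err(WithdrawError::AmountExceedsSupply); }
    let share = |reserve: u64| (reserve as u128 * lp_amount as u128 / mint.supply as u128) as u64;
    Ok((share(pool.reserve_a), share(pool.reserve_b)))
}

/// Weak form: the supply figures are checked, but on whichever mint the caller supplied.
fn withdraw_unchecked(pool: &Pool, mint: &Mint, lp_amount: u64) -> Result<(u64, u64), WithdrawError> {
    payout(pool, mint, lp_amount)
}

/// Hardened form: the mint's identity must match the pool's recorded LP mint before any math runs.
fn withdraw_checked(pool: &Pool, mint: &Mint, lp_amount: u64) -> Result<(u64, u64), WithdrawError> {
    if mint.key != pool.lp_mint { return Err(WithdrawError::WrongMint); }
    payout(pool, mint, lp_amount)
}

fn main() {
    // Constructed sample state.
    let pool = Pool { lp_mint: [1; 32], reserve_a: 1_000_000, reserve_b: 500_000 };
    let real = Mint { key: [1; 32], supply: 10_000 };
    let unrelated = Mint { key: [9; 32], supply: 1 };

    println!("unchecked, unrelated mint: {:?}", withdraw_unchecked(&pool, &unrelated, 1));
    println!("checked, unrelated mint:   {:?}", withdraw_checked(&pool, &unrelated, 1));
    println!("checked, pool's own mint:  {:?}", withdraw_checked(&pool, &real, 2_500));
}
```

On Solana the same rule applies to every account an instruction receives: compare its address, and its owning program, against what the pool state recorded before reading any field from it.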
Source: https://cryptonews.com/news/raydium-exploit-fake-lp-tokens-deprecated-solana-pools/