Partial-drain test transactions
Raydium's assessment for RD-F-091 — scored not_assessed on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Cat 6A precursor signal (v1-deferred). The Dec 2022 attack showed no partial-drain precursor: it was a single-session sweep in which a compromised admin key called withdraw_pnl across 9 pools. That function was removed from the current AMM v4 program in the post-exploit upgrade (Dec 17, 2022 program upgrade). An admin drain now requires 3/4 Squads multisig approval plus a 24-hr timelock, making rapid partial-drain test sequences infeasible without multisig pre-authorization. No partial-drain test transactions have been observed on current AMM programs.
Sources
- Raydium Detailed Post-Mortem and Next Steps. Raydium post-mortem: withdraw_pnl instruction and SyncNeedTake parameter removed Dec 17 2022 via program upgrade (retrieved 2026-04-29)
- Raydium Hack Analysis — HackMD. Hack DB: single-session attack, no partial drain precursor observed (retrieved 2026-04-29)
Methodology
Detect one or more small-value outflows prior to a larger drain that match a known pre-strike pattern (low-value same-function calls from new wallet).
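
One way to express this check in code, as an added example that is not part of the assessment or of Raydium's tooling. The record fields, the thresholds and the sample outflows are assumptions constructed for illustration; the rubric does not state numeric cut-offs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Outflow:
    tx_id: str
    ts: int                 # block time, unix seconds
    signer: str
    function: str           # program instruction that moved value out
    amount: float           # value leaving the pool (USD, constructed)
    signer_first_seen: int  # first on-chain activity of the signer

# Assumed thresholds, chosen for the example only.
DRAIN_MIN = 100_000          # outflow large enough to count as a drain
PROBE_MAX_RATIO = 0.01       # probe is at most 1% of the drain it precedes
LOOKBACK_S = 7 * 24 * 3600   # probes must fall within 7 days before the drain
NEW_WALLET_S = 30 * 24 * 3600

def find_precursors(outflows):
    """Return {drain_tx_id: [probe_tx_ids]} for drains preceded by probes."""
    ordered = sorted(outflows, key=lambda o: o.ts)
    hits = {}
    for drain in ordered:
        if drain.amount < DRAIN_MIN:
            continue
        if drain.ts - drain.signer_first_seen > NEW_WALLET_S:
            continue  # established wallet: outside the "new wallet" pattern
        probes = [p.tx_id for p in ordered
                  if p.signer == drain.signer
                  and p.function == drain.function
                  and 0 < drain.ts - p.ts <= LOOKBACK_S
                  and p.amount <= drain.amount * PROBE_MAX_RATIO]
        if probes:
            hits[drain.tx_id] = probes
    return hits

T0 = 1_700_000_000  # constructed timestamps and wallets below
SAMPLE = [
    # new wallet: two low-value calls, then a large call to the same function
    Outflow("a1", T0, "walletA", "withdraw", 5.0, T0 - 3600),
    Outflow("a2", T0 + 600, "walletA", "withdraw", 12.0, T0 - 3600),
    Outflow("a3", T0 + 7200, "walletA", "withdraw", 250_000.0, T0 - 3600),
    # single-session sweep with no small probes (shape of the Dec 2022 case)
    Outflow("b1", T0 + 10, "walletB", "withdraw_pnl", 400_000.0, T0 - 100),
    Outflow("b2", T0 + 20, "walletB", "withdraw_pnl", 300_000.0, T0 - 100),
    # long-lived wallet: small then large outflow, not a new-wallet pattern
    Outflow("c1", T0, "walletC", "withdraw", 10.0, T0 - 400 * 86400),
    Outflow("c2", T0 + 100, "walletC", "withdraw", 500_000.0, T0 - 400 * 86400),
]

if __name__ == "__main__":
    print(find_precursors(SAMPLE))
```

A sweep like the walletB rows produces no hit, which is why this factor alone would not have flagged an attack with no precursor.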