The next DeFi drain could come from legacy contracts everyone forgot
The Raydium AMM V3 exploit drained roughly $1.34 million from a phased-out program tied to five pools outside the current product path, unsupported by Raydium’s UI or SDK, and inaccessible to current users.
The exploit hit legacy DeFi contracts and infrastructure that nobody treated as a live attack surface, exposing a lifecycle-management failure that extends well beyond one Solana decentralized exchange.
The category nobody is counting
Public exploit reports have identified at least eight clear cases since March 2025 in which deprecated, obsolete, or legacy DeFi contracts became the attack surface, totaling roughly $10.8 million in losses.
Extending the definition to include broader legacy-vault and legacy-product failures lifts the count to about ten incidents and $22.5 million, including Raydium.
Exploit trackers classify incidents by technical mechanism, such as smart contract bugs, access control failures, oracle manipulation, private key compromises, and bridge flaws.
Zombie contracts, or legacy DeFi contracts still callable after retirement, belong to a different axis entirely: a lifecycle state that consistently vanishes inside broader exploit labels.
| Exploit label databases usually use | What it captures | What it misses |
|---|---|---|
| Smart contract bug | The code flaw that let funds move | Whether the contract was deprecated, obsolete, or outside the active product |
| Access control failure | Missing or broken permission checks | Whether the affected deployment should still have been callable |
| Business logic flaw | Broken assumptions inside protocol logic | Whether the logic belonged to old infrastructure not supported by the UI/SDK |
| Oracle/accounting issue | Incorrect pricing, balances, or shares | Whether the vault or pool was a legacy product |
| Zombie-contract / lifecycle risk | Deprecated infrastructure still live on-chain | The missing category: contracts that were “retired” in product terms but not decommissioned technically |
Raydium’s AMM V3 pools were deprecated after Serum’s own deprecation rendered them inert. The legacy program was built to place orders on the Serum order book, and once Serum wound down, it lost its only function and left the associated liquidity idle.
Raydium’s current programs use a virtual supply mechanism for proportion checks and verify LP mint addresses along with all other associated account data.
The legacy program skipped both checks, letting an attacker create a new mint, present it as the LP token, and bypass proportion controls entirely.
Roughly 150,177 RAY, 5,603 SOL, and 893,700 USDC had been sitting in pools outside the current product but stayed callable on-chain.
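The two checks described above, modelled as an added Rust example that is not Raydium’s code and does not reproduce its account layout: a legacy-style withdraw that trusts whatever mint the caller presents and sizes the payout against that mint’s own supply, beside a checked withdraw that requires the pool’s recorded LP mint and takes the proportion from the pool’s own virtual supply. The `Pool` and `MintAccount` types, the `virtual_lp_supply` field, and all numbers are constructed for this illustration.

```rust
// Added illustration, not Raydium's code: a minimal model of the two checks the
// article describes (LP mint verification and a proportion check against the pool's
// own virtual supply) beside a legacy-style path that skips both. All types, names
// and numbers are constructed for this example.

/// 32-byte account address, modelled as a fixed array.
type Address = [u8; 32];

/// Pool state as modelled here. `virtual_lp_supply` is the pool's own record of
/// outstanding LP tokens; it is an assumption of this example, not Raydium's layout.
#[derive(Debug, Clone)]
struct Pool {
    lp_mint: Address,
    virtual_lp_supply: u64,
    reserve_a: u64,
    reserve_b: u64,
}

/// A mint account exactly as the caller presents it (address plus total supply).
#[derive(Debug, Clone)]
struct MintAccount {
    address: Address,
    supply: u64,
}

#[derive(Debug, PartialEq)]
enum WithdrawError {
    WrongLpMint,
    BurnExceedsSupply,
}

/// Proportional payout: reserves * burn / supply, computed in u128 to avoid overflow.
fn share(pool: &Pool, burn: u64, supply: u64) -> (u64, u64) {
    let (b, s) = (burn as u128, supply as u128);
    (
        (pool.reserve_a as u128 * b / s) as u64,
        (pool.reserve_b as u128 * b / s) as u64,
    )
}

/// Legacy-style withdraw: trusts whatever mint the caller presents and sizes the
/// payout against that mint's own supply. Because the caller controls the
/// denominator, a small burn from a freshly created mint can claim the whole pool.
fn withdraw_legacy(pool: &Pool, presented: &MintAccount, burn: u64) -> (u64, u64) {
    share(pool, burn, presented.supply.max(1))
}

/// Hardened withdraw: the presented mint must be the pool's recorded LP mint, and
/// the proportion is taken from the pool's own virtual supply, never from the
/// account the caller supplied.
fn withdraw_checked(
    pool: &Pool,
    presented: &MintAccount,
    burn: u64,
) -> Result<(u64, u64), WithdrawError> {
    if presented.address != pool.lp_mint {
        return Err(WithdrawError::WrongLpMint);
    }
    if pool.virtual_lp_supply == 0 || burn > pool.virtual_lp_supply {
        return Err(WithdrawError::BurnExceedsSupply);
    }
    Ok(share(pool, burn, pool.virtual_lp_supply))
}

/// Constructed pool: 1,000,000 LP tokens outstanding against two reserves.
fn sample_pool() -> Pool {
    Pool {
        lp_mint: [1u8; 32],
        virtual_lp_supply: 1_000_000,
        reserve_a: 500_000,
        reserve_b: 2_000_000,
    }
}

fn main() {
    let pool = sample_pool();
    let real_lp = MintAccount { address: [1u8; 32], supply: 1_000_000 };
    // A mint with a supply of 10 that is not the pool's LP mint, presented as if it were.
    let foreign = MintAccount { address: [9u8; 32], supply: 10 };

    println!("legacy path, foreign mint, burn 10 -> {:?}", withdraw_legacy(&pool, &foreign, 10));
    println!("checked path, foreign mint        -> {:?}", withdraw_checked(&pool, &foreign, 10));
    println!("checked path, real mint, burn 1%  -> {:?}", withdraw_checked(&pool, &real_lp, 10_000));
}
```

The point of the model is the denominator: the legacy path lets the caller-supplied account decide what “100% of the pool” means, while the checked path binds both the identity of the LP mint and the supply used for the proportion to state the pool itself holds. A review of an old deployment should ask exactly that question for every account the instruction reads.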
One pattern for eight incidents
In March 2025, 1inch lost roughly $5 million when an obsolete Fusion v1 resolver contract implementation was exploited.
In October 2025, Abracadabra lost $1.8 million due to deprecated Cauldron V4 contracts that remained active and exploitable because of a logic flaw. In December 2025, Yearn’s legacy iEarn TUSD vault was drained of roughly $300,000, while Yearn’s current v2 and v3 vaults remained clean.
Things escalated in May: SlowMist reported Transit Finance losing $1.88 million via a deprecated 2022-era TRON contract, and Huma Finance lost roughly $101,000 via deprecated V1 BaseCreditPool contracts on Polygon.
Renegade lost approximately $209,000 due to a legacy V1 Arbitrum deployment exposed by an unprotected initializer and a migration issue, with white-hat recovery reducing the net impact.
Scallop lost roughly $140,000 due to a deprecated rewards contract, leaving the core lending infrastructure clean.
Every protocol made the same claim that current users were safe and current programs intact, and every protocol still paid out from the treasury, because the old infrastructure had stayed callable long after it left the active product path.
| Protocol | Date | Legacy surface exploited | Approx. loss | Why it fits the pattern |
|---|---|---|---|---|
| 1inch | Mar. 2025 | Obsolete Fusion v1 resolver implementation | ~$5.0M | Old resolver logic remained connected enough to exploit after the protocol had moved on. |
| Abracadabra | Oct. 2025 | Deprecated Cauldron V4 contracts | ~$1.8M | Deprecated contracts remained active and exploitable via a logic flaw. |
| Yearn | Dec. 2025 | Legacy iEarn TUSD vault | ~$0.3M | Legacy vault was drained while current Yearn vaults remained unaffected. |
| Transit Finance | May 2026 | Deprecated 2022-era TRON contract | ~$1.88M | Old contract surface stayed live after deprecation and became the attack path. |
| Huma Finance | May 2026 | Deprecated V1 BaseCreditPool contracts on Polygon | ~$0.101M | Retired architecture still held exploitable value outside the current system. |
| Renegade | May 2026 | Legacy V1 Arbitrum deployment | ~$0.209M | Migration and initializer issues exposed an old deployment. |
| Scallop | 2026 | Deprecated rewards-side contract | ~$0.14M | Core lending infrastructure stayed clean, but old rewards infrastructure was exploitable. |
| Raydium | 2026 | Legacy AMM V3 pools | ~$1.34M | Current UI/SDK and users were unaffected, but old pools remained callable on-chain. |
Why databases lose this
Most exploit classifications focus on how the attacker got in, what they manipulated, and which code failed, a mechanism-first lens that obscures zombie contract exploits, where the core failure is that the infrastructure was supposed to be retired.
Transit’s deprecated TRON contract was an old protocol surface that nobody decommissioned. Scallop’s deprecated rewards contract was an accounting flaw in infrastructure that the team had moved past. Huma’s V1 BaseCreditPool was retired architecture still holding assets on a chain the protocol had migrated away from.
A 2025 SoK paper analyzing 50 severe real-world exploits from 2022 to 2025, totaling over $1 billion in losses, argued that high-impact incidents frequently involve exploit chains spanning human, operational, economic, lifecycle, and governance layers.
The authors proposed a four-tier root-cause framework that treats lifecycle and governance failures as a distinct class alongside implementation errors. Zombie contracts fit that framework: lifecycle failures that exploit databases absorb into implementation-bug counts, keeping the cumulative dollar figure buried inside unrelated categories.
The fork in the graveyard
If protocols continue to treat decommissioning as an afterthought, deprecating contracts in product documentation without draining, pausing, or monitoring them, attackers will keep scanning the graveyard.
Every major protocol’s deployment history becomes a searchable attack surface. The $22.5 million current estimate is a floor, based on incidents that made it into public reporting with enough detail to classify.
Legacy vaults, forgotten approval surfaces, and old integrations that still hold assets but sit outside active user flows receive far less monitoring than live infrastructure, which is exactly what attackers scan for.
If the category gets named and counted, and if decommissioning checklists become standard practice alongside audits, the attack surface shrinks through maintenance.
Raydium’s treasury absorbs the $1.3 million exploit, Transit’s team promised compensation, and Huma covered its losses.
That makes DeFi contract decommissioning a security control rather than a documentation task.
| Decommissioning control | What it means | Why it matters |
|---|---|---|
| Drain idle assets | Remove funds from retired pools, vaults, and reward contracts. | Eliminates the financial incentive for attackers to scan abandoned infrastructure. |
| Pause callable functions | Disable swaps, withdrawals, reward claims, or admin functions where possible. | Turns “deprecated” into an actual security state rather than a product label. |
| Verify LP mints, approvals, and permissions | Review old mint checks, approvals, authorities, and account assumptions. | Prevents attackers from exploiting stale validation logic or forgotten permissions. |
| Monitor legacy deployments | Keep alerts active for old contracts, pools, and chain deployments. | Prevents abandoned infrastructure from becoming invisible to the team but visible to attackers. |
| Keep legacy code in bug-bounty scope | Include retired or deprecated infrastructure in security programs. | Gives white hats a reason to report issues before attackers exploit them. |
| Publish retirement status | Clearly identify whether old products are drained, paused, monitored, or unsupported. | Helps users, integrators, and analysts distinguish “not in the UI” from “not dangerous.” |
| Define treasury liability | State whether the protocol will compensate losses from retired infrastructure. | Makes clear whether old code remains an implicit claim on the protocol treasury. |
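The controls in the table turn into a checkable inventory once lifecycle state is recorded as its own field rather than inferred from a product label. The following is an added Rust example, not code from the article or from any of the protocols it names: each deployment record carries its product status, the value still reachable through it, and whether it is paused, monitored, and in bounty scope, and the audit flags the combinations the article calls zombie contracts. The `Deployment` and `Finding` types and the inventory entries are constructed for this illustration.

```rust
// Added example, not from the article or any protocol: an inventory audit that
// records lifecycle state as its own axis and flags retired deployments that are
// still callable, still hold value, or have dropped out of monitoring and bounty
// scope. The deployment records below are constructed.

#[derive(Debug, Clone, Copy, PartialEq)]
enum ProductStatus {
    Active,
    Deprecated,
}

#[derive(Debug, Clone)]
struct Deployment {
    name: &'static str,
    chain: &'static str,
    status: ProductStatus,
    held_value_usd: u64, // assets still reachable through the contract
    paused: bool,        // callable entry points disabled on-chain
    monitored: bool,     // alerting still covers this address
    in_bounty_scope: bool,
}

#[derive(Debug, PartialEq)]
enum Finding {
    /// Deprecated in product terms, but still callable and still holding value.
    Zombie,
    /// Deprecated and holding value, with no alerting on it.
    Unmonitored,
    /// Deprecated and holding value, but excluded from the bounty program.
    OutOfBountyScope,
}

/// A deployment is clean once it is drained, or once it is paused, monitored and
/// in scope; the "deprecated" label on its own clears nothing.
fn audit(d: &Deployment) -> Vec<Finding> {
    let mut findings = Vec::new();
    if d.status != ProductStatus::Deprecated || d.held_value_usd == 0 {
        return findings;
    }
    if !d.paused {
        findings.push(Finding::Zombie);
    }
    if !d.monitored {
        findings.push(Finding::Unmonitored);
    }
    if !d.in_bounty_scope {
        findings.push(Finding::OutOfBountyScope);
    }
    findings
}

/// Total value sitting in zombie deployments: the figure that a mechanism-first
/// exploit database never surfaces as a category of its own.
fn zombie_exposure_usd(inventory: &[Deployment]) -> u64 {
    inventory
        .iter()
        .filter(|d| audit(d).contains(&Finding::Zombie))
        .map(|d| d.held_value_usd)
        .sum()
}

/// Constructed inventory covering the four states the audit distinguishes.
fn sample_inventory() -> Vec<Deployment> {
    vec![
        // Current product: not subject to decommissioning checks.
        Deployment { name: "pool-v2", chain: "solana", status: ProductStatus::Active,
            held_value_usd: 40_000_000, paused: false, monitored: true, in_bounty_scope: true },
        // Retired and drained: nothing left to take, so no findings.
        Deployment { name: "vault-v1", chain: "ethereum", status: ProductStatus::Deprecated,
            held_value_usd: 0, paused: false, monitored: false, in_bounty_scope: false },
        // Retired in the docs only: funds remain, nothing paused, nobody watching.
        Deployment { name: "pool-v1", chain: "solana", status: ProductStatus::Deprecated,
            held_value_usd: 250_000, paused: false, monitored: false, in_bounty_scope: true },
        // Retired properly: paused, still alerted on, still in bounty scope.
        Deployment { name: "rewards-v1", chain: "polygon", status: ProductStatus::Deprecated,
            held_value_usd: 120_000, paused: true, monitored: true, in_bounty_scope: true },
    ]
}

fn main() {
    let inventory = sample_inventory();
    for d in &inventory {
        println!("{:<10} {:<9} {:?}", d.name, d.chain, audit(d));
    }
    println!("zombie exposure: ${}", zombie_exposure_usd(&inventory));
}
```

Draining is the one control that clears every finding at once, which is why it heads the table; pausing clears the zombie finding but leaves the monitoring and bounty questions open, and a deployment marked deprecated with funds still inside and no pause is exactly the state the eight incidents share.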
Deprecating a contract transfers the security liability to the treasury while leaving the attack surface intact. Retiring infrastructure without decommissioning it keeps it live, with the team’s attention diverted and the attacker’s incentive intact.
In addition to total value locked, DeFi protocols accumulate history, and history can be exploited.
The put up The next DeFi drain could come from legacy contracts everyone forgot appeared first on CryptoSlate.
