DeFi Daily News
Thursday, June 11, 2026

The next DeFi drain could come from legacy contracts everyone forgot

by Gino Matos
June 11, 2026

The Raydium AMM V3 exploit drained roughly $1.34 million from a phased-out program tied to five pools outside the current product path, unsupported by Raydium’s UI or SDK, and inaccessible to current users.

The exploit hit legacy DeFi contracts and infrastructure that nobody treated as a live attack surface, exposing a lifecycle-management failure that extends well beyond one Solana decentralized exchange.

The category nobody is counting

Public exploit reports have found at least eight clear cases since March 2025 in which deprecated, obsolete, or legacy DeFi contracts became the attack surface, totaling roughly $10.8 million in losses.

Extending the definition to include broader legacy-vault and legacy-product failures lifts the count to about ten incidents and $22.5 million, including Raydium.

Exploit trackers classify incidents by technical mechanisms, such as smart contract bugs, access control failures, oracle manipulations, private key compromises, and bridge flaws.

Zombie contracts, or legacy DeFi contracts still callable after retirement, belong to a different axis entirely: a lifecycle state that consistently vanishes inside broader exploit labels.

| Exploit label databases usually use | What it captures | What it misses |
| --- | --- | --- |
| Smart contract bug | The code flaw that let funds move | Whether the contract was deprecated, obsolete, or outside the active product |
| Access control failure | Missing or broken permission checks | Whether the affected deployment should still have been callable |
| Business logic flaw | Broken assumptions inside protocol logic | Whether the logic belonged to old infrastructure no longer supported by the UI/SDK |
| Oracle/accounting issue | Incorrect pricing, balances, or shares | Whether the vault or pool was a legacy product |
| Zombie-contract / lifecycle risk | Deprecated infrastructure still live on-chain | The missing category: contracts that were “retired” in product terms but not decommissioned technically |

Raydium’s AMM V3 pools were deprecated after Serum’s own deprecation rendered them inert. The legacy program was built to place orders on the Serum order book, and once Serum wound down, it lost its only function and left associated liquidity idle.

Raydium’s current programs use a virtual supply mechanism for proportion checks and verify LP mint addresses along with all other relevant account information.

The legacy program skipped both checks, letting an attacker create a new mint, present it as the LP token, and bypass proportion controls entirely.

Roughly 150,177 RAY, 5,603 SOL, and 893,700 USDC had been sitting in pools outside the current product but stayed callable on-chain.

One pattern for eight incidents

In March 2025, 1inch lost roughly $5 million when an obsolete Fusion v1 resolver contract implementation was exploited.

In October 2025, Abracadabra lost $1.8 million due to deprecated Cauldron V4 contracts that remained active and exploitable because of a logic flaw. In December 2025, Yearn’s legacy iEarn TUSD vault was drained of roughly $300,000, while Yearn’s current v2 and v3 vaults remained clean.

Things escalated in May: SlowMist reported Transit Finance losing $1.88 million through a deprecated 2022-era TRON contract, and Huma Finance lost roughly $101,000 through deprecated V1 BaseCreditPool contracts on Polygon.

Renegade lost approximately $209,000 due to a legacy V1 Arbitrum deployment exposed by an unprotected initializer and a migration issue, with white-hat recovery reducing the net impact.

Scallop lost roughly $140,000 due to a deprecated rewards contract, leaving the core lending infrastructure clean.

Every protocol made the same claim that current users were safe and current programs intact, and every protocol still paid out from the treasury, because the old infrastructure had stayed callable long after it left the active product path.

| Protocol | Date | Legacy surface exploited | Approx. loss | Why it fits the pattern |
| --- | --- | --- | --- | --- |
| 1inch | Mar. 2025 | Obsolete Fusion v1 resolver implementation | ~$5.0M | Old resolver logic remained relevant enough to exploit after the protocol had moved on. |
| Abracadabra | Oct. 2025 | Deprecated Cauldron V4 contracts | ~$1.8M | Deprecated contracts remained active and exploitable through a logic flaw. |
| Yearn | Dec. 2025 | Legacy iEarn TUSD vault | ~$0.3M | Legacy vault was drained while current Yearn vaults remained unaffected. |
| Transit Finance | May 2026 | Deprecated 2022-era TRON contract | ~$1.88M | Old contract surface stayed live after deprecation and became the attack path. |
| Huma Finance | May 2026 | Deprecated V1 BaseCreditPool contracts on Polygon | ~$0.101M | Retired architecture still held exploitable value outside the current system. |
| Renegade | May 2026 | Legacy V1 Arbitrum deployment | ~$0.209M | Migration and initializer issues exposed an old deployment. |
| Scallop | 2026 | Deprecated rewards-side contract | ~$0.14M | Core lending infrastructure stayed clean, but old rewards infrastructure was exploitable. |
| Raydium | 2026 | Legacy AMM V3 pools | ~$1.34M | Current UI/SDK and users were unaffected, but old pools remained callable on-chain. |

Why databases lose this

Most exploit classifications focus on how the attacker got in, what they manipulated, and which code failed, a mechanism-first lens that obscures zombie contract exploits, where the core failure is that the infrastructure was supposed to be retired.

Transit’s deprecated TRON contract was an old protocol surface that nobody decommissioned. Scallop’s deprecated rewards contract was an accounting flaw in infrastructure that the team had moved past. Huma’s V1 BaseCreditPool was retired architecture still holding assets on a chain the protocol had migrated away from.

A 2025 SoK paper analyzing 50 severe real-world exploits from 2022 to 2025, totaling over $1 billion in losses, argued that high-impact incidents frequently involve exploit chains spanning human, operational, economic, lifecycle, and governance layers.

The authors proposed a four-tier root-cause framework that treats lifecycle and governance failures as a distinct category alongside implementation errors. Zombie contracts fit that framework: they are lifecycle failures that exploit databases absorb into implementation-bug counts, keeping the cumulative dollar figure buried inside unrelated categories.

The fork in the graveyard

If protocols continue to treat decommissioning as an afterthought, deprecating contracts in product documentation without draining, pausing, or monitoring them, attackers will keep scanning the graveyard.

Every major protocol’s deployment history becomes a searchable attack surface. The $22.5 million current estimate is a floor, based on incidents that made it into public reporting with sufficient detail to classify.

Legacy vaults, forgotten approval surfaces, and old integrations that still hold assets but sit outside active user flows receive far less monitoring than live infrastructure, which is what attackers scan for.

If the category gets named and counted, if decommissioning checklists become standard practice alongside audits, the attack surface shrinks through maintenance.

Raydium’s treasury absorbs the $1.3 million exploit, Transit’s team promised compensation, and Huma covered its losses.

That makes DeFi contract decommissioning a security control rather than a documentation task.

| Decommissioning control | What it means | Why it matters |
| --- | --- | --- |
| Drain idle assets | Remove funds from retired pools, vaults, and reward contracts. | Eliminates the financial incentive for attackers to scan abandoned infrastructure. |
| Pause callable functions | Disable swaps, withdrawals, reward claims, or admin functions where possible. | Turns “deprecated” into an actual security state rather than a product label. |
| Verify LP mints, approvals, and permissions | Review old mint checks, approvals, authorities, and account assumptions. | Prevents attackers from exploiting stale validation logic or forgotten permissions. |
| Monitor legacy deployments | Keep alerts active for old contracts, pools, and chain deployments. | Prevents abandoned infrastructure from becoming invisible to the team but visible to attackers. |
| Keep legacy code in bug-bounty scope | Include retired or deprecated infrastructure in security programs. | Gives white hats a reason to report issues before attackers exploit them. |
| Publish retirement status | Clearly identify whether old products are drained, paused, monitored, or unsupported. | Helps users, integrators, and analysts distinguish “not in the UI” from “not risky.” |
| Define treasury liability | State whether the protocol will compensate losses from retired infrastructure. | Makes clear whether old code remains an implicit claim on the protocol treasury. |
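The checklist above can be run as an audit over a deployment inventory. The sketch below is an added example, not code from the article or from any protocol it names; the control keys, the `Deployment` fields, the dust threshold and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Control labels come from the article's decommissioning table; the keys are hypothetical.
CONTROLS = {
    "drained": "Drain idle assets",
    "paused": "Pause callable functions",
    "permissions_reviewed": "Verify LP mints, approvals, and permissions",
    "monitored": "Monitor legacy deployments",
    "in_bounty_scope": "Keep legacy code in bug-bounty scope",
    "status_published": "Publish retirement status",
    "liability_defined": "Define treasury liability",
}
DUST_USD = 1.0  # assumed threshold below which a balance counts as drained

@dataclass(frozen=True)
class Deployment:
    name: str
    deprecated: bool
    idle_value_usd: float              # value still held on-chain
    controls: frozenset = frozenset()  # CONTROLS keys the team has attested to

def missing_controls(d):
    done = set(d.controls) - {"drained"}   # never trust an attested "drained"
    if d.idle_value_usd <= DUST_USD:       # derive it from the balance instead
        done.add("drained")
    return [label for key, label in CONTROLS.items() if key not in done]

def is_zombie(d):
    # The state the article describes: retired in product terms, funded, still callable.
    return d.deprecated and d.idle_value_usd > DUST_USD and "paused" not in d.controls

def audit(inventory):
    rows = [(d.name, d.idle_value_usd, is_zombie(d), missing_controls(d))
            for d in inventory if d.deprecated]
    rows = [r for r in rows if r[3]]                      # keep only open gaps
    return sorted(rows, key=lambda r: (not r[2], -r[1]))  # zombies first, then by value

def exposure_usd(inventory):
    return sum(d.idle_value_usd for d in inventory if is_zombie(d))

# Constructed inventory, not real protocol data.
INVENTORY = [
    Deployment("amm-current", False, 9_000_000.0),
    Deployment("amm-legacy-pools", True, 250_000.0, frozenset({"status_published"})),
    Deployment("vault-v1", True, 40_000.0, frozenset({"paused", "monitored"})),
    Deployment("rewards-v1", True, 0.0, frozenset(CONTROLS) - {"drained"}),
]

if __name__ == "__main__":
    for name, value, zombie, gaps in audit(INVENTORY):
        print(f"{name}: ${value:,.0f} zombie={zombie} missing={gaps}")
    print(f"exposure: ${exposure_usd(INVENTORY):,.0f}")
```

Deriving "drained" from the observed balance rather than from an attested flag keeps a stale checklist entry from hiding funds that are still sitting in a retired contract.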

Deprecating a contract transfers the security liability to the treasury while leaving the attack surface intact. Retiring infrastructure without decommissioning it keeps it live, with the team’s attention diverted and the attacker’s incentive intact.

In addition to total value locked, DeFi protocols accumulate history, and history can be exploited.
