The next DeFi drain could come from legacy contracts everyone forgot
Raydium’s legacy exploit shows how legacy DeFi contracts can stay live, forgotten, and vulnerable after protocols move on.
Quick Take
- An attacker drained about $1.34 million from Raydium’s deprecated AMM V3 pools, years after they were phased out.
- The incident shows old DeFi contracts can stay live on-chain, turning retired infrastructure into an overlooked attack surface.
- Public reports already count at least eight similar legacy-contract exploits since March 2025, suggesting more forgotten code may still be callable.
The Raydium AMM V3 exploit drained roughly $1.34 million from a phased-out program tied to five pools outside the current product path, unsupported by Raydium’s UI or SDK, and inaccessible to current users.
The exploit hit legacy DeFi contracts and infrastructure that nobody treated as a live attack surface, exposing a lifecycle-management failure that extends well beyond one Solana decentralized exchange.
The category nobody is counting
Public exploit reports have found at least eight clear cases since March 2025 in which deprecated, obsolete, or legacy DeFi contracts became the attack surface, totaling roughly $10.8 million in losses.
Extending the definition to include broader legacy-vault and legacy-product failures lifts the count to about ten incidents and $22.5 million, including Raydium.
Exploit trackers classify incidents by technical mechanisms, such as smart contract bugs, access control failures, oracle manipulations, private key compromises, and bridge flaws.
Zombie contracts, or legacy DeFi contracts still callable after retirement, belong to a different axis entirely: a lifecycle state that consistently vanishes inside broader exploit labels.
| Exploit label databases usually use | What it captures | What it misses |
|---|---|---|
| Smart contract bug | The code flaw that let funds move | Whether the contract was deprecated, obsolete, or outside the active product |
| Access control failure | Missing or broken permission checks | Whether the affected deployment should still have been callable |
| Business logic flaw | Broken assumptions inside protocol logic | Whether the logic belonged to old infrastructure no longer supported by the UI/SDK |
| Oracle/accounting issue | Incorrect pricing, balances, or shares | Whether the vault or pool was a legacy product |
| Zombie-contract / lifecycle risk | Deprecated infrastructure still live on-chain | The missing category: contracts that were “retired” in product terms but not decommissioned technically |
Raydium's AMM V3 pools were deprecated after Serum's own deprecation rendered them inert. The legacy program was built to place orders on the Serum order book, and once Serum wound down, it lost its only function and left associated liquidity idle.
Raydium's current programs use a virtual supply mechanism for proportion checks and verify LP mint addresses along with all other relevant account information.
The legacy program skipped both checks, letting an attacker create a new mint, present it as the LP token, and bypass proportion controls entirely.
Roughly 150,177 RAY, 5,603 SOL, and 893,700 USDC had been sitting in pools outside the current product but stayed callable on-chain.
One pattern for eight incidents
In March 2025, 1inch lost roughly $5 million when an obsolete Fusion v1 resolver contract implementation was exploited.
In October 2025, Abracadabra lost $1.8 million due to deprecated Cauldron V4 contracts that remained active and exploitable because of a logic flaw. In December 2025, Yearn's legacy iEarn TUSD vault was drained of roughly $300,000, while Yearn's current v2 and v3 vaults remained clean.
Things escalated in May: SlowMist reported Transit Finance losing $1.88 million through a deprecated 2022-era TRON contract, and Huma Finance lost roughly $101,000 through deprecated V1 BaseCreditPool contracts on Polygon.
Renegade lost approximately $209,000 due to a legacy V1 Arbitrum deployment exposed by an unprotected initializer and a migration issue, with white-hat recovery reducing the net impact.
Scallop lost roughly $140,000 due to a deprecated rewards contract, leaving the core lending infrastructure clean.
Every protocol made the same claim that current users were safe and current programs intact, and every protocol still paid out from the treasury, because the old infrastructure had stayed callable long after it left the active product path.
| Protocol | Date | Legacy surface exploited | Approx. loss | Why it fits the pattern |
|---|---|---|---|---|
| 1inch | Mar. 2025 | Obsolete Fusion v1 resolver implementation | ~$5.0M | Old resolver logic remained relevant enough to exploit after the protocol had moved on. |
| Abracadabra | Oct. 2025 | Deprecated Cauldron V4 contracts | ~$1.8M | Deprecated contracts remained active and exploitable through a logic flaw. |
| Yearn | Dec. 2025 | Legacy iEarn TUSD vault | ~$0.3M | Legacy vault was drained while current Yearn vaults remained unaffected. |
| Transit Finance | May 2026 | Deprecated 2022-era TRON contract | ~$1.88M | Old contract surface stayed live after deprecation and became the attack path. |
| Huma Finance | May 2026 | Deprecated V1 BaseCreditPool contracts on Polygon | ~$0.101M | Retired architecture still held exploitable value outside the current system. |
| Renegade | May 2026 | Legacy V1 Arbitrum deployment | ~$0.209M | Migration and initializer issues exposed an old deployment. |
| Scallop | 2026 | Deprecated rewards-side contract | ~$0.14M | Core lending infrastructure stayed clean, but old rewards infrastructure was exploitable. |
| Raydium | 2026 | Legacy AMM V3 pools | ~$1.34M | Current UI/SDK and users were unaffected, but old pools remained callable on-chain. |
Why databases lose this
Most exploit classifications focus on how the attacker got in, what they manipulated, and which code failed, a mechanism-first lens that obscures zombie contract exploits, where the core failure is that the infrastructure was supposed to be retired.
Transit's deprecated TRON contract was an old protocol surface that nobody decommissioned. Scallop's deprecated rewards contract was an accounting flaw in infrastructure that the team had moved past. Huma's V1 BaseCreditPool was retired architecture still holding assets on a chain the protocol had migrated away from.
A 2025 SoK paper analyzing 50 severe real-world exploits from 2022 to 2025, totaling over $1 billion in losses, argued that high-impact incidents frequently involve exploit chains spanning human, operational, economic, lifecycle, and governance layers.
The authors proposed a four-tier root-cause framework that treats lifecycle and governance failures as a distinct category alongside implementation errors. Zombie contracts fit that framework: lifecycle failures that exploit databases are absorbed into implementation-bug counts, keeping the cumulative dollar figure buried inside unrelated categories.
The fork in the graveyard
If protocols continue to treat decommissioning as an afterthought, deprecating contracts in product documentation without draining, pausing, or monitoring them, attackers will keep scanning the graveyard.
Every major protocol's deployment history becomes a searchable attack surface. The $22.5 million current estimate is a floor, based on incidents that made it into public reporting with sufficient detail to classify.
Legacy vaults, forgotten approval surfaces, and old integrations that still hold assets but sit outside active user flows receive far less monitoring than live infrastructure, which is what attackers scan for.
If the category gets named and counted, if decommissioning checklists become standard practice alongside audits, the attack surface shrinks through maintenance.
Raydium's treasury absorbs the $1.3 million exploit, Transit's team promised compensation, and Huma covered its losses.
That makes DeFi contract decommissioning a security control rather than a documentation task.
| Decommissioning control | What it means | Why it matters |
|---|---|---|
| Drain idle assets | Remove funds from retired pools, vaults, and reward contracts. | Eliminates the financial incentive for attackers to scan abandoned infrastructure. |
| Pause callable functions | Disable swaps, withdrawals, reward claims, or admin functions where possible. | Turns “deprecated” into an actual security state rather than a product label. |
| Verify LP mints, approvals, and permissions | Review old mint checks, approvals, authorities, and account assumptions. | Prevents attackers from exploiting stale validation logic or forgotten permissions. |
| Monitor legacy deployments | Keep alerts active for old contracts, pools, and chain deployments. | Prevents abandoned infrastructure from becoming invisible to the team but visible to attackers. |
| Keep legacy code in bug-bounty scope | Include retired or deprecated infrastructure in security programs. | Gives white hats a reason to report issues before attackers exploit them. |
| Publish retirement status | Clearly identify whether old products are drained, paused, monitored, or unsupported. | Helps users, integrators, and analysts distinguish “not in the UI” from “not risky.” |
| Define treasury liability | State whether the protocol will compensate losses from retired infrastructure. | Makes clear whether old code remains an implicit claim on the protocol treasury. |
Deprecating a contract transfers the security liability to the treasury while leaving the attack surface intact. Retiring infrastructure without decommissioning it keeps it live, with the team's attention diverted and the attacker's incentive intact.
In addition to total value locked, DeFi protocols accumulate history, and history can be exploited.
