De-fi
The next DeFi drain could come from legacy contracts everyone forgot – Crypto News
The Raydium AMM V3 exploit drained roughly $1.34 million from a phased-out program tied to five pools outside the current product path, unsupported by Raydium’s UI or SDK, and inaccessible to current users.
The exploit hit legacy DeFi contracts and infrastructure that nobody treated as a live attack surface, exposing a lifecycle-management failure that extends well beyond one Solana decentralized exchange.
The category nobody is counting
Public exploit reports have found at least eight clear cases since March 2025 in which deprecated, obsolete, or legacy DeFi contracts became the attack surface, totaling roughly $10.8 million in losses.
Extending the definition to include broader legacy-vault and legacy-product failures lifts the count to about ten incidents and $22.5 million, including Raydium.
Exploit trackers classify incidents by technical mechanisms, such as smart contract bugs, access control failures, oracle manipulations, private key compromises, and bridge flaws.
Zombie contracts, or legacy DeFi contracts still callable after retirement, belong to a different axis entirely: a lifecycle state that consistently vanishes inside broader exploit labels.
| Exploit label databases usually use | What it captures | What it misses |
|---|---|---|
| Smart contract bug | The code flaw that let funds move | Whether the contract was deprecated, obsolete, or outside the active product |
| Access control failure | Missing or broken permission checks | Whether the affected deployment should still have been callable |
| Business logic flaw | Broken assumptions inside protocol logic | Whether the logic belonged to old infrastructure no longer supported by the UI/SDK |
| Oracle/accounting issue | Incorrect pricing, balances, or shares | Whether the vault or pool was a legacy product |
| Zombie-contract / lifecycle risk | Deprecated infrastructure still live on-chain | The missing category: contracts that were “retired” in product terms but not decommissioned technically |
Raydium’s AMM V3 pools were deprecated after Serum’s own deprecation rendered them inert. The legacy program was built to place orders on the Serum order book, and once Serum wound down, it lost its only function and left associated liquidity idle.
Raydium’s current programs use a virtual supply mechanism for proportion checks and verify LP mint addresses along with all other relevant account information.
The legacy program skipped both checks, letting an attacker create a new mint, present it as the LP token, and bypass proportion controls entirely.
Roughly 150,177 RAY, 5,603 SOL, and 893,700 USDC had been sitting in pools outside the current product but stayed callable on-chain.
One pattern for eight incidents
In March 2025, 1inch lost roughly $5 million when an obsolete Fusion v1 resolver contract implementation was exploited.
In October 2025, Abracadabra lost $1.8 million due to deprecated Cauldron V4 contracts that remained active and exploitable because of a logic flaw. In December 2025, Yearn’s legacy iEarn TUSD vault was drained of roughly $300,000, while Yearn’s current v2 and v3 vaults remained clean.
Things escalated in May: SlowMist reported Transit Finance losing $1.88 million through a deprecated 2022-era TRON contract, and Huma Finance lost roughly $101,000 through deprecated V1 BaseCreditPool contracts on Polygon.
Renegade lost approximately $209,000 due to a legacy V1 Arbitrum deployment exposed by an unprotected initializer and a migration issue, with white-hat recovery reducing the net impact.
Scallop lost roughly $140,000 due to a deprecated rewards contract, leaving the core lending infrastructure clean.
Every protocol made the same claim that current users were safe and current programs intact, and every protocol still paid out from the treasury, because the old infrastructure had stayed callable long after it left the active product path.
| Protocol | Date | Legacy surface exploited | Approx. loss | Why it fits the pattern |
|---|---|---|---|---|
| 1inch | Mar. 2025 | Obsolete Fusion v1 resolver implementation | ~$5.0M | Old resolver logic remained relevant enough to exploit after the protocol had moved on. |
| Abracadabra | Oct. 2025 | Deprecated Cauldron V4 contracts | ~$1.8M | Deprecated contracts remained active and exploitable through a logic flaw. |
| Yearn | Dec. 2025 | Legacy iEarn TUSD vault | ~$0.3M | Legacy vault was drained while current Yearn vaults remained unaffected. |
| Transit Finance | May 2026 | Deprecated 2022-era TRON contract | ~$1.88M | Old contract surface stayed live after deprecation and became the attack path. |
| Huma Finance | May 2026 | Deprecated V1 BaseCreditPool contracts on Polygon | ~$0.101M | Retired architecture still held exploitable value outside the current system. |
| Renegade | May 2026 | Legacy V1 Arbitrum deployment | ~$0.209M | Migration and initializer issues exposed an old deployment. |
| Scallop | 2026 | Deprecated rewards-side contract | ~$0.14M | Core lending infrastructure stayed clean, but old rewards infrastructure was exploitable. |
| Raydium | 2026 | Legacy AMM V3 pools | ~$1.34M | Current UI/SDK and users were unaffected, but old pools remained callable on-chain. |
Why databases lose this
Most exploit classifications focus on how the attacker got in, what they manipulated, and which code failed, a mechanism-first lens that obscures zombie contract exploits, where the core failure is that the infrastructure was supposed to be retired.
Transit’s deprecated TRON contract was an old protocol surface that nobody decommissioned. Scallop’s deprecated rewards contract was an accounting flaw in infrastructure that the team had moved past. Huma’s V1 BaseCreditPool was retired architecture still holding assets on a chain the protocol had migrated away from.
A 2025 SoK paper analyzing 50 severe real-world exploits from 2022 to 2025, totaling over $1 billion in losses, argued that high-impact incidents frequently involve exploit chains spanning human, operational, economic, lifecycle, and governance layers.
The authors proposed a four-tier root-cause framework that treats lifecycle and governance failures as a distinct category alongside implementation errors. Zombie contracts fit that framework: lifecycle failures that exploit databases are absorbed into implementation-bug counts, keeping the cumulative dollar figure buried inside unrelated categories.
The fork in the graveyard
If protocols continue to treat decommissioning as an afterthought, deprecating contracts in product documentation without draining, pausing, or monitoring them, attackers will keep scanning the graveyard.
Every major protocol’s deployment history becomes a searchable attack surface. The $22.5 million current estimate is a floor, based on incidents that made it into public reporting with sufficient detail to classify.
Legacy vaults, forgotten approval surfaces, and old integrations that still hold assets but sit outside active user flows receive far less monitoring than live infrastructure, which is what attackers scan for.
If the category gets named and counted, if decommissioning checklists become standard practice alongside audits, the attack surface shrinks through maintenance.
Raydium’s treasury absorbs the $1.3 million exploit, Transit’s team promised compensation, and Huma covered its losses.
That makes DeFi contract decommissioning a security control rather than a documentation task.
| Decommissioning control | What it means | Why it matters |
|---|---|---|
| Drain idle assets | Remove funds from retired pools, vaults, and reward contracts. | Eliminates the financial incentive for attackers to scan abandoned infrastructure. |
| Pause callable functions | Disable swaps, withdrawals, reward claims, or admin functions where possible. | Turns “deprecated” into an actual security state rather than a product label. |
| Verify LP mints, approvals, and permissions | Review old mint checks, approvals, authorities, and account assumptions. | Prevents attackers from exploiting stale validation logic or forgotten permissions. |
| Monitor legacy deployments | Keep alerts active for old contracts, pools, and chain deployments. | Prevents abandoned infrastructure from becoming invisible to the team but visible to attackers. |
| Keep legacy code in bug-bounty scope | Include retired or deprecated infrastructure in security programs. | Gives white hats a reason to report issues before attackers exploit them. |
| Publish retirement status | Clearly identify whether old products are drained, paused, monitored, or unsupported. | Helps users, integrators, and analysts distinguish “not in the UI” from “not risky.” |
| Define treasury liability | State whether the protocol will compensate losses from retired infrastructure. | Makes clear whether old code remains an implicit claim on the protocol treasury. |
Deprecating a contract transfers the security liability to the treasury while leaving the attack surface intact. Retiring infrastructure without decommissioning it keeps it live, with the team’s attention diverted and the attacker’s incentive intact.
In addition to total value locked, DeFi protocols accumulate history, and history can be exploited.
-
Technology1 week ago
Zcash Foundation Releases Upgrade to Fix Orchard Bug as ZEC Rallies – Crypto News
-
Blockchain1 week agoIsrael’s Tax Authority ‘Disappointed’ in Voluntary Crypto Disclosures: Report – Crypto News
-
others1 week ago
Polymarket Faces South Korea Police Probe Over Illegal Gambling Allegations – Crypto News
-
Technology1 week ago
Breaking: Michael Saylor Calls for Unity Among Bitcoin’s Competing Ideologies – Crypto News
-
Blockchain1 week agoSaylor Says Bitcoin Slide Is Capital Rotation as Strategy Loss Grows – Crypto News
-
Technology1 week agoIndia to use AI for machine-readable standards: Consumer Affairs Secretary – Crypto News
-
Business1 week ago
Will Crypto Market Crash Deeper? Here’s What Bitcoin, ETH, XRP, & SOL Options Data Signals – Crypto News
-
De-fi7 days agoDragonfly GP Tom Schmidt Calls Nova Markets Startup ‘Huge Scammers,’ Slams VCs – Crypto News
-
others1 week agoGoldman Sachs Specialist Outlines Equity Sector He’s Excited About Amid Historic Tech Stock Boom – Crypto News
-
Blockchain1 week agoEthereum’s Multi-Year Support Test Could Shape Its Next Big Move – Crypto News
-
Blockchain1 week agoEthereum Price Plunges Under $1,800, Leaving Bulls On The Ropes – Crypto News
-
Business1 week ago
Will Crypto Market Crash Deeper? Here’s What Bitcoin, ETH, XRP, & SOL Options Data Signals – Crypto News
-
Cryptocurrency1 week agoA stablecoin tied to Strategy stock depegs putting a new DeFi dollar risk in focus as Bitcoin sells off – Crypto News
-
Blockchain5 days agoDogecoin (DOGE) Stages A Recovery Attempt After A Brutal Selloff – Crypto News
-
others1 week ago
Breaking: Grayscale Amends BNB ETF Filing to Reveal Key Details – Crypto News
-
Business1 week ago
BREAKING: Treasury Secretary Vows To Advance Strategic Bitcoin Reserve – Crypto News
-
Cryptocurrency1 week agoBitcoin traders blamed Saylor’s 32 BTC sale but larger selling pressure built elsewhere – Crypto News
-
Blockchain1 week agoPundit Says Dogecoin Is About To Do Something Insane, Here’s What – Crypto News
-
Cryptocurrency1 week ago
Bitget Expands Unified Trading Account with Tokenized Stocks as Margin Assets – Crypto News
-
Blockchain1 week agoKraken Opens SpaceX IPO Access Through xStocks Platform – Crypto News
-
Blockchain5 days ago
Dogecoin (DOGE) Stages A Recovery Attempt After A Brutal Selloff – Crypto News
-
Technology5 days ago
Breaking: XRP Ledger (XRPL) 3.2.0 Upgrade for Core Server Overhaul Set for June 15 – Crypto News
-
Business5 days ago
JPMorgan Says Crypto Market H2 Cycle Hinges On Strategy’s Bitcoin Play & CLARITY Act – Crypto News
-
Technology1 week agoIndia spending big on AI, but lacks talent to deploy it, says SBI chairman – Crypto News
-
Blockchain1 week ago
Ethereum’s Multi-Year Support Test Could Shape Its Next Big Move – Crypto News
-
De-fi1 week agoPENDLE Token Goes Live on Revolut, Reaching 20M EEA Crypto Traders – Crypto News
-
Technology1 week ago
CLARITY Act: Senator Lummis Shares First Hint On Senate Floor Vote Timing – Crypto News
-
Cryptocurrency1 week agoWhy Bitcoin price could fall below $62,000 despite oversold conditions – Crypto News
-
De-fi1 week agoBitcoin’s $63k slide shows ETF demand fighting AI equities for dollar liquidity – Crypto News
-
others1 week ago
3 Ways to Think About SpaceX Before Its IPO – Crypto News
-
Business1 week ago
Grayscale Reveals Why Michael Saylor’s Strategy May Sell More Bitcoin – Crypto News
-
Blockchain1 week agoOCC Head Says he only Feels ‘Political Pressure’ from Democrats over Crypto Trust Charter – Crypto News
-
Cryptocurrency1 week agoAI Is Already Developing AI, Says Anthropic—And Humans May Be Slowing Things Down – Crypto News
-
Technology1 week ago
JPMorgan Sees CLARITY Act At Risk As Election Clock Ticks – Crypto News
-
Blockchain1 week agoAI Could Soon Train and Improve Itself Anthropic Says – Crypto News
-
Cryptocurrency1 week agoBitcoin crashed and flushed leverage out, but is the bottom here yet? – Crypto News
-
Technology1 week ago
Breaking: Ripple Affiliate SBI Launches Solana Trading & Custody Services – Crypto News
-
others1 week ago
Breaking: Grayscale Files For Canton Coin ETF After Hyperliquid ETF Success – Crypto News
-
Blockchain1 week ago
Strategy’s Leveraged Bitcoin Model Under Strain: Researchers – Crypto News
-
Business1 week ago
BNP Paribas Predicts Three Fed Rate Hikes Amid Strong U.S. Jobs Report – Crypto News
-
Blockchain1 week agoStrategy And Bitmine Record Losses Above $10 Billion – Crypto News
-
Technology1 week agoChina can build humanoids at scale. The hard part is finding enough buyers – Crypto News
-
De-fi1 week agoAmir Haleem Steps Down as CEO of Nova Labs as HNT Falls 99% From Peak – Crypto News
-
others1 week ago
Galaxy Digital Lowers CLARITY Act Passage Odds To 60% Amid Tight Senate Calendar – Crypto News
-
Blockchain1 week agoAnalyst Who Predicted the Bitcoin Crash Says Price Could Reach $40,000, Here’s When – Crypto News
-
Cryptocurrency1 week agoArbitrum breaks support – Is the recent ARB whale activity a lifeline or a trap? – Crypto News
-
Technology7 days ago
One Tech Tip: What to know about flying with lithium ion portable battery chargers – Crypto News
-
others6 days agoFood Giants Tyson and Cargill Paying $87,500,000 To Customers, Settling Accusations of Collusion and Price Fixing – Crypto News
-
Technology6 days ago
Strategy Faces Insider Selling Jitters With $15M MSTR Stock Sale But There’s A Catch – Crypto News
-
Technology5 days agoApple finds business users as inevitable iPhone India growth slowdown looms. – Crypto News