The Raydium AMM V3 exploit drained roughly $1.34 million from a phased-out program tied to five pools outside the current product path, unsupported by Raydium's UI or SDK, and inaccessible to current users.
The exploit hit legacy DeFi contracts and infrastructure that nobody treated as a live attack surface, exposing a lifecycle-management failure that extends well beyond one Solana decentralized exchange.
The category nobody is counting
Public exploit reports show at least eight clear cases since March 2025 in which deprecated, obsolete, or legacy DeFi contracts became the attack surface, totaling roughly $10.8 million in losses.
Extending the definition to include broader legacy-vault and legacy-product failures lifts the count to about ten incidents and $22.5 million, including Raydium.
Exploit trackers classify incidents by technical mechanism: smart contract bugs, access control failures, oracle manipulation, private key compromise, bridge flaws.
Zombie contracts, meaning legacy DeFi contracts still callable after retirement, belong to a different axis entirely: a lifecycle state that consistently vanishes inside those broader exploit labels.
| Exploit label databases usually use | What it captures | What it misses |
|---|---|---|
| Smart contract bug | The code flaw that let funds move | Whether the contract was deprecated, obsolete, or outside the active product |
| Access control failure | Missing or broken permission checks | Whether the affected deployment should still have been callable at all |
| Business logic flaw | Broken assumptions inside protocol logic | Whether the logic belonged to old infrastructure no longer supported by the UI/SDK |
| Oracle/accounting issue | Incorrect pricing, balances, or shares | Whether the vault or pool was a legacy product |
| Zombie-contract / lifecycle risk | Deprecated infrastructure still live on-chain | The missing category: contracts that were "retired" in product terms but never decommissioned technically |
Raydium's AMM V3 pools were deprecated after Serum's own deprecation rendered them inert. The legacy program was built to place orders on the Serum order book, and once Serum wound down it lost its only function and left the associated liquidity idle.
Raydium's current programs use a virtual supply mechanism for proportion checks and verify LP mint addresses along with all other related account information.
The legacy program skipped both checks, letting an attacker create a new mint, present it as the pool's LP token, and bypass the proportion controls entirely.
Roughly 150,177 RAY, 5,603 SOL, and 893,700 USDC were sitting in pools outside the current product but still callable on-chain.
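A minimal model of the two checks just described, as an added example that is not Raydium's code: a withdraw handler that trusts whatever mint the caller passes, beside one that pins the LP mint to the pool state and sizes the payout against the pool's own tracked ("virtual") LP supply. The pool layout, the account types, the keys and the balances are hypothetical; the reserves are only shaped like the idle SOL and USDC the article cites.

```rust
// Added example, not Raydium's code. Models the two checks the article
// describes: LP mint identity pinned to pool state, and a share
// calculation whose denominator is the pool's own tracked supply rather
// than the supply of a caller-supplied mint. Names and numbers are hypothetical.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

/// Mint account as the caller presents it (constructed for the example).
pub struct MintAccount {
    pub key: Pubkey,
    pub supply: u64,
}

/// Pool state. `lp_supply` is the pool's own record of outstanding LP
/// tokens, updated on every deposit and withdraw, so a foreign mint
/// cannot change the denominator of the share calculation.
pub struct Pool {
    pub lp_mint: Pubkey,
    pub lp_supply: u64,
    pub reserve_a: u64,
    pub reserve_b: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum WithdrawError {
    WrongLpMint,
    ZeroSupply,
    InsufficientShares,
}

/// reserve * shares / supply with a u128 intermediate to avoid overflow.
fn pro_rata(reserve: u64, shares: u64, supply: u64) -> u64 {
    (reserve as u128 * shares as u128 / supply as u128) as u64
}

/// Legacy-style handler: identity and supply both come from the
/// caller-supplied mint. An attacker who creates a fresh mint with
/// 1,000 supply and burns all 1,000 here claims 100% of both reserves.
pub fn withdraw_legacy(pool: &Pool, mint: &MintAccount, lp_amount: u64) -> Result<(u64, u64), WithdrawError> {
    if mint.supply == 0 {
        return Err(WithdrawError::ZeroSupply);
    }
    if lp_amount > mint.supply {
        return Err(WithdrawError::InsufficientShares);
    }
    Ok((
        pro_rata(pool.reserve_a, lp_amount, mint.supply),
        pro_rata(pool.reserve_b, lp_amount, mint.supply),
    ))
}

/// Hardened handler: the mint must be the one recorded in pool state,
/// and the share is computed against the pool's tracked supply.
pub fn withdraw_checked(pool: &Pool, mint: &MintAccount, lp_amount: u64) -> Result<(u64, u64), WithdrawError> {
    if mint.key != pool.lp_mint {
        return Err(WithdrawError::WrongLpMint);
    }
    if pool.lp_supply == 0 {
        return Err(WithdrawError::ZeroSupply);
    }
    if lp_amount > pool.lp_supply {
        return Err(WithdrawError::InsufficientShares);
    }
    Ok((
        pro_rata(pool.reserve_a, lp_amount, pool.lp_supply),
        pro_rata(pool.reserve_b, lp_amount, pool.lp_supply),
    ))
}

/// Constructed pool: 5,603 SOL in lamports and 893,700 USDC in base
/// units, with a hypothetical LP supply and mint key.
pub fn sample_pool() -> Pool {
    Pool {
        lp_mint: Pubkey([1u8; 32]),
        lp_supply: 1_000_000_000,
        reserve_a: 5_603_000_000_000,
        reserve_b: 893_700_000_000,
    }
}

fn main() {
    let pool = sample_pool();
    // Attacker's freshly created mint: 1,000 supply, all of it in the attacker's hands.
    let fake = MintAccount { key: Pubkey([9u8; 32]), supply: 1_000 };
    println!("legacy:  {:?}", withdraw_legacy(&pool, &fake, 1_000));
    println!("checked: {:?}", withdraw_checked(&pool, &fake, 1_000));
}
```

The identity check alone is what stops the attack in this model; the tracked supply matters for the second failure mode the article names, where proportion controls keyed to a mint's reported supply can be gamed even when the mint is the right one.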
One pattern across eight incidents
In March 2025, 1inch lost roughly $5 million when an obsolete Fusion v1 resolver contract implementation was exploited.
In October 2025, Abracadabra lost $1.8 million to deprecated Cauldron V4 contracts that remained active and exploitable through a logic flaw. In December 2025, Yearn's legacy iEarn TUSD vault was drained of roughly $300,000, while Yearn's current v2 and v3 vaults remained clean.
Things escalated in May 2026: SlowMist reported Transit Finance losing $1.88 million through a deprecated 2022-era TRON contract, and Huma Finance lost roughly $101,000 through deprecated V1 BaseCreditPool contracts on Polygon.
Renegade lost roughly $209,000 through a legacy V1 Arbitrum deployment exposed by an unprotected initializer and a migration issue, with white-hat recovery reducing the net impact.
Scallop lost roughly $140,000 through a deprecated rewards contract, leaving the core lending infrastructure clean.
Every protocol made the same claim, that current users were safe and current programs intact, and every protocol still paid out from the treasury, because the old infrastructure had stayed callable long after it left the active product path.
| Protocol | Date | Legacy surface exploited | Approx. loss | Why it fits the pattern |
|---|---|---|---|---|
| 1inch | Mar. 2025 | Obsolete Fusion v1 resolver implementation | ~$5.0M | Old resolver logic remained connected enough to exploit after the protocol had moved on. |
| Abracadabra | Oct. 2025 | Deprecated Cauldron V4 contracts | ~$1.8M | Deprecated contracts remained active and exploitable through a logic flaw. |
| Yearn | Dec. 2025 | Legacy iEarn TUSD vault | ~$0.3M | Legacy vault was drained while current Yearn vaults remained unaffected. |
| Transit Finance | May 2026 | Deprecated 2022-era TRON contract | ~$1.88M | Old contract surface stayed live after deprecation and became the attack path. |
| Huma Finance | May 2026 | Deprecated V1 BaseCreditPool contracts on Polygon | ~$0.101M | Retired architecture still held exploitable value outside the current system. |
| Renegade | May 2026 | Legacy V1 Arbitrum deployment | ~$0.209M | Migration and initializer issues exposed an old deployment. |
| Scallop | 2026 | Deprecated rewards-side contract | ~$0.14M | Core lending infrastructure stayed clean, but old rewards infrastructure was exploitable. |
| Raydium | 2026 | Legacy AMM V3 pools | ~$1.34M | Current UI/SDK and users were unaffected, but old pools remained callable on-chain. |
Why databases lose this
Most exploit classifications focus on how the attacker got in, what they manipulated, and which code failed. That mechanism-first lens obscures zombie contract exploits, where the core failure is that the infrastructure was supposed to be retired.
Transit's deprecated TRON contract was an old protocol surface that nobody decommissioned. Scallop's deprecated rewards contract was an accounting flaw in infrastructure the team had moved past. Huma's V1 BaseCreditPool was retired architecture still holding assets on a chain the protocol had migrated away from.
A 2025 SoK paper analyzing 50 severe real-world exploits from 2022 to 2025, totaling over $1 billion in losses, argued that high-impact incidents frequently involve exploit chains spanning human, operational, economic, lifecycle, and governance layers.
The authors proposed a four-tier root-cause framework that treats lifecycle and governance failures as a distinct category alongside implementation errors. Zombie contracts fit that framework: they are lifecycle failures that exploit databases absorb into implementation-bug counts, keeping the cumulative dollar figure buried inside unrelated categories.
The fork in the graveyard
If protocols continue to treat decommissioning as an afterthought, deprecating contracts in product documentation without draining, pausing, or monitoring them, attackers will keep scanning the graveyard.
Every major protocol's deployment history becomes a searchable attack surface. The current $22.5 million estimate is a floor, based only on incidents that made it into public reporting with enough detail to classify.
Legacy vaults, forgotten approval surfaces, and old integrations that still hold assets but sit outside active user flows receive far less monitoring than live infrastructure, which is exactly what attackers look for.
If the category gets named and counted, and if decommissioning checklists become standard practice alongside audits, the attack surface shrinks through routine maintenance.
Raydium's treasury absorbed the $1.34 million exploit, Transit's team promised compensation, and Huma covered its losses.
That makes DeFi contract decommissioning a security control rather than a documentation task.
| Decommissioning control | What it means | Why it matters |
|---|---|---|
| Drain idle assets | Remove funds from retired pools, vaults, and reward contracts. | Eliminates the financial incentive for attackers to scan abandoned infrastructure. |
| Pause callable functions | Disable swaps, withdrawals, reward claims, or admin functions where possible. | Turns "deprecated" into an actual on-chain security state rather than a product label. |
| Verify LP mints, approvals, and permissions | Review old mint checks, approvals, authorities, and account assumptions. | Prevents attackers from exploiting stale validation logic or forgotten permissions. |
| Monitor legacy deployments | Keep alerts active for old contracts, pools, and chain deployments. | Prevents abandoned infrastructure from becoming invisible to the team but visible to attackers. |
| Keep legacy code in bug-bounty scope | Include retired or deprecated infrastructure in security programs. | Gives white hats a reason to report issues before attackers exploit them. |
| Publish retirement status | State clearly whether old products are drained, paused, monitored, or unsupported. | Helps users, integrators, and analysts distinguish "not in the UI" from "not risky." |
| Define treasury liability | State whether the protocol will compensate losses from retired infrastructure. | Makes clear whether old code remains an implicit claim on the protocol treasury. |
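The first two controls in the table, pausing and draining, as an added example that is not any protocol's code: a lifecycle state carried on the pool itself, an instruction gate that honours only the paused and drained states (a "deprecated" label changes nothing at the instruction boundary), a retirement routine that pauses before an authority-only drain, and a small inventory function that sums what remains reachable. The pool names, the authority key and the balances are constructed for the example.

```rust
// Added example, not any protocol's code. Models "deprecated" as an
// on-chain lifecycle state: only Paused or Drained stops user-facing
// instructions, and retirement (pause, then authority-only drain) is what
// removes a pool from the exposed set. Names and balances are hypothetical.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Lifecycle {
    Active,
    Deprecated, // removed from UI/SDK, still fully callable: the zombie state
    Paused,     // user instructions rejected on-chain
    Drained,    // paused and holding nothing
}

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Instruction {
    Swap,
    Withdraw,
    ClaimRewards,
    AdminDrain,
}

#[derive(Debug, PartialEq, Eq)]
pub enum GateError {
    NotCallable,
    NotAuthority,
    NothingToDrain,
}

pub struct LegacyPool {
    pub name: &'static str,
    pub state: Lifecycle,
    pub authority: [u8; 32],
    pub balance: u64, // idle assets, in an arbitrary base unit
}

/// Instruction gate. Returns the amount moved out of the pool: 0 for
/// ordinary instructions in this model, the full balance for a drain.
pub fn dispatch(pool: &mut LegacyPool, ix: Instruction, signer: [u8; 32]) -> Result<u64, GateError> {
    match (pool.state, ix) {
        // Deprecated is indistinguishable from Active here: nothing in the
        // program reads the product label, so the pool stays callable.
        (Lifecycle::Active | Lifecycle::Deprecated,
         Instruction::Swap | Instruction::Withdraw | Instruction::ClaimRewards) => Ok(0),
        (_, Instruction::AdminDrain) => {
            if signer != pool.authority {
                return Err(GateError::NotAuthority);
            }
            if pool.balance == 0 {
                return Err(GateError::NothingToDrain);
            }
            let moved = pool.balance;
            pool.balance = 0;
            pool.state = Lifecycle::Drained;
            Ok(moved)
        }
        (Lifecycle::Paused | Lifecycle::Drained, _) => Err(GateError::NotCallable),
    }
}

/// Retirement as a control: pause first so no user instruction can race
/// the drain, then move the idle assets out under the authority key.
pub fn retire(pool: &mut LegacyPool, authority: [u8; 32]) -> Result<u64, GateError> {
    if authority != pool.authority {
        return Err(GateError::NotAuthority);
    }
    pool.state = Lifecycle::Paused;
    dispatch(pool, Instruction::AdminDrain, authority)
}

/// Value still reachable through deprecated-but-callable pools, which is
/// the figure the article argues nobody is counting.
pub fn zombie_exposure(pools: &[LegacyPool]) -> u64 {
    pools
        .iter()
        .filter(|p| p.state == Lifecycle::Deprecated)
        .map(|p| p.balance)
        .sum()
}

/// Constructed inventory: two zombies, one properly paused vault, one live pool.
pub fn sample_inventory() -> Vec<LegacyPool> {
    let authority = [7u8; 32];
    vec![
        LegacyPool { name: "amm-v3-pool-a", state: Lifecycle::Deprecated, authority, balance: 1_340_000 },
        LegacyPool { name: "rewards-v1", state: Lifecycle::Deprecated, authority, balance: 140_000 },
        LegacyPool { name: "vault-v1", state: Lifecycle::Paused, authority, balance: 300_000 },
        LegacyPool { name: "amm-v4-pool", state: Lifecycle::Active, authority, balance: 50_000_000 },
    ]
}

fn main() {
    let mut pools = sample_inventory();
    let authority = [7u8; 32];
    println!("zombie exposure before: {}", zombie_exposure(&pools));
    let moved = retire(&mut pools[0], authority).unwrap();
    println!("drained {} from {}", moved, pools[0].name);
    println!("zombie exposure after: {}", zombie_exposure(&pools));
}
```

The point of the gate is the first match arm: a pool the team calls deprecated answers a withdraw exactly as a live one does, which is the state every incident in the table was in. Monitoring and bounty scope, the remaining controls in the table, operate on the same inventory but are off-chain processes and are not modelled here.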
Deprecating a contract transfers the security liability to the treasury while leaving the attack surface intact. Retiring infrastructure without decommissioning it keeps it live, with the team's attention diverted and the attacker's incentive unchanged.
In addition to total value locked, DeFi protocols accumulate history, and history can be exploited.