Forgotten DeFi contracts cost $22.5M; Raydium loses $1.34M
Deprecated on-chain contracts were exploited in 2026, draining about $1.34M from Raydium’s legacy AMM V3 pools and contributing to roughly $22.5M lost across ten incidents.
Attackers exploited retired on-chain contracts that remained callable, extracting about $1.34 million from Raydium’s legacy AMM V3 pools in 2026. The affected pools were tied to a phased-out program that was no longer exposed through Raydium’s user interface or SDK but still held liquidity on-chain.
The Raydium exploit targeted a program originally designed to place orders on the Serum order book. After Serum was deprecated, the AMM program lost its intended function but continued to accept calls. The legacy code skipped the virtual supply and LP mint validation checks that Raydium’s current programs enforce. An attacker created a new token mint, presented it as the LP token, bypassed proportion and permission controls, and removed roughly 150,177 RAY, 5,603 SOL and 893,700 USDC from pools outside the active product path.
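The missing check described above, as an added example that is not Raydium's code or taken from the original article: a simplified pool model in Rust with a legacy-style withdrawal that trusts the caller-supplied mint beside a hardened one that validates it. The `Pool` and `MintAccount` types, the pro-rata payout formula, the use of a pool-tracked `lp_supply` as a stand-in for the supply check, and all values are assumptions constructed for illustration.

```rust
// Added example: simplified model, not Raydium's program and not Solana SDK types.
type Pubkey = [u8; 32];

#[derive(Debug, PartialEq)]
enum WithdrawError { WrongLpMint, SupplyMismatch, BadAmount }

struct Pool {
    lp_mint: Pubkey, // LP mint recorded at pool creation
    lp_supply: u64,  // LP supply tracked by the pool (assumed stand-in for the supply check)
    reserve_a: u64,
    reserve_b: u64,
}

// Caller-supplied token mint account (constructed type).
struct MintAccount { key: Pubkey, supply: u64 }

// Pro-rata payout for burning `burn` LP tokens out of `supply` (assumed formula).
fn share(pool: &Pool, supply: u64, burn: u64) -> Result<(u64, u64), WithdrawError> {
    if burn == 0 || burn > supply { return Err(WithdrawError::BadAmount); }
    let part = |r: u64| (r as u128 * burn as u128 / supply as u128) as u64;
    Ok((part(pool.reserve_a), part(pool.reserve_b)))
}

// Legacy-style path: trusts whichever mint account the caller passes in.
fn withdraw_legacy(pool: &Pool, mint: &MintAccount, burn: u64) -> Result<(u64, u64), WithdrawError> {
    share(pool, mint.supply, burn)
}

// Hardened path: the mint must be the pool's own, and its supply must match the pool's record.
fn withdraw_checked(pool: &Pool, mint: &MintAccount, burn: u64) -> Result<(u64, u64), WithdrawError> {
    if mint.key != pool.lp_mint { return Err(WithdrawError::WrongLpMint); }
    if mint.supply != pool.lp_supply { return Err(WithdrawError::SupplyMismatch); }
    share(pool, pool.lp_supply, burn)
}

// Constructed sample data.
fn sample_pool() -> Pool {
    Pool { lp_mint: [1; 32], lp_supply: 1_000, reserve_a: 50_000, reserve_b: 20_000 }
}

fn main() {
    let pool = sample_pool();
    let foreign = MintAccount { key: [9; 32], supply: 10 }; // not the pool's LP mint
    println!("legacy:  {:?}", withdraw_legacy(&pool, &foreign, 10));
    println!("checked: {:?}", withdraw_checked(&pool, &foreign, 10));
}
```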
Public exploit reports and security trackers identify a pattern of similar incidents dating back to March 2025. At least eight clear mechanism-focused cases accounted for about $10.8 million in losses; expanding the definition to include broader legacy-vault and retired-product failures raises the total to about ten incidents and roughly $22.5 million. Notable incidents include a roughly $5 million loss at 1inch in March 2025 linked to an obsolete resolver, Abracadabra’s $1.8 million drain in October 2025 through deprecated Cauldron V4 contracts, Yearn’s December 2025 iEarn TUSD vault loss of about $300,000 while v2 and v3 vaults remained unaffected, Transit Finance’s $1.88 million loss in May 2026 via a deprecated TRON contract, and several mid-2026 incidents on Polygon and Arbitrum involving retired deployments and migration errors.
Protocol teams reported that active users and current deployments were not directly affected in each case, and affected protocols covered losses from treasuries or provided compensation. Security researchers and analysts observe that exploit databases and classification systems often record the technical mechanism, such as access control failures or logic bugs, while not separately tracking the lifecycle state of contracts that were retired from product documentation but left live on-chain. A 2025 survey of major real-world exploits recommended treating lifecycle and governance failures as a distinct root-cause category alongside implementation errors.
Security practitioners recommend operational measures to reduce the risk posed by legacy contracts: remove funds from retired pools and vaults; pause or disable callable functions where feasible; verify old mint, approval and permission checks; maintain monitoring and alerts for legacy deployments; include deprecated code in bug-bounty scopes; publish clear retirement status for products; and state whether the protocol treasury will assume liability for losses from retired infrastructure.
The current $22.5 million figure represents incidents with sufficient public reporting to classify. Observers note that additional legacy failures may not have been publicly disclosed or detailed enough to include in the tally.