
Eight zombie contract exploits since March 2025, Raydium included, total roughly $10.8M; a broader tally reaches $22.5M. Raydium's $1.34M hack hit a phased-out program that once routed orders to Serum. The pattern: deprecated infrastructure stays callable, and attackers scan the graveyard.
The Raydium AMM V3 exploit that drained roughly $1.34 million last week hit a phased-out program. Five pools sat outside Raydium's current product path, unsupported by the UI or SDK, and inaccessible to ordinary users. The legacy program was built to place orders on the Serum order book. When Serum wound down, it lost its only function. The associated liquidity sat idle. The contracts stayed callable.
Raydium's current programs use a virtual supply mechanism for proportion checks and verify LP mint addresses alongside all other relevant account information. The legacy program skipped both checks. An attacker created a new mint, presented it as the LP token, and bypassed proportion controls. The haul: roughly 150,177 RAY, 5,603 SOL, and 893,700 USDC.
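The two checks named above, the LP mint address check and the program-tracked ("virtual") supply, as an added illustration in plain Rust with no Solana runtime or SPL crates. This is not Raydium's code. The struct layout, the field names, the `paused` flag (which models the "pause retired contracts" remedy the article raises later), and the assumption that the legacy path sized its payout by the supply of whichever mint account the caller passed are all assumptions made for the example; the article itself states only that a new mint was accepted as the LP token and that proportion controls were bypassed. The pool balances and the attacker's holdings are constructed inputs.

```rust
// Added illustration, not Raydium's code. Models an AMM withdraw instruction
// two ways: the legacy path trusts the mint account the caller passes, the
// checked path binds the mint to pool state and uses a program-tracked supply.
use std::convert::TryFrom;

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

/// Mint account as passed by the caller (the caller chooses which one).
#[derive(Debug)]
pub struct Mint { pub key: Pubkey, pub supply: u64 }

/// Token account holding LP tokens (or tokens of an attacker-created mint).
#[derive(Debug)]
pub struct TokenAccount { pub mint: Pubkey, pub amount: u64 }

/// Pool state. `lp_mint` and `lp_supply` are written by the program itself
/// at pool creation and on every deposit/withdraw, so a caller cannot swap them.
#[derive(Debug)]
pub struct Pool {
    pub lp_mint: Pubkey,
    pub lp_supply: u64,   // program-tracked ("virtual") LP supply (assumed field)
    pub reserve_a: u64,
    pub reserve_b: u64,
    pub paused: bool,     // decommissioning switch (assumed field)
}

#[derive(Debug, PartialEq, Eq)]
pub enum WithdrawError { Paused, WrongMint, InsufficientLp, Overflow }

/// Pro-rata share of `reserve` for burning `burn` LP tokens out of `supply`.
fn share(reserve: u64, burn: u64, supply: u64) -> Result<u64, WithdrawError> {
    if supply == 0 { return Err(WithdrawError::Overflow); }
    let out = (reserve as u128) * (burn as u128) / (supply as u128);
    u64::try_from(out).map_err(|_| WithdrawError::Overflow)
}

fn debit(reserve: &mut u64, out: u64) -> Result<(), WithdrawError> {
    *reserve = reserve.checked_sub(out).ok_or(WithdrawError::Overflow)?;
    Ok(())
}

/// Legacy path: the token program would reject a burn whose account and mint
/// disagree, but nothing ties the passed mint to the pool, and the proportion
/// is taken from that mint's supply, which an attacker-created mint controls.
pub fn withdraw_legacy(pool: &mut Pool, lp_mint: &mut Mint, user_lp: &mut TokenAccount,
                       burn: u64) -> Result<(u64, u64), WithdrawError> {
    if user_lp.mint != lp_mint.key { return Err(WithdrawError::WrongMint); }
    if user_lp.amount < burn { return Err(WithdrawError::InsufficientLp); }
    let out_a = share(pool.reserve_a, burn, lp_mint.supply)?;
    let out_b = share(pool.reserve_b, burn, lp_mint.supply)?;
    debit(&mut pool.reserve_a, out_a)?;
    debit(&mut pool.reserve_b, out_b)?;
    user_lp.amount -= burn;
    lp_mint.supply = lp_mint.supply.saturating_sub(burn);
    Ok((out_a, out_b))
}

/// Checked path: refuses a retired pool, requires the passed mint and the
/// user's token account to match the mint recorded in pool state, and sizes
/// the payout by the program-tracked supply rather than the mint account.
pub fn withdraw_checked(pool: &mut Pool, lp_mint: &mut Mint, user_lp: &mut TokenAccount,
                        burn: u64) -> Result<(u64, u64), WithdrawError> {
    if pool.paused { return Err(WithdrawError::Paused); }
    if lp_mint.key != pool.lp_mint || user_lp.mint != pool.lp_mint {
        return Err(WithdrawError::WrongMint);
    }
    if user_lp.amount < burn || pool.lp_supply < burn { return Err(WithdrawError::InsufficientLp); }
    let out_a = share(pool.reserve_a, burn, pool.lp_supply)?;
    let out_b = share(pool.reserve_b, burn, pool.lp_supply)?;
    debit(&mut pool.reserve_a, out_a)?;
    debit(&mut pool.reserve_b, out_b)?;
    user_lp.amount -= burn;
    pool.lp_supply -= burn;
    lp_mint.supply = lp_mint.supply.saturating_sub(burn);
    Ok((out_a, out_b))
}

fn key(b: u8) -> Pubkey { Pubkey([b; 32]) }

/// Constructed scenario: a pool with 1,000,000 real LP outstanding, and an
/// attacker who created a fresh mint with 1,000 tokens and holds all of them.
pub fn scenario() -> (Pool, Mint, Mint, TokenAccount) {
    let pool = Pool { lp_mint: key(1), lp_supply: 1_000_000, reserve_a: 500_000,
                      reserve_b: 250_000, paused: false };
    let real_mint = Mint { key: key(1), supply: 1_000_000 };
    let fake_mint = Mint { key: key(9), supply: 1_000 };
    let attacker_lp = TokenAccount { mint: key(9), amount: 1_000 };
    (pool, real_mint, fake_mint, attacker_lp)
}

/// The attacker burns all 1,000 fake tokens against each path.
pub fn run_attack() -> (Result<(u64, u64), WithdrawError>, Result<(u64, u64), WithdrawError>) {
    let (mut p1, _, mut fake1, mut att1) = scenario();
    let legacy = withdraw_legacy(&mut p1, &mut fake1, &mut att1, 1_000);
    let (mut p2, _, mut fake2, mut att2) = scenario();
    let checked = withdraw_checked(&mut p2, &mut fake2, &mut att2, 1_000);
    (legacy, checked)
}

/// A genuine LP holder redeeming 10% of the real supply on the checked path.
pub fn legit_withdraw(paused: bool) -> Result<(u64, u64), WithdrawError> {
    let (mut pool, mut real, _, _) = scenario();
    pool.paused = paused;
    let mut holder = TokenAccount { mint: pool.lp_mint, amount: 100_000 };
    withdraw_checked(&mut pool, &mut real, &mut holder, 100_000)
}

fn main() {
    let (legacy, checked) = run_attack();
    println!("legacy path, fake mint:  {:?}", legacy);   // drains both reserves
    println!("checked path, fake mint: {:?}", checked);  // Err(WrongMint)
    println!("checked path, real LP:   {:?}", legit_withdraw(false));
}
```

With 1,000 tokens of a mint it created itself, the attacker owns 100% of the "supply" the legacy path divides by, so the legacy call pays out the entire reserve; the checked path rejects the call before any arithmetic runs. The `paused` flag shows why a retired pool should be made uncallable rather than merely dropped from the UI: a pool that is flagged refuses even a correctly formed withdrawal.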
That makes the incident more than a single hack. Public exploit reports show at least eight clear cases since March 2025 in which deprecated, obsolete, or legacy DeFi contracts became the attack surface. The cumulative loss from those eight incidents, Raydium included, comes to roughly $10.8 million. Expand the definition to include older vault and product failures and the count rises to about ten incidents and roughly $22.5 million.
Exploit trackers normally classify incidents by technical mechanism: smart contract bugs, access control failures, oracle manipulation, private key compromise, bridge flaws. Zombie contracts – legacy infrastructure still callable on-chain after retirement – belong to a different axis. They are lifecycle failures that vanish inside broader labels.
1inch lost roughly $5 million in March 2025 when an obsolete Fusion v1 resolver contract implementation was exploited. Abracadabra lost $1.8 million in October through deprecated Cauldron V4 contracts that remained active and exploitable because of a logic flaw. Yearn's legacy iEarn TUSD vault was drained of roughly $300,000 in December, while Yearn's current v2 and v3 vaults were untouched.
Things escalated the following May. SlowMist reported Transit Finance losing $1.88 million through a deprecated 2022-era TRON contract. Huma Finance lost roughly $101,000 through deprecated V1 BaseCreditPool contracts on Polygon. Renegade lost approximately $209,000 through a legacy V1 Arbitrum deployment exposed by an unprotected initializer and a migration issue, with white-hat recovery reducing the net impact. Scallop lost roughly $140,000 through a deprecated rewards contract while its core lending infrastructure stayed clean.
Every protocol made the same claim: current users were safe, current programs were intact. Every protocol still paid out from the treasury. The old infrastructure had stayed callable long after it left the active product path.
A 2025 SoK paper analyzing 50 severe real-world exploits from 2022 to 2025, totaling over $1 billion in losses, argued that high-impact incidents frequently involve exploit chains spanning human, operational, economic, lifecycle, and governance layers. The authors proposed a four-tier root-cause framework that treats lifecycle and governance failures as a distinct category alongside implementation errors. Zombie contracts fit that framework as lifecycle failures; exploit databases, however, fold them into implementation-bug counts, so the cumulative dollar figure stays buried inside unrelated categories.
Legacy vaults, forgotten approval surfaces, and old integrations that still hold assets but sit outside active user flows receive far less monitoring than live infrastructure, and attackers know it. If protocols continue to treat decommissioning as an afterthought, deprecating contracts in product documentation without draining, pausing, or monitoring them, attackers will keep scanning the graveyard.
Raydium's treasury absorbs the $1.34 million exploit. Transit's team promised compensation. Huma covered its losses. Every major protocol's deployment history becomes a searchable attack surface. The current $22.5 million estimate is a floor, based only on incidents that reached public reporting with enough detail to classify.
Deprecating a contract transfers the security liability to the treasury while leaving the attack surface intact. Retiring infrastructure without decommissioning it keeps it live, with the team's attention diverted and the attacker's incentive intact. DeFi protocols accumulate history. History can be exploited.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.