Author: ZeroDrift
Key Points
- DxSale was the most severe case, with attackers stealing approximately $7.3 million.
- The issue is not a single vulnerability, but the incomplete decommissioning of old contracts, which still retain economic value and operational permissions.
According to an analysis released by ZeroDrift on June 22, 2026, attackers stole approximately $16.9 million from five deprecated but still active smart contracts over the past 40 days.
An 'abandoned contract' is not equivalent to an 'inactive contract'. Many contracts, although no longer actively developed or maintained by their teams, remain deployed on-chain and can receive funds, execute transactions, or move assets. As long as they hold funds, authorizations, or callable entry points, they remain viable targets for attack.
These incidents occurred between May 7 and June 15, 2026. TrustedVolumes lost approximately $5.87 million, Huma Finance V1 pool lost around $101,000, DxSale V1 Locker lost about $7.3 million, Raydium Legacy AMM pool lost roughly $1.34 million, and Aztec Connect lost approximately $2.28 million in two consecutive attacks.
Chart: Cumulative losses from five abandoned contract-related incidents over 40 days. Source: ZeroDrift / X.

Contracts No One Watches May Still Hold Funds
The DxSale case is particularly illustrative. Its old locker contract was originally designed for long-term liquidity locking, ensuring funds couldn't be withdrawn before a set date. However, the risk of such systems stems precisely from their intended purpose: they are meant to hold value over the long term.
Over time, as teams shift focus to new products, monitoring weakens, personnel changes, and old permission paths and historical assumptions are gradually forgotten. ZeroDrift points out that in the DxSale incident, an old control pathway became viable again, leading to the withdrawal of liquidity that should have been locked.
The five incidents are not repetitions of the same exploit. They occurred in different systems, with different architectures and across different blockchains, involving components such as RFQ settlement, credit pools, LP lockers, AMMs, and rollup exits.
What they truly share is the underlying state: these contracts are no longer the active development focus of their teams yet still retain economic value on-chain.
Automated Analysis Is Amplifying Old Contract Risks
Old contracts are naturally suited for discovery by automated tools: their code is public, their on-chain history is complete, monitoring is weaker, and they often retain outdated security assumptions. In the past, systematically searching for these long-tail targets required significant manual effort; now, code similarity searches, transaction simulation, on-chain data analysis, and AI-assisted review are lowering the cost of such searches.
ZeroDrift also emphasizes that there is currently no public evidence that AI was involved in these five specific attacks. What truly warrants attention is the shift in cost structure: it is becoming increasingly easier for attackers to systematically scan 'yesterday's products,' while defenders have not yet systematized the management of 'yesterday's responsibilities' to the same degree.
The DeFi security industry has developed relatively mature audit processes for contract launches, but contract retirement, migration, and decommissioning still lack equally strict discipline. A contract does not automatically become secure simply because a team stops maintaining it. It is only truly retired when its funds, permissions, authorizations, entry points, and trust assumptions have all been removed.
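To make the retirement criteria above concrete, here is an added example of a liquidity locker with an explicit, one-way decommissioning path. This is illustrative code written for this article, not DxSale's locker or any of the five projects' code; the contract and function names (RetirableLocker, retire, isFullyRetired) and the single-admin role model are assumptions of the example. The point it demonstrates is that "retired" is a state the contract itself can enforce: no user funds left, no privileged role left, no open entry point, and a view function that lets an off-chain inventory verify all three.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC-20 surface the locker needs.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical liquidity locker with an explicit, irreversible retirement path.
/// Example code for this article; names and the single-admin model are assumptions.
contract RetirableLocker {
    struct Lock { address owner; uint256 amount; uint64 unlockTime; }

    IERC20 public immutable token;
    address public admin;          // the only privileged role; burned on retirement
    bool public retired;           // one-way switch: no new locks once set
    uint256 public totalLocked;    // sum of all active user locks
    uint256 public nextLockId;
    mapping(uint256 => Lock) public locks;

    event Locked(uint256 indexed id, address indexed owner, uint256 amount, uint64 unlockTime);
    event Withdrawn(uint256 indexed id, address indexed owner, uint256 amount);
    event Retired(address indexed formerAdmin, uint256 residualSwept);

    error AlreadyRetired();
    error NotAdmin();
    error StillLocked();
    error ActiveLocksRemain(uint256 remaining);

    modifier live() { if (retired) revert AlreadyRetired(); _; }
    modifier onlyAdmin() { if (msg.sender != admin) revert NotAdmin(); _; }

    constructor(IERC20 _token) { token = _token; admin = msg.sender; }

    /// Entry point 1: lock tokens until unlockTime (caller approves this contract first).
    function lock(uint256 amount, uint64 unlockTime) external live returns (uint256 id) {
        require(amount != 0, "zero amount");
        require(unlockTime > block.timestamp, "unlock time in the past");
        id = nextLockId++;
        locks[id] = Lock(msg.sender, amount, unlockTime);
        totalLocked += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        emit Locked(id, msg.sender, amount, unlockTime);
    }

    /// Entry point 2: the lock owner withdraws after the deadline. There is deliberately no
    /// admin override, and this path stays open after retirement so users are never stranded.
    function withdraw(uint256 id) external {
        Lock memory l = locks[id];
        require(l.owner == msg.sender, "not lock owner");
        if (block.timestamp < l.unlockTime) revert StillLocked();
        delete locks[id];                       // effects before interaction
        totalLocked -= l.amount;
        require(token.transfer(msg.sender, l.amount), "transfer failed");
        emit Withdrawn(id, msg.sender, l.amount);
    }

    /// Retirement, in one transaction:
    ///  - refuses while any user funds remain (an admin "migrate" of user locks would itself
    ///    be a control path, so none exists),
    ///  - sweeps only stray tokens sent directly to the contract, never user locks,
    ///  - closes the lock() entry point for good,
    ///  - burns the admin role so the onlyAdmin path can never become viable again.
    function retire(address residualTo) external onlyAdmin live {
        require(residualTo != address(0), "sweep target is zero address");
        if (totalLocked != 0) revert ActiveLocksRemain(totalLocked);
        retired = true;
        address former = admin;
        admin = address(0);
        uint256 residual = token.balanceOf(address(this));
        if (residual != 0) require(token.transfer(residualTo, residual), "sweep failed");
        emit Retired(former, residual);
    }

    /// For off-chain inventories: true only when funds, permissions and the deposit
    /// entry point are all gone. A deprecated contract that reports false still needs watching.
    function isFullyRetired() external view returns (bool) {
        return retired && admin == address(0) && token.balanceOf(address(this)) == 0;
    }
}
```

The design choice worth noting is the order of operations in `retire()`: the admin role is burned in the same transaction that sweeps residual balance and closes the deposit path, so there is no window in which a forgotten privileged key still controls a contract that holds value. `isFullyRetired()` gives a monitoring pipeline a single boolean to assert on for every contract a team has stopped maintaining; the condition the article describes, deprecated by the team but still holding funds or permissions, is exactly the case where it returns false.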