Author: Gino Matos
Compiler: Luffy, Foresight News
TL;DR:
- Hackers stole approximately $1.34 million in assets by exploiting Raydium's long-discontinued V3 Automated Market Maker liquidity pools.
- This incident exposes a widespread issue: Old contracts decommissioned by DeFi projects are still operational on-chain. These forgotten underlying infrastructures have become easily overlooked attack targets.
- Public reports indicate that since March 2025, there have been at least 8 similar theft incidents targeting old contracts within the industry, suggesting that a vast amount of unattended legacy code remains externally callable.
Recently, a vulnerability in Raydium's AMM V3 resulted in a loss of $1.34 million. This incident involved five liquidity pools outside the project's current product ecosystem. These pools were unsupported by Raydium's UI or SDK and inaccessible to ordinary users, yet they were ultimately exploited by hackers.
This attack targeted the neglected old contracts and underlying infrastructures within the industry, revealing major flaws in the full lifecycle management of smart contracts. This type of problem is not unique to this one Solana-based decentralized exchange.
The Overlooked Risk Category
According to publicly available security incident reports, from March 2025 to the present, there have been at least 8 confirmed attack cases explicitly due to abandoned, phased-out, or old contracts, with cumulative losses of approximately $10.8 million.
If attacks involving old liquidity pools and outdated supporting products are included in the statistics, the number of related incidents reaches 10 (including this Raydium theft), with total losses amounting to about $22.5 million.
Most current industry security incident tracking platforms categorize attack types based on technical causes. Common classifications include: smart contract code vulnerabilities, permission control failures, oracle manipulation, private key leakage, cross-chain bridge defects, etc.
Zombie contracts (i.e., old contracts declared discontinued by projects but still normally callable on-chain) belong to a completely different risk dimension. They are security incidents caused by failures in contract lifecycle management, yet they have always been buried within the statistical entries of various conventional vulnerabilities and have not been classified separately.
The reason Raydium's V3 AMM liquidity pools were abandoned stems from the formal shutdown of the Serum project they relied on, rendering this set of old contracts completely non-functional. The corresponding liquidity assets have been idle on-chain ever since.
Raydium's currently used new version of the contract performs dual verification of two key pieces of information: first, it checks asset proportions through a total supply verification mechanism; second, it verifies the minting address of liquidity tokens and various associated account information.
However, this outdated V3 contract omitted both of these verification steps entirely. The attackers exploited that omission by minting forged liquidity tokens and presenting them as legitimate liquidity receipts, directly bypassing every risk control rule.
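The two checks the article describes, modelled as a simplified withdrawal handler. This is an added example and not Raydium's code; the struct and field names, and the pool layout, are assumptions made for illustration. The legacy variant computes the payout against whatever mint the caller supplies; the hardened variant first binds the mint and token account to the pool and cross-checks the mint's reported supply against the pool's own accounting.

```rust
// Added example, not Raydium's code: a minimal model of the two checks the
// page says the current contract performs (LP-mint identity plus total-supply
// consistency) and the V3 pools omitted. Type and field names are assumptions.

#[derive(Debug, PartialEq)]
pub enum WithdrawError {
    WrongLpMint,       // caller's LP mint is not the pool's recorded mint
    WrongTokenAccount, // caller's token account is denominated in another mint
    SupplyMismatch,    // mint's reported supply disagrees with pool accounting
    InsufficientLp,    // burn amount is zero or exceeds holdings / outstanding LP
}

/// Pool state written at pool creation (assumed layout).
pub struct PoolState {
    pub lp_mint: [u8; 32], // the only LP mint this pool recognises
    pub lp_supply: u64,    // LP tokens outstanding per the pool's own accounting
    pub reserve_a: u64,
    pub reserve_b: u64,
}

/// Accounts the caller passes alongside the withdrawal instruction.
pub struct LpMint { pub address: [u8; 32], pub supply: u64 }
pub struct LpTokenAccount { pub mint: [u8; 32], pub amount: u64 }

/// Burning `lp_amount` of `supply` LP tokens releases that fraction of each reserve.
fn pro_rata(pool: &PoolState, supply: u64, lp_amount: u64) -> (u64, u64) {
    let share = |r: u64| (r as u128 * lp_amount as u128 / supply as u128) as u64;
    (share(pool.reserve_a), share(pool.reserve_b))
}

/// Legacy behaviour as the page describes it: the payout is computed against
/// whatever mint the caller supplies, with no check that it belongs to the pool.
pub fn withdraw_unverified(pool: &PoolState, mint: &LpMint, lp_amount: u64) -> (u64, u64) {
    pro_rata(pool, mint.supply, lp_amount)
}

/// Hardened: bind mint and token account to the pool and cross-check the mint's
/// supply against the pool's own accounting before releasing any reserves.
pub fn withdraw_verified(
    pool: &PoolState, mint: &LpMint, lp_acct: &LpTokenAccount, lp_amount: u64,
) -> Result<(u64, u64), WithdrawError> {
    if mint.address != pool.lp_mint { return Err(WithdrawError::WrongLpMint); }
    if lp_acct.mint != pool.lp_mint { return Err(WithdrawError::WrongTokenAccount); }
    if mint.supply != pool.lp_supply { return Err(WithdrawError::SupplyMismatch); }
    if lp_amount == 0 || lp_amount > lp_acct.amount || lp_amount > pool.lp_supply {
        return Err(WithdrawError::InsufficientLp);
    }
    Ok(pro_rata(pool, pool.lp_supply, lp_amount))
}
```

The supply cross-check matters on its own: even a caller holding the genuine LP mint cannot be paid out against a supply figure the pool never recorded.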
In this incident, a total of approximately 150,177 RAY, 5,603 SOL, and 893,700 USDC were stolen. These assets had been stored in the platform's old liquidity pools for a long time. Although detached from mainstream operations, their on-chain call permissions were never deactivated.
Eight Cases Reveal Common Problems
Since 2025, several well-known DeFi projects have stumbled over old contracts. All incidents share the same characteristics: the project team claimed that the current version of the product and active users were unaffected, but because the old contracts were not completely shut down, the project treasury ultimately bore the full losses.
Why Old Contract Risks Are Overlooked
Currently, the vast majority of industry security incident classification systems focus on attack methods, tampering targets, and code failure points, representing an analytical perspective "starting from technical vulnerabilities." This also leads to the masking of zombie contract incidents. The core of such problems is never coding errors, but the failure of projects to execute the necessary complete shutdown of old contracts.
A 2025 industry research paper analyzed 50 major global crypto security incidents between 2022 and 2025, with cumulative losses exceeding $1 billion. The study pointed out that high-harm on-chain attacks are usually the result of several risks stacking on top of one another, simultaneously involving human operations, daily maintenance, economic models, contract lifecycle management, community governance, and other layers.
The paper proposed a four-layer root cause analysis framework, clearly classifying contract lifecycle management vulnerabilities and community governance vulnerabilities as independent risk categories separate from code writing vulnerabilities. The zombie contract problem is a typical lifecycle management vulnerability. However, in existing security statistics systems, such incidents are uniformly categorized as "code vulnerabilities," and the corresponding loss data is concealed under other classifications, failing to attract sufficient industry attention.
Beware the "Contract Graveyard": Old Infrastructure Becomes a New Attack Hotspot
If DeFi projects continue to treat "contract shutdown" as an optional, trivial matter—merely annotating "this contract is discontinued" in product documentation without transferring idle assets, disabling call functions, or continuously monitoring status—then hackers will persistently target this "contract graveyard."
Every large DeFi project's historical deployment records have now become attack targets that hackers can search and exploit. The currently counted $22.5 million in losses is merely the value from publicly exposed cases; the real risk is far higher.
Those old liquidity pools holding assets but detached from mainstream user workflows, historical authorization interfaces, and early partnership integration modules receive far less operational monitoring than current business systems, making them precisely the preferred targets for hackers.
To change the status quo, "zombie contracts" must first be listed as an independent risk category with separate incident statistics. Secondly, the contract decommissioning process must be incorporated into standardized security procedures, placed on equal footing with code audits. Only by implementing full lifecycle operations and maintenance can the attack surface be effectively reduced.
Currently, the industry's handling methods are largely similar. Raydium used its project treasury to cover the $1.34 million loss. Transit Finance and Huma Finance also bore user losses through the project side.
This also means that contract decommissioning is no longer just a documentation annotation task; it is an essential security control link.
Seven Security Control Standards for Contract Decommissioning
For the shutdown of old contracts, the industry can establish standardized control processes. The specific requirements and their functions are as follows:
Simply annotating "contract discontinued" in documentation merely shifts the security risk to the project treasury, while the attack vulnerability remains. Announcing a shutdown only at the product level without a complete technical deactivation leaves old contracts perpetually callable: project teams neglect oversight, while hackers watch closely at all times.
The value of a DeFi project is not only reflected in its current total value locked (TVL) but also in the historical code and underlying architectures accumulated along its journey. And this forgotten history has now become a new point of entry for attackers.