Raydium Exploit Highlights $22.5M Wave of Legacy DeFi Contract Thefts

A Raydium pool exploit that siphoned about $1.34 million last week is part of a growing pattern: at least eight DeFi protocols have lost a combined $10.8 million since March 2025 through attacks on old, deprecated smart contracts. When you include broader legacy-vault and product failures, the total climbs to roughly $22.5 million — and Raydium is the latest on the list.

What happened on Raydium

The attacker drained five legacy liquidity pools on Raydium's AMM V3 that were no longer supported by the current user interface or software development kit. The old program did not verify the LP mint address against the pool's own mint and had no proportion controls, so the attacker could create a new mint and bypass the safeguards. At the time of the attack, the pools still held roughly 150,177 RAY tokens, 5,603 SOL, and 893,700 USDC — all callable on-chain even though the platform had moved on.

The funds were withdrawn in a single transaction. The company says current users and active pools were not affected.
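To make the two missing checks concrete, here is an added example (not Raydium's code, and not a Solana program; a plain-Rust model with hypothetical names). A `Pool` records the LP mint it was created with; a hardened `withdraw_checked` rejects any request whose mint is not that recorded mint, and computes the payout pro rata from the LP share burned instead of trusting the amounts the caller asks for. The legacy-style `withdraw_unchecked` beside it shows what happens when neither check exists. All values are constructed.

```rust
// Added illustration of the two safeguards the article says the legacy pool
// program lacked: binding withdrawals to the pool's recorded LP mint, and
// enforcing that payouts are proportional to the LP share burned.
// Hypothetical model only, not Raydium's on-chain program.

#[derive(Debug, PartialEq)]
pub enum PoolError {
    LpMintMismatch,      // caller presented a mint other than the pool's own
    InvalidLpAmount,     // zero, or more than the outstanding supply
    Disproportionate,    // requested payout exceeds the pro-rata share
    InsufficientReserves,
}

#[derive(Debug, Clone)]
pub struct Pool {
    pub lp_mint: [u8; 32], // LP mint address stored at pool creation
    pub lp_supply: u64,    // LP tokens outstanding
    pub reserve_a: u64,    // e.g. RAY held by the pool
    pub reserve_b: u64,    // e.g. SOL held by the pool
}

#[derive(Debug, Clone)]
pub struct WithdrawRequest {
    pub lp_mint: [u8; 32], // mint of the LP tokens the caller presents
    pub lp_amount: u64,    // LP tokens the caller burns
    pub want_a: u64,       // payout the caller asks for in token A
    pub want_b: u64,       // payout the caller asks for in token B
}

/// Legacy-style path: trusts the caller's mint and requested amounts, so a
/// freshly created mint can be presented and the reserves requested outright.
pub fn withdraw_unchecked(pool: &mut Pool, req: &WithdrawRequest) -> Result<(u64, u64), PoolError> {
    if req.want_a > pool.reserve_a || req.want_b > pool.reserve_b {
        return Err(PoolError::InsufficientReserves);
    }
    pool.reserve_a -= req.want_a;
    pool.reserve_b -= req.want_b;
    Ok((req.want_a, req.want_b))
}

/// Hardened path: the mint must be the pool's recorded LP mint, the burned
/// amount must be a valid share of supply, and the payout is derived from
/// that share rather than from the caller's numbers.
pub fn withdraw_checked(pool: &mut Pool, req: &WithdrawRequest) -> Result<(u64, u64), PoolError> {
    if req.lp_mint != pool.lp_mint {
        return Err(PoolError::LpMintMismatch);
    }
    if req.lp_amount == 0 || req.lp_amount > pool.lp_supply {
        return Err(PoolError::InvalidLpAmount);
    }
    // Widen to u128 so reserve * lp_amount cannot overflow before the division.
    let share = |reserve: u64| -> u64 {
        ((reserve as u128 * req.lp_amount as u128) / pool.lp_supply as u128) as u64
    };
    let out_a = share(pool.reserve_a);
    let out_b = share(pool.reserve_b);
    if req.want_a > out_a || req.want_b > out_b {
        return Err(PoolError::Disproportionate);
    }
    pool.reserve_a -= out_a;
    pool.reserve_b -= out_b;
    pool.lp_supply -= req.lp_amount;
    Ok((out_a, out_b))
}

fn main() {
    // Constructed pool: 1,000 LP tokens outstanding against 10,000 A and 5,000 B.
    let mut pool = Pool { lp_mint: [1u8; 32], lp_supply: 1_000, reserve_a: 10_000, reserve_b: 5_000 };
    // A request that presents a different mint and asks for the whole reserve.
    let foreign = WithdrawRequest { lp_mint: [2u8; 32], lp_amount: 1_000, want_a: 10_000, want_b: 5_000 };
    println!("unchecked: {:?}", withdraw_unchecked(&mut pool.clone(), &foreign));
    println!("checked:   {:?}", withdraw_checked(&mut pool, &foreign));
}
```

The point of the `share` closure is that the caller's `want_a`/`want_b` never feed the arithmetic; they are only compared against what the burned share entitles them to. A program that deprecates a pool can go one step further and refuse withdrawals entirely once the pool is marked retired, which is the lifecycle check the article says trackers rarely look for.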

A list of ghosts that still bleed

Raydium isn't alone. In March, 1inch lost about $5 million through an obsolete Fusion v1 resolver contract. Abracadabra saw $1.8 million drain out of deprecated Cauldron V4 contracts back in October 2025. In December, Yearn's legacy iEarn TUSD vault gave up about $300,000.

This year, May alone brought three more incidents. Transit Finance lost $1.88 million via a 2022-era TRON contract. Huma Finance was hit for roughly $101,000 through deprecated V1 BaseCreditPool contracts on Polygon. And Renegade lost $209,000 because of an unprotected initializer and migration issue in its old Arbitrum V1 deployment — though white-hat recovery cut some of the damage.

Scallop, a lending protocol, lost about $140,000 from a deprecated rewards contract. Its core lending infrastructure remained untouched.

Why old code keeps paying out

Every affected protocol claimed that current users were safe and current programs remained intact. But each one ended up paying from treasury anyway, because the old infrastructure was still callable on the blockchain. Someone eventually noticed.

Exploit trackers tend to classify incidents by technical mechanisms — a smart contract bug, an access control failure, a price oracle problem. They rarely flag the lifecycle state of the contract. So a vulnerability that only exists because a protocol stopped maintaining a piece of code flies under the radar until the attacker finds it.

The $22.5 million estimate includes the bigger legacy-vault and product failures. That number is based on public disclosures from the affected teams. There's no central registry for deprecated contracts that still hold value.

What's unclear is how many more old, unmaintained contracts are sitting on Ethereum, Solana, Arbitrum, and other chains, still holding tokens that the teams have effectively abandoned. No one is auditing them. No one is watching. The code still runs — and it still pays.