Raydium $1.34M exploit exposes legacy DeFi contract vulnerability
In brief
- Raydium lost $1.34M when an attacker exploited phased-out AMM V3 pools that neither the UI nor the SDK supports.
- Eight legacy-contract exploits since March 2025 drained $10.8M across DeFi protocols.
- Deprecated contracts bypassed security checks, resolver logic, vault safeguards, and initialization protections.
- Current users and active programs remained unharmed; losses came from retired infrastructure.
The Raydium case: what stayed live
Raydium's AMM V3 pools were deprecated after Serum's own deprecation rendered them inert. Yet roughly 150,177 RAY, 5,603 SOL, and 893,700 USDC were still sitting in pools that lay outside the current product but remained callable on-chain.
The legacy program skipped both proportion checks and LP mint address verification. An attacker created a new mint, presented it as the LP token, and bypassed proportion controls. No UI. No SDK. No current user access. The infrastructure was simply forgotten.
A pattern across protocols
The problem isn't Raydium alone. Public exploit reports have found at least eight clear cases since March 2025 in which deprecated, obsolete, or legacy DeFi contracts became the attack surface, totaling roughly $10.8 million in losses. Extending the definition to include broader legacy-vault and legacy-product failures lifts the count to about ten incidents and $22.5 million in losses.
The list reads like a graveyard of forgotten infrastructure. In March 2025, 1inch lost roughly $5 million when an obsolete Fusion v1 resolver contract implementation was exploited. In October 2025, Abracadabra lost $1.8 million due to deprecated Cauldron V4 contracts that remained active and exploitable because of a logic flaw. In December 2025, Yearn's legacy iEarn TUSD vault was drained of roughly $300,000, while Yearn's current v2 and v3 vaults remained clean.
In May 2025, SlowMist reported Transit Finance losing $1.88 million through a deprecated 2022-era TRON contract. Huma Finance lost roughly $101,000 through deprecated V1 BaseCreditPool contracts on Polygon. Renegade lost approximately $209,000 due to a legacy V1 Arbitrum deployment exposed by an unprotected initializer and a migration issue. Scallop lost roughly $140,000 due to a deprecated rewards contract, leaving the core lending infrastructure clean.
Why it matters
Each protocol made the same statement: current users were safe, active programs stayed intact, and the treasury covered losses. But the real issue isn't what broke—it's what never got cleaned up.
Most exploit classifications focus on mechanism: how the attacker got in, what code failed, which vulnerability was exploited. That lens misses lifecycle state entirely. Zombie contracts, or legacy DeFi contracts still callable after retirement, belong to a different axis. A 2025 SoK paper analyzing 50 severe real-world exploits from 2022 to 2025 (totaling over $1 billion in losses) found that high-impact incidents frequently involve exploit chains spanning human, operational, economic, lifecycle, and governance layers.
The Raydium drain is a reminder: retiring infrastructure takes more than flipping a feature flag. It takes active removal, verification, and the discipline to ensure old code can't be called from on-chain. Until that becomes standard practice, forgotten pools and deprecated vaults will keep sitting there, waiting for someone to notice they're still live.
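As an added illustration (not Raydium's code and not the AMM V3 program), the Rust below models the two checks the article says the legacy program skipped, LP mint address verification and a proportion check, beside a legacy-style deposit path that lacks them, and adds an explicit `retired` flag so a phased-out pool refuses every instruction at entry rather than merely disappearing from a UI. `Pubkey`, `PoolState`, `DepositArgs`, `deposit_legacy`, `deposit_hardened`, `retire_pool`, `MAX_RATIO_DEVIATION_BPS` and the sample reserves are all constructed names and values; `Pubkey` is a plain 32-byte array, so there is no Solana SDK dependency.

```rust
// Constructed example, not Raydium's or any AMM program's code. Shows a deposit
// path with LP mint verification, a proportion check, and a retired flag, next to
// a legacy-style path that has none of them. Pubkey is a bare 32-byte array.
pub type Pubkey = [u8; 32];

#[derive(Debug, PartialEq, Eq)]
pub enum AmmError { PoolRetired, LpMintMismatch, DisproportionateDeposit, ZeroAmount, EmptyPool }

#[derive(Debug, Clone)]
pub struct PoolState {
    pub lp_mint: Pubkey, // LP mint recorded at pool initialization
    pub coin_reserve: u64,
    pub pc_reserve: u64,
    pub lp_supply: u64,
    pub retired: bool, // set when the pool is phased out
}

/// Accounts and amounts supplied by the caller of a deposit instruction.
pub struct DepositArgs {
    pub lp_mint_account: Pubkey, // caller-supplied, so it must be validated
    pub coin_amount: u64,
    pub pc_amount: u64,
}

/// Allowed deviation between deposit ratio and pool ratio, in basis points (assumed value).
pub const MAX_RATIO_DEVIATION_BPS: u128 = 50;

/// Legacy-style path (constructed): no retired check, no mint check, no proportion
/// check. LP tokens are computed from the coin side alone and credited against
/// whatever mint account the caller passed, so the pc side is never verified.
pub fn deposit_legacy(pool: &mut PoolState, args: &DepositArgs) -> Result<u64, AmmError> {
    if args.coin_amount == 0 { return Err(AmmError::ZeroAmount); }
    if pool.coin_reserve == 0 { return Err(AmmError::EmptyPool); }
    let minted = (args.coin_amount as u128 * pool.lp_supply as u128 / pool.coin_reserve as u128) as u64;
    pool.coin_reserve += args.coin_amount;
    pool.pc_reserve += args.pc_amount;
    pool.lp_supply += minted;
    Ok(minted)
}

/// Hardened path: every check runs before any state changes.
pub fn deposit_hardened(pool: &mut PoolState, args: &DepositArgs) -> Result<u64, AmmError> {
    if pool.retired { return Err(AmmError::PoolRetired); }
    // The LP mint must be the one stored in pool state, never a caller-chosen mint.
    if args.lp_mint_account != pool.lp_mint { return Err(AmmError::LpMintMismatch); }
    if args.coin_amount == 0 || args.pc_amount == 0 { return Err(AmmError::ZeroAmount); }
    if pool.coin_reserve == 0 || pool.pc_reserve == 0 { return Err(AmmError::EmptyPool); }
    // Proportion check by cross-multiplication (no division, no rounding):
    // coin_amount / pc_amount must match coin_reserve / pc_reserve within tolerance.
    let lhs = args.coin_amount as u128 * pool.pc_reserve as u128;
    let rhs = args.pc_amount as u128 * pool.coin_reserve as u128;
    let (hi, lo) = if lhs > rhs { (lhs, rhs) } else { (rhs, lhs) };
    if (hi - lo) * 10_000 > hi * MAX_RATIO_DEVIATION_BPS {
        return Err(AmmError::DisproportionateDeposit);
    }
    // Credit the smaller of the two sides' entitlements so neither side is over-credited.
    let by_coin = args.coin_amount as u128 * pool.lp_supply as u128 / pool.coin_reserve as u128;
    let by_pc = args.pc_amount as u128 * pool.lp_supply as u128 / pool.pc_reserve as u128;
    let minted = by_coin.min(by_pc) as u64;
    pool.coin_reserve += args.coin_amount;
    pool.pc_reserve += args.pc_amount;
    pool.lp_supply += minted;
    Ok(minted)
}

/// Retiring a pool on-chain: dropping it from the UI or SDK changes nothing here,
/// so the program itself must refuse further calls.
pub fn retire_pool(pool: &mut PoolState) { pool.retired = true; }

/// Constructed 32-byte key distinguished by its first byte.
pub fn pk(tag: u8) -> Pubkey { let mut k = [0u8; 32]; k[0] = tag; k }

/// Constructed pool: 1:2 coin/pc ratio, one LP unit per coin unit initially.
pub fn sample_pool() -> PoolState {
    PoolState { lp_mint: pk(1), coin_reserve: 1_000_000, pc_reserve: 2_000_000, lp_supply: 1_000_000, retired: false }
}

fn main() {
    let (mut legacy, mut hardened) = (sample_pool(), sample_pool());
    // Caller passes a freshly created mint (pk(2)) instead of the pool's LP mint, with a lopsided deposit.
    let foreign = DepositArgs { lp_mint_account: pk(2), coin_amount: 10_000, pc_amount: 1 };
    println!("legacy accepts:   {:?}", deposit_legacy(&mut legacy, &foreign));
    println!("hardened rejects: {:?}", deposit_hardened(&mut hardened, &foreign));
    let fair = DepositArgs { lp_mint_account: pk(1), coin_amount: 10_000, pc_amount: 20_000 };
    println!("hardened fair deposit: {:?}", deposit_hardened(&mut hardened, &fair));
    retire_pool(&mut hardened);
    println!("after retirement: {:?}", deposit_hardened(&mut hardened, &fair));
}
```

The ordering matters: the hardened path validates the retired flag, the mint account, the amounts and the ratio before touching reserves, so a rejected call leaves pool state untouched. The retired check is deliberately the first line, which is the on-chain counterpart of the article's point that removing a pool from the UI and SDK does nothing to stop direct program calls.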