DeFi teams obsess over the next smart contract exploit.
But what if the bigger threat is code everyone forgot exists?
The recent Raydium exploit exposed a growing security blind spot across DeFi: zombie contracts.
Hackers drained roughly $1.34M from abandoned V3 AMM liquidity pools that were no longer part of Raydium's active product suite.
The pools weren't supported by the UI, weren't integrated into current workflows, and had effectively been forgotten.
The problem: they were still live on-chain.
A contract doesn't stop being attackable just because a protocol stops talking about it.
According to public security reports, at least 8 confirmed exploits since 2025 have targeted deprecated or abandoned contracts, generating more than $10.8M in losses.
When broader legacy infrastructure incidents are included, losses rise to approximately $22.5M.
What's interesting is that most of these incidents aren't really being discussed as a separate risk category.
They're usually filed under "smart contract vulnerabilities."
But the root cause is often different.
The issue is flawed contract lifecycle management.
Raydium's deprecated V3 architecture lacked validation mechanisms found in newer versions.
Attackers exploited those missing safeguards by creating fake liquidity tokens and presenting them as legitimate LP assets, ultimately draining idle funds that had remained trapped inside forgotten pools.
The pattern is becoming familiar across DeFi:
• Product gets deprecated.
• Users migrate elsewhere.
• Legacy contracts remain active.
• Monitoring decreases.
• Attackers discover the opportunity.
• Treasury absorbs the damage.
Nobody using the current product gets affected.
Yet the protocol still pays the bill.
This is why "deprecated" should never be treated as a security status. It is a documentation status.
If a contract still holds assets, accepts calls, maintains permissions, or interacts with other systems, it remains part of the protocol's attack surface regardless of whether users can access it through the front end.
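A minimal sketch of that test as an inventory check, added here as an illustration (it is not code from Raydium or from any report cited above). The field names, the sample inventory, and the idea of feeding it from a deployment registry plus an on-chain state snapshot are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Deployment:
    # All field names are hypothetical; populate them from your own
    # deployment registry and an on-chain state snapshot.
    name: str
    lifecycle: str          # "active" or "deprecated" (a documentation label only)
    balance_usd: float      # assets still held by the contract
    accepts_calls: bool     # state-changing entry points are still callable
    live_permissions: list = field(default_factory=list)  # unrevoked roles or authorities
    integrations: list = field(default_factory=list)      # systems it still touches
    monitored: bool = False                                # covered by alerting today

def exposure(d):
    """Return the reasons a deployment is still attack surface (the four tests above)."""
    reasons = []
    if d.balance_usd > 0:
        reasons.append("holds assets")
    if d.accepts_calls:
        reasons.append("accepts calls")
    if d.live_permissions:
        reasons.append("maintains permissions")
    if d.integrations:
        reasons.append("interacts with other systems")
    return reasons

def zombie_report(inventory):
    """Deprecated deployments that are still exposed: unmonitored first, then by balance."""
    findings = []
    for d in inventory:
        reasons = exposure(d)
        if d.lifecycle == "deprecated" and reasons:
            findings.append({"name": d.name, "balance_usd": d.balance_usd,
                             "reasons": reasons, "unmonitored": not d.monitored})
    return sorted(findings, key=lambda f: (not f["unmonitored"], -f["balance_usd"]))

# Constructed sample inventory, not real contracts or balances.
INVENTORY = [
    Deployment("amm-v4-pool", "active", 5_000_000, True, ["admin"], ["router"], True),
    Deployment("amm-v3-pool-legacy", "deprecated", 120_000, True, ["upgrade-authority"], [], False),
    Deployment("staking-v1", "deprecated", 0, False, [], [], False),
    Deployment("vault-v2-old", "deprecated", 40_000, False, [], ["oracle-feed"], True),
]

if __name__ == "__main__":
    for finding in zombie_report(INVENTORY):
        print(finding)
```

A deprecated entry drops off the report only when all four tests come back empty, which is the point at which "deprecated" and "no longer attack surface" actually mean the same thing.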
Every major DeFi protocol now carries years of historical deployments, legacy integrations, retired modules, dormant liquidity pools, and old permission structures.
Those forgotten pieces of infrastructure are quietly becoming some of the most attractive targets in crypto.
The next wave of DeFi security will not be about finding bugs in new code.
It will be about eliminating risk hidden inside old code.
Because on-chain, forgotten doesn't mean gone.
