Guavy AI Editorial Team

Legacy DeFi Contracts Become New Attack Surface

Legacy DeFi contracts are becoming a growing concern for decentralized finance (DeFi) platforms. A recent exploit on Raydium's AMM V3 pools drained $1.34 million from legacy infrastructure that was no longer supported by the platform's user interface or software development kit (SDK).

The attack targeted five pools outside of the current product path, which were still callable on-chain despite being phased out. This highlights a lifecycle-management failure that extends beyond Raydium and has been observed in at least eight other DeFi contracts since March 2025.

The total losses from these incidents amount to around $10.8 million, but this figure jumps to approximately $22.5 million when broader legacy-vault and legacy-product failures are included. The issue is not just with technical vulnerabilities, as many of the exploited contracts were already deprecated or obsolete.

Exploit trackers often classify incidents by technical mechanisms such as smart contract bugs or access control failures. However, zombie contracts (legacy DeFi contracts still callable after retirement) represent a different axis and are often missed in these classifications.