Guavy AI Editorial Team

Legacy Contracts Haunt DeFi as Exploits Drain Millions

The DeFi ecosystem has been plagued by a series of exploits that have drained millions of dollars from legacy contracts and infrastructure. A recent incident involving Raydium's AMM V3 pools saw $1.34 million drained, but this is just the tip of the iceberg.

According to CryptoSlate, at least eight clear cases have been identified since March 2025 in which deprecated, obsolete, or legacy DeFi contracts became the attack surface, totaling roughly $10.8 million in losses. When broader legacy-vault and legacy-product failures are included, the count rises to about ten incidents and $22.5 million.

The problem lies in the way protocols treat decommissioning, often leaving retired contracts callable on-chain without proper monitoring or maintenance. This creates a 'graveyard' of vulnerable infrastructure that attackers can exploit.

Experts argue that high-impact incidents frequently involve exploit chains spanning human, operational, economic, lifecycle, and governance layers. They propose a four-tier root-cause framework to address these failures, which includes treating lifecycle and governance failures as a distinct category alongside implementation errors.