Forgotten DeFi Contracts Emerge as Hidden Security Threat After Raydium Hack
A recent exploit targeting Raydium’s discontinued AMM V3 program has exposed a critical blind spot in decentralized finance security: abandoned smart contracts that remain active on-chain long after teams and users have moved on.
The attack drained approximately $1.34 million from five liquidity pools that were part of a phased-out program no longer supported by Raydium’s user interface or software development kit. While current users couldn’t even access these pools through official channels, the underlying smart contracts remained live on Solana’s blockchain—creating an invisible attack surface that security teams had effectively stopped monitoring.
The lifecycle problem plaguing DeFi infrastructure
The incident highlights a systemic issue across the DeFi ecosystem: protocols regularly launch new versions and upgraded contracts, but rarely sunset their predecessors properly. These legacy contracts often retain value deposited by users who either forgot about their positions or lack the technical knowledge to migrate manually. For attackers, they represent low-hanging fruit—outdated code that receives minimal security attention while still holding real assets.
Industry observers note this isn’t an isolated case. Dozens of major DeFi protocols have deprecated earlier contract versions over the past two years, from Uniswap’s V2 to various lending platforms’ initial deployments. Many of these legacy systems continue processing transactions and holding user funds despite being absent from official documentation and interfaces.
Market implications and the path forward
The Raydium incident raises uncomfortable questions about DeFi’s long-term security model. Unlike traditional finance, where systems can be forcibly shut down, blockchain immutability means deployed contracts exist permanently unless explicitly designed with sunset mechanisms. As the sector matures and protocols iterate faster, the volume of forgotten but vulnerable infrastructure will only grow—potentially creating an expanding buffet for sophisticated attackers who track deprecation cycles more carefully than the projects themselves.
Security experts are now calling for industry-wide standards around contract lifecycle management, including mandatory migration windows, automated fund sweeps, and clear deprecation protocols that treat legacy code as the critical security liability it has become.
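To make the sunset mechanism, migration window and fund sweep described above concrete, here is an added example (not Raydium's code or any project's) modelling a pool's deprecation lifecycle as a small state machine. The authority and signer ids are plain u32 values and time is a plain u64 slot counter; both are simplifications assumed for the illustration.

```rust
// Added example: a minimal model of the contract sunset mechanism the article calls for
// (deprecation notice, migration window, fund sweep). Hypothetical design, not any
// project's code; signers are plain u32 ids and time is a plain u64 slot counter.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Phase {
    Active,
    Deprecated { window_ends_at: u64 }, // deposits closed, withdrawals still open
    Sunset,                             // leftovers swept; nothing left to attack
}
#[derive(Debug, PartialEq, Eq)]
pub enum PoolError { DepositsClosed, NotDeprecated, WindowStillOpen, Unauthorized, AlreadySunset }
pub struct Pool { pub authority: u32, pub phase: Phase, pub balance: u64 }
impl Pool {
    /// Deposits are accepted only while Active, so a deprecated pool stops accumulating value.
    pub fn deposit(&mut self, amount: u64) -> Result<u64, PoolError> {
        match self.phase {
            Phase::Active => { self.balance += amount; Ok(self.balance) }
            _ => Err(PoolError::DepositsClosed),
        }
    }
    /// The authority announces deprecation and opens a fixed migration window.
    pub fn deprecate(&mut self, signer: u32, now: u64, window: u64) -> Result<(), PoolError> {
        if signer != self.authority { return Err(PoolError::Unauthorized); }
        match self.phase {
            Phase::Active => { self.phase = Phase::Deprecated { window_ends_at: now + window }; Ok(()) }
            Phase::Deprecated { .. } => Ok(()), // a repeated notice is harmless
            Phase::Sunset => Err(PoolError::AlreadySunset),
        }
    }
    /// Users may withdraw until the sweep; deprecation must never trap their funds.
    pub fn withdraw(&mut self, amount: u64) -> Result<u64, PoolError> {
        if self.phase == Phase::Sunset { return Err(PoolError::AlreadySunset); }
        let paid = amount.min(self.balance);
        self.balance -= paid;
        Ok(paid)
    }
    /// Once the window closes, the authority sweeps what is left to the successor and the
    /// pool is permanently Sunset, so no abandoned balance stays exposed on-chain.
    pub fn sweep(&mut self, signer: u32, now: u64) -> Result<u64, PoolError> {
        if signer != self.authority { return Err(PoolError::Unauthorized); }
        match self.phase {
            Phase::Deprecated { window_ends_at } if now >= window_ends_at => {
                let swept = self.balance; self.balance = 0; self.phase = Phase::Sunset; Ok(swept)
            }
            Phase::Deprecated { .. } => Err(PoolError::WindowStillOpen),
            Phase::Active => Err(PoolError::NotDeprecated),
            Phase::Sunset => Err(PoolError::AlreadySunset),
        }
    }
}
```

The point of the ordering is that deposits close the moment deprecation is announced, withdrawals stay open for the whole window, and the sweep can only run after the window has elapsed, so a legacy pool cannot sit indefinitely holding unmonitored value.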
Based on reporting by the original source.