Raydium Hack Shows How Old DeFi Contracts Can Still Put Funds at Risk

This article was first published on The Bit Journal.
A $1.34 million exploit on Raydium, a Solana-based exchange, has raised concerns about a security problem that many DeFi protocols ignore: old DeFi contracts.
Although the Raydium hack did not affect anyone who is currently using the platform or its live products, it has shown how old code can remain live online for years, providing a way in for attackers, even after the platform has moved on to newer systems.
Raydium confirmed that hackers had siphoned off about $1.34 million from 5 old AMM V3 liquidity pools that had been phased out as far back as 2021. These pools had been gradually replaced by newer ones since then.
The attacker took about 150,177 RAY, 5,603 SOL, and 893,700 USDC. Raydium said affected users would get their losses back from its treasury.
How the Raydium Hack Went Down
According to Raydium, the vulnerability was in the older AMM V3 code. It lacked some checks that are now standard in its newer versions. This let an attacker get past the controls on the liquidity pool by creating a fake LP token.
Importantly, Raydium’s live products, interfaces, and active pools were not touched by the Raydium hack. The compromised pools hadn’t been accessible through the platform’s interface for years, but they still had some assets and remained operational on the blockchain.
Most exploit databases categorize attacks by technical cause, such as a smart contract bug, an access control failure, an oracle manipulation, or a bridge vulnerability.
However, security researchers are increasingly identifying old DeFi contracts as a separate problem. When protocols deprecate products, they remove them from interfaces and stop marketing them, but the underlying contracts often remain active. Attackers can continue interacting with those contracts even when developers and users have forgotten about them.
Over the past year and a half, public reports have linked incidents similar to the Raydium hack to platforms like 1inch, Abracadabra, Yearn, Transit Finance, Huma Finance, Renegade, and Scallop. In many cases, current products were secure but older contracts were the entry point for hackers.

Why Forgotten Infrastructure Keeps Getting Exploited
Live products get constant monitoring, security audits, bug fixes, and attention from the community. Old contracts, on the other hand, often get none of that protection, and hackers know this.
A dormant contract holding millions of dollars can be an attractive target because it receives much less scrutiny than the up-and-running infrastructure.
In the case of the Raydium hack, the assets had been left sitting in old pools that were no longer part of its product strategy.
According to experts, this creates a kind of ‘zombie contract’ situation where the code is effectively dead from a product perspective but still technically alive.
DeFi Security Problems Are Getting More Complicated
April 2026 was one of the worst months on record for DeFi security with approximately $635 million lost in 28 separate hacks.
While many high-profile hacks get all the attention, it is often the smaller incidents that expose a different kind of problem that is more insidious. Most of these incidents aren’t the result of extremely clever hacking techniques but rather operational oversights that occur when protocol upgrades or migrations aren’t done properly.
As DeFi matures, protocols accumulate years of deployments, upgrades, vaults, reward systems, liquidity pools, and integrations, each expanding the potential attack surface.

Why Decommissioning May Become a Security Requirement For DeFi Protocols
The Raydium hack has a lot of DeFi developers rethinking how protocols deal with old infrastructure.
Security experts are now saying that decommissioning should involve more than documentation updates. Retired contracts could need assets removed, permissions revoked, certain functions paused and ongoing monitoring put in place where necessary.
Raydium’s decision to cover the losses from its treasury also reveals another reality: even when users aren’t directly affected, older vulnerabilities can still leave financial liabilities for the protocol.
For investors, a protocol’s security profile isn’t just about the current state of the codebase any more. Older deployments now matter too.
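One way to turn the decommissioning steps above (assets removed, permissions revoked, functions paused, monitoring where necessary) into a repeatable check, as an added example that is not from Raydium or the original article. The inventory, field names and finding labels are hypothetical, and the sample data is constructed.

```python
# Added example: audit a constructed inventory of deployments for retired
# contracts that are still exposed. All names and values are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Deployment:
    name: str
    status: str                      # "live" or "retired"
    value_usd: float                 # assets still held on-chain
    authorities: list = field(default_factory=list)  # keys that can still act
    paused: bool = False             # state-changing functions disabled?
    monitored: bool = False          # alerting on on-chain activity?

def audit(dep: Deployment) -> list:
    """Return decommissioning findings for one deployment (empty = clean)."""
    if dep.status != "retired":
        return []                    # live products are covered by normal review
    findings = []
    if dep.value_usd > 0:
        findings.append("assets-remaining")
    if dep.authorities:
        findings.append("permissions-not-revoked")
    if not dep.paused:
        findings.append("functions-callable")
    # Monitoring matters only while something can still be taken or called.
    if not dep.monitored and (dep.value_usd > 0 or not dep.paused):
        findings.append("unmonitored")
    return findings

def report(inventory: list) -> list:
    """Findings for every exposed retired deployment, highest value first."""
    rows = [(d.name, d.value_usd, audit(d)) for d in inventory]
    rows = [r for r in rows if r[2]]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample inventory (not real protocol data).
INVENTORY = [
    Deployment("amm-v4", "live", 9_000_000.0, ["upgrade-key"], False, True),
    Deployment("amm-v1-pools", "retired", 1_200_000.0, [], False, False),
    Deployment("old-staking", "retired", 0.0, ["admin-key"], True, False),
    Deployment("old-farm", "retired", 0.0, [], True, False),
]

if __name__ == "__main__":
    for name, value, findings in report(INVENTORY):
        print(f"{name:14} ${value:>12,.2f}  {', '.join(findings)}")
```
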
Conclusion
The verdict is that old DeFi contracts could pose a major security challenge as the DeFi industry gets older.
Apart from securing their current products, protocols now have to start thinking about all the infrastructure they built up over the years, scattered across multiple chains, versions and ecosystems.
Raydium’s loss of $1.34 million will probably be remembered for showing that old code can still be a live risk even years after it was retired.
Glossary
AMM (Automated Market Maker): A decentralized trading system that uses liquidity pools instead of traditional order books.
LP Token: A token that represents a user’s share of assets in a liquidity pool.
Smart Contract: A self-executing piece of code that runs on a blockchain.
DeFi: These are decentralized finance applications that operate without traditional financial middlemen.
Treasury: Funds controlled by a protocol and often used for development, incentives or reimbursements.
Frequently Asked Questions About Raydium Hack
What happened in the Raydium hack?
An attacker found a vulnerability in Raydium’s old AMM V3 program and drained roughly $1.34 million from five inactive liquidity pools.
Were Raydium’s current users affected?
No. Raydium said all the current users were safe. The hack was limited to the old AMM V3 program and didn’t affect any of the active users.
What are Legacy DeFi Contracts?
These are older smart contracts that have been retired from active use but are still running on the blockchain. Basically, old code that still has assets and access that could be exploited.
Why are these older contracts a problem?
Because they often get left to run with no monitoring or maintenance but still hold assets, making them a prime target for attackers.
Will Raydium be covering the losses for affected users?
Yes. Raydium said they’ll be using their treasury to cover all the losses resulting from the hack.







