Legacy DeFi contracts: Raydium $1.34M AMM V3 drain

Raydium suffered a $1.34M exploit tied to legacy DeFi contracts: deprecated AMM V3 pools that stayed callable on-chain even after protocol migration. The attacker drained funds from five pools outside Raydium’s current UI/SDK path, using a legacy program that skipped key mint and proportion checks. Reported balances included ~150,177 RAY, ~5,603 SOL, and ~893,700 USDC.

The broader takeaway for traders is that “legacy DeFi contracts” can behave like a persistent attack surface. CryptoSlate cited at least eight similar legacy-contract incidents since March 2025, totaling about $10.8M in losses; expanding definitions lifts estimates to roughly $22.5M across around ten incidents. Examples include:

- 1inch (Fusion v1 resolver, ~Mar 2025): ~$5.0M
- Abracadabra (Cauldron V4, ~Oct 2025): ~$1.8M
- Yearn (legacy iEarn TUSD vault, ~Dec 2025): ~$0.3M
- Transit Finance (deprecated TRON contract, ~May 2026): ~$1.88M
- Huma Finance (deprecated V1 BaseCreditPool on Polygon, ~May 2026): ~$0.101M
- Renegade (legacy V1 Arbitrum deployment, ~May 2026): ~$0.209M
- Scallop (deprecated rewards contract): ~$0.14M

CryptoSlate argues most exploit databases miss this “lifecycle” failure mode, where retired-by-product code is not decommissioned technically. It recommends decommissioning controls: draining idle legacy assets, pausing callable functions, verifying old LP mints/permissions, monitoring legacy deployments, and clarifying treasury liability.
Bearish
This news highlights a recurring DeFi failure mode: legacy DeFi contracts that are “retired” in product terms but remain callable on-chain. Historically, such incidents tend to increase risk premiums across DeFi, especially for liquidity providers and integrators who may still interact with old pools, approvals, or reward/vault logic. Raydium’s ~$1.34M drain is not isolated—CryptoSlate links a pattern of multiple legacy-contract exploits since 2025 with multi-million-dollar losses. Short-term, traders may price in higher tail-risk for DeFi tokens and protocols associated with older code paths (even when the current UI/SDK is “safe”), leading to weaker sentiment and more conservative liquidity behavior (wider spreads, lower risk-taking). Long-term, the market could gradually re-rate protocols that demonstrate strong decommissioning controls (draining, pausing, monitoring, and clear treasury liability), while protocols with unclear retirement processes may see persistent valuation discounts. Overall, because the issue is structural (lifecycle governance and decommissioning), it’s more likely to pressure sentiment than to be a one-off event—hence a bearish bias.