A critical vulnerability within Raydium's V3 Automatic Market Maker system recently triggered a $1.34 million loss, exposing a latent threat within the decentralized finance infrastructure. The breach targeted five specific fund pools that were unsupported by the current user interface or software development kit, rendering them invisible to ordinary users yet fully accessible to malicious actors. This attack vector focused on outdated contracts and underlying infrastructure that had fallen outside the scope of standard industry attention, revealing profound deficiencies in smart contract lifecycle management. Woofun AI reports that such oversights are not isolated to this single decentralized exchange but represent a broader systemic failure within the Solana ecosystem. Publicly available security incident data indicates that since March 2025, at least eight distinct attacks have leveraged abandoned or obsolete contracts, accumulating total losses of approximately $10.8 million. When including incidents driven by outdated fund pools and legacy supporting products, the count rises to ten cases, with aggregate damages reaching $22.5 million.
Current industry security tracking platforms predominantly categorize attacks based on technical vectors such as smart contract code flaws, permission control failures, oracle manipulation, private key compromises, and cross-chain bridge defects.
However, zombie contracts—those officially discontinued by a project but remaining callable on-chain—constitute a distinct risk category often omitted from conventional vulnerability statistics. The root cause of the Raydium V3 vulnerability lay in the official shutdown of the Serum project, upon which these pools relied, leaving the old contracts functionally obsolete while liquidity remained idle on the chain. Raydium's current contract architecture employs a dual-layer verification system: it checks that the amount of liquidity provider (LP) tokens presented for redemption is consistent with the total supply the pool has actually issued, and it validates that those tokens come from the pool's own LP mint address. The legacy V3 contracts lacked both safeguards. Woofun AI notes that attackers exploited this architectural gap to mint new LP tokens, presenting them as legitimate credentials to bypass all existing risk control measures and redeem the pools' reserves.
The specific assets compromised in this incident included approximately 150,177 RAY tokens, 5,603 SOL tokens, and 893,700 USDC tokens. These funds had resided in the platform's legacy pools for extended periods; although they were no longer integral to main business operations, their on-chain call permissions had never been revoked. Since 2025, numerous prominent DeFi projects have faced similar challenges with legacy contracts, following a consistent pattern where project owners assert that active users remain unaffected while the project treasury absorbs the full financial impact. Most existing security classification systems prioritize attack methodologies and code flaws, adopting a technology-centric analysis that obscures the true nature of lifecycle management failures. The core issue is not a coding error but a failure to properly decommission old contracts.
A research paper published in 2025 analyzed 50 major global crypto security incidents between 2022 and 2025, which resulted in total losses exceeding $1 billion. The study concluded that highly destructive on-chain attacks often stem from a convergence of risks involving human operations, daily maintenance, economic models, contract lifecycle management, and community governance. The authors proposed a four-tier root cause analysis framework to distinctly separate vulnerabilities in contract lifecycle management from coding errors and governance failures. Despite this, existing security statistics continue to misclassify zombie contract incidents under 'coding vulnerabilities,' burying the corresponding loss data within other categories and preventing the industry from addressing the root cause. Woofun AI analysis suggests that failing to recognize this distinction allows the 'contract graveyard' to remain a fertile ground for exploitation.
If DeFi projects continue to treat contract shutdown as a trivial administrative task, merely annotating documentation without technically disabling functions or removing idle assets, hackers will persist in targeting these forgotten facilities. The historical deployments of major DeFi projects, still live on-chain and recorded in public deployment history, have effectively become accessible and exploitable targets. The reported $22.5 million in losses represents only publicly disclosed incidents, implying the actual risk exposure is significantly higher. Legacy fund pools holding assets outside the mainstream user experience, historical authorization interfaces, and early collaboration modules receive minimal operational monitoring compared to active business systems, making them ideal targets. To mitigate this, the industry must classify zombie contracts as a separate risk category and track related incidents independently.
Furthermore, the contract shutdown process must be integrated into standardized security procedures with the same rigor as code audits.
Currently, most industry participants handle these breaches similarly, with Raydium utilizing its project treasury to cover the $1.34 million loss, while Transit Finance and Huma Finance also saw project owners bear user losses. This trend confirms that shutting down contracts is no longer a matter of documentation but an essential security imperative. Merely marking a contract as discontinued in product documentation shifts the security risk to the treasury without eliminating the attack surface. If a contract is announced as shut down at the product level but remains technically callable, it stays vulnerable to exploitation if the team fails to monitor it. The value of DeFi projects extends beyond current locked assets to the historical code and infrastructure built over time, yet this forgotten history has now emerged as a primary source of security vulnerabilities.
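The following is an added illustration, not Raydium's program code or any code from Woofun AI. It models in Python the two points made above: the legacy redemption path that trusts whatever LP mint the caller presents (the gap described in the discussion of the V3 pools) versus the hardened path that validates the LP mint address and the claimed amount against issued supply, and a technical decommissioning routine that sweeps idle reserves and revokes minting so a retired pool cannot be called profitably at all. The names Mint, TokenAccount, Pool, make_pool, forged_mint_attack and decommission, the sample balances, and the admin flow are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Toy model of an AMM pool's LP-token redemption path. Added illustration only:
# every name and number below is an assumption, not Raydium's actual program.

class PoolError(Exception):
    """Raised when a redemption or admin action is rejected."""

@dataclass
class Mint:
    address: str
    authority: Optional[str]   # who may mint; None means minting is permanently disabled
    supply: int = 0

    def mint_to(self, account: "TokenAccount", amount: int, signer: str) -> None:
        if self.authority is None or signer != self.authority:
            raise PoolError(f"{signer} is not the mint authority of {self.address}")
        if account.mint is not self:
            raise PoolError("token account belongs to a different mint")
        account.amount += amount
        self.supply += amount

@dataclass
class TokenAccount:
    owner: str
    mint: Mint
    amount: int = 0

@dataclass
class Pool:
    address: str
    lp_mint: Mint
    reserve_a: int
    reserve_b: int
    validate_lp_mint: bool      # False models the legacy contract that skipped the checks
    retired: bool = False
    admin: str = "pool-admin"   # assumed admin key for decommissioning

    def withdraw(self, lp_account: TokenAccount, lp_amount: int, signer: str) -> Tuple[int, int]:
        """Burn LP tokens and pay out a pro-rata share of both reserves."""
        if self.retired:
            raise PoolError(f"pool {self.address} is decommissioned")
        if lp_amount <= 0 or signer != lp_account.owner or lp_account.amount < lp_amount:
            raise PoolError("caller does not hold that many LP tokens")
        if self.validate_lp_mint:
            # Hardened path: the LP tokens must come from THIS pool's mint, and the
            # amount claimed can never exceed what that mint has actually issued.
            if lp_account.mint is not self.lp_mint:
                raise PoolError("LP token mint does not match the pool's LP mint")
            if lp_amount > self.lp_mint.supply:
                raise PoolError("claimed amount exceeds LP supply")
        # Legacy path: the share is computed against whatever mint the caller presents,
        # so a caller who controls that mint also controls the denominator.
        supply = lp_account.mint.supply
        share_a = self.reserve_a * lp_amount // supply
        share_b = self.reserve_b * lp_amount // supply
        lp_account.amount -= lp_amount
        lp_account.mint.supply -= lp_amount
        self.reserve_a -= share_a
        self.reserve_b -= share_b
        return share_a, share_b

def make_pool(validate: bool) -> Tuple[Pool, TokenAccount]:
    """Constructed sample: a pool holding 1_000 A / 2_000 B with 500 LP tokens held by alice."""
    lp_mint = Mint(address="LP-" + ("hardened" if validate else "legacy"), authority="pool-program")
    pool = Pool(address="pool", lp_mint=lp_mint, reserve_a=1_000, reserve_b=2_000,
                validate_lp_mint=validate)
    honest = TokenAccount(owner="alice", mint=lp_mint)
    lp_mint.mint_to(honest, 500, signer="pool-program")
    return pool, honest

def forged_mint_attack(pool: Pool) -> Tuple[int, int]:
    """Attacker creates an unrelated mint they control, issues themselves tokens,
    and presents that account as if it were the pool's LP."""
    fake_mint = Mint(address="attacker-mint", authority="mallory")
    fake_lp = TokenAccount(owner="mallory", mint=fake_mint)
    fake_mint.mint_to(fake_lp, 10, signer="mallory")      # supply 10, attacker holds all 10
    return pool.withdraw(fake_lp, 10, signer="mallory")   # claims 10/10 = 100% of reserves

def attack_outcome(pool: Pool) -> str:
    """Run the forged-mint attack and summarise the result as a string."""
    try:
        a, b = forged_mint_attack(pool)
        return f"drained {a} A and {b} B"
    except PoolError as e:
        return f"rejected: {e}"

def decommission(pool: Pool, treasury: dict, signer: str) -> dict:
    """Technically retire a pool: sweep idle reserves to the treasury, revoke the
    LP mint authority, and refuse all later calls. Assumed admin flow for this
    example; in practice honest LP holders would be given a redemption window first."""
    if signer != pool.admin:
        raise PoolError("not authorized to decommission")
    treasury["A"] = treasury.get("A", 0) + pool.reserve_a
    treasury["B"] = treasury.get("B", 0) + pool.reserve_b
    pool.reserve_a = pool.reserve_b = 0
    pool.lp_mint.authority = None   # no further LP tokens can ever be issued
    pool.retired = True
    return treasury

if __name__ == "__main__":
    legacy, _ = make_pool(validate=False)
    print("legacy pool:  ", attack_outcome(legacy))
    hardened, alice = make_pool(validate=True)
    print("hardened pool:", attack_outcome(hardened))
    print("honest redeem:", hardened.withdraw(alice, 250, signer="alice"))
    stale, _ = make_pool(validate=False)
    print("swept:        ", decommission(stale, {}, signer="pool-admin"))
    print("retired pool: ", attack_outcome(stale))
```

The legacy pool pays out its entire reserves to a mint it never issued, the hardened pool rejects the same call at the mint-address check, and the decommissioned legacy pool rejects it too because there is nothing left to take and the call path is closed. The point of the last case is the one the article makes: a pool that is "shut down" only in documentation still behaves like the first case.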