Hackers stole nearly 17 million dollars from abandoned smart contracts within 40 days.

Five DeFi protocols were attacked due to old contracts still retaining funds, permissions, or callable entries. These contracts are no longer a priority for the team but continue to "live" on-chain.

Written by: Zerodrift

Key Points

  • DxSale is the case with the most severe losses, with attackers stealing approximately 7.3 million dollars.
  • The issue is not a specific type of vulnerability but rather that old contracts were not fully retired, still holding economic value and operational permissions.

According to an analysis released by ZeroDrift on June 22, 2026, attackers stole approximately 16.9 million dollars from five deprecated but still operating smart contracts in the past 40 days.

The so-called "abandoned contracts" are not the same as "defunct contracts." Many contracts that the team no longer actively develops or maintains are still deployed on-chain and can still receive funds, execute transactions, or move assets. As long as they hold funds, authorizations, or callable entry points, they remain potential attack targets.

These incidents concentrated between May 7 and June 15, 2026. TrustedVolumes lost approximately 5.87 million dollars, Huma Finance V1 pool lost about 101,000 dollars, DxSale V1 Locker lost about 7.3 million dollars, Raydium Legacy AMM pool lost about 1.34 million dollars, and Aztec Connect lost approximately 2.28 million dollars in two consecutive attacks.

Figure: Cumulative losses from five incidents related to abandoned contracts within 40 days. Source: https://x.com/ZeroDriftSec/status/2069005393972670521

Contracts no longer being monitored may still control funds

The case of DxSale is particularly typical. Its old locker contract was originally used to lock liquidity long-term, ensuring that funds could not be withdrawn before the agreed period. The risk of such a system comes precisely from its design intent: it is built to safeguard value over the long term, so it keeps holding that value long after the team's attention has moved elsewhere.

Over time, the team's focus shifted to new products, monitoring rules weakened, maintenance personnel changed, and old permission pathways and historical assumptions were gradually forgotten. ZeroDrift pointed out that in the DxSale incident, an old control pathway became available again, leading to the liquidity that should have been locked being withdrawn.

The five incidents were not the reuse of the same vulnerability. They occurred in different systems, different architectures, and on different chains, involving different components such as RFQ settlement, credit pools, LP lockers, AMMs, and rollup exits.

The underlying similarity lies in the status: these contracts are no longer the active development focus of the team but still retain economic value on-chain.
Automated analysis is amplifying the risks of old contracts

Old contracts are inherently suitable for search by automated tools: the code is open, the on-chain history is complete, monitoring is weak, and they often retain outdated security assumptions. In the past, systematically searching for these long-tail targets required significant manual costs; now, code similarity searches, transaction simulations, on-chain data analyses, and AI-assisted reviews are reducing such search costs.

ZeroDrift also emphasizes that there is currently no public evidence indicating that AI was involved in these five specific attacks. What is truly concerning is the change in cost structures: attackers are finding it increasingly easy to systematically scan "yesterday's products," while defenders have yet to manage "yesterday's liabilities" with the same level of systematization.

The DeFi security industry has established a relatively mature on-boarding audit process, but contract exit, migration, and retirement still lack equally strict disciplines. A contract does not automatically become safe just because the team stops maintaining it. Only when funds, permissions, authorizations, entries, and trust assumptions are all removed can it be considered truly retired.
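As an added illustration, not code from DxSale or any project named in this article, the following hypothetical Solidity locker shows what such a retirement discipline looks like when enforced in the contract itself: it can only be retired once it holds no user funds, retiring drops the admin permission, and it permanently closes the entry points that could otherwise still be called. Contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical locker with an explicit retirement path (added example, not the
// code of any project named in the article). Retirement requires that no user
// funds remain, drops the admin permission, and closes every entry point for good.
contract RetirableLocker {
    struct Lock { address token; address owner; uint256 amount; uint64 unlockAt; }
    address public admin;        // the only operational permission; can be dropped, never reassigned
    bool public retired;         // once set, no `live` entry point is callable again
    uint256 public lockedCount;  // locks still holding user funds
    uint256 public nextId;
    mapping(uint256 => Lock) public locks;

    modifier live() { require(!retired, "locker retired"); _; }

    constructor() { admin = msg.sender; }

    function lock(address token, uint256 amount, uint64 unlockAt) external live returns (uint256 id) {
        require(unlockAt > block.timestamp, "unlock time in the past");
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        id = nextId++;
        locks[id] = Lock(token, msg.sender, amount, unlockAt);
        lockedCount++;
    }

    // Deliberately not gated by `live`: users can always reclaim matured locks.
    function withdraw(uint256 id) external {
        Lock memory l = locks[id];
        require(l.owner == msg.sender, "not lock owner");
        require(block.timestamp >= l.unlockAt, "still locked");
        delete locks[id];            // effects before the external call
        lockedCount--;
        require(IERC20(l.token).transfer(msg.sender, l.amount), "payout failed");
    }

    // There is no admin rescue or override path; the only admin action is to retire.
    function retire() external live {
        require(msg.sender == admin, "not admin");
        require(lockedCount == 0, "user funds still held");
        retired = true;        // closes every `live` entry point
        admin = address(0);    // removes the remaining permission
    }
}
```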

Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.
