The $1.34 Million Lesson: Why Your Favorite DeFi Protocol’s ‘Retired’ Code Is Still A Danger

DeFi investors were handed a sharp reminder this week that in the world of blockchain, “decommissioned” does not always mean “gone.” On June 10, 2026, the popular Solana-based decentralized exchange Raydium fell victim to a sophisticated exploit that drained approximately $1.34 million from its ecosystem. While the incident was contained to legacy pools no longer featured on the platform’s main interface, the attack highlights a growing, overlooked danger in decentralized finance: the risk posed by “ghost” smart contracts that remain active on the network long after they have been retired.

By Priya Sharma | June 12, 2026

The Incident: A Targeted Strike on Legacy Code

The attack, which occurred in the early hours of June 10, was not a result of a flaw in the current, active version of Raydium that most users interact with today. Instead, it was a surgical strike against Legacy AMM V3 pools—automated market maker contracts that had been deprecated since 2021. These contracts, effectively functioning like empty, forgotten storage units, still held significant liquidity in assets like USDC, RAY, and wSOL. The vulnerability persisted because while the pools were removed from the official front-end website, the underlying smart contracts were never formally decommissioned or “killed” on the Solana blockchain itself.

Because these pools had long been removed from the official Raydium website and user interface, most investors had moved their funds to newer, updated pools. However, the legacy contracts remained live and interactable for anyone who knew how to call the program directly on-chain. An attacker was able to identify this forgotten liquidity, leverage a logic flaw within the outdated code, and siphon the assets out into their own wallet with relative ease, as these contracts were no longer being actively monitored by the protocol’s security infrastructure. This incident underscores that in the decentralized landscape, visibility on a front-end is not the same as security, and “deprecated” code on a blockchain remains an active, permanent vulnerability unless it is explicitly and permanently neutralized.

Technical Post-Mortem: The ‘Forged LP Token’ Flaw

At the heart of the exploit was a clever “forged LP token attack.” In DeFi, LP (Liquidity Provider) tokens act like a claim ticket at a coat check; they prove how much of a shared pool belongs to you. Normally, a protocol checks that your claim ticket is genuine before letting you withdraw your share.

In the deprecated Raydium V3 contracts, the security checks were insufficiently robust. The attacker essentially “forged” these digital claim tickets. Because the contracts were old and not subject to the same rigorous oversight as modern deployments, they lacked the validation mechanisms required to detect that these tokens were not authentic. By submitting these forged tokens, the attacker tricked the contract into “authorizing” the withdrawal of real, valuable assets. It was equivalent to someone walking into a bank with a fake ID that the bank’s security system was too outdated to flag as fraudulent.
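The article does not say which check was missing, so the following is an added, constructed model rather than Raydium's code. It shows one common form of LP-token validation: binding the submitted token account's mint to the LP mint the pool itself recorded. All type and function names (`Pool`, `TokenAccount`, `withdraw`, `redeem_counterfeit`) and all values are hypothetical.

```rust
// Constructed model, not Raydium's code: all types and names are hypothetical.
#[derive(Clone, Copy, PartialEq, Debug)]
struct Pubkey(u8); // stand-in for a 32-byte address

struct TokenAccount { mint: Pubkey, owner: Pubkey, amount: u64 }
struct Pool { lp_mint: Pubkey, lp_supply: u64, reserve_a: u64, reserve_b: u64 }

#[derive(Debug, PartialEq)]
enum WithdrawError { WrongMint, NotOwner, BadAmount }

/// Redeem `lp_amount` LP tokens for a pro-rata share of both reserves.
/// `validate_mint = false` models a contract that skips the authenticity check.
fn withdraw(pool: &mut Pool, lp: &mut TokenAccount, signer: Pubkey,
            lp_amount: u64, validate_mint: bool) -> Result<(u64, u64), WithdrawError> {
    // The claim ticket must be issued by this pool's own LP mint.
    if validate_mint && lp.mint != pool.lp_mint {
        return Err(WithdrawError::WrongMint);
    }
    if lp.owner != signer {
        return Err(WithdrawError::NotOwner);
    }
    if lp_amount == 0 || lp_amount > lp.amount || lp_amount > pool.lp_supply {
        return Err(WithdrawError::BadAmount);
    }
    // u128 intermediates keep reserve * amount from overflowing.
    let supply = pool.lp_supply as u128;
    let out_a = (pool.reserve_a as u128 * lp_amount as u128 / supply) as u64;
    let out_b = (pool.reserve_b as u128 * lp_amount as u128 / supply) as u64;
    lp.amount -= lp_amount;
    pool.lp_supply -= lp_amount;
    pool.reserve_a -= out_a;
    pool.reserve_b -= out_b;
    Ok((out_a, out_b))
}

/// Runs one counterfeit redemption against a fresh constructed pool.
fn redeem_counterfeit(validate_mint: bool) -> Result<(u64, u64), WithdrawError> {
    let mut pool = Pool { lp_mint: Pubkey(1), lp_supply: 1_000,
                          reserve_a: 500_000, reserve_b: 20_000 };
    let user = Pubkey(9);
    // Token account whose balance comes from an unrelated mint (Pubkey(7)).
    let mut fake = TokenAccount { mint: Pubkey(7), owner: user, amount: 400 };
    withdraw(&mut pool, &mut fake, user, 400, validate_mint)
}

fn main() {
    println!("no mint check:   {:?}", redeem_counterfeit(false));
    println!("with mint check: {:?}", redeem_counterfeit(true));
}
```

Without the mint comparison the model pays out real reserves against a balance the pool never issued; with it, the same request is rejected before any arithmetic runs.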

Governance Impact: From Oversight to Compensation

The response from the Raydium team was immediate, if reactive. Upon discovery of the unauthorized outflows, the team confirmed that the exploit was isolated to the Legacy V3 pools and that all active, current-version liquidity pools remained safe. To address the fallout, the protocol has pledged to tap into its treasury to fully reimburse the affected users—a move designed to maintain user trust in the aftermath of the breach.

This incident is already triggering a shift in governance norms across the industry. Protocols are now under increased pressure to implement “protocol decommissioning” standards. It is no longer enough to simply “hide” old pools from a website; governance proposals are now favoring mandatory migration periods, where old contracts are systematically drained, migrated, and then programmatically disabled to ensure they can never be interacted with again. This shift marks a maturing of the sector, acknowledging that leaving old code live on-chain is akin to leaving a back door unlocked in a house you’ve already moved out of.

Long-Term Prognosis: Why Investors Should Care

The Raydium exploit is part of a larger, alarming trend in DeFi this quarter. Industry reports from CertiK and Chainalysis released this week indicate that Q2 2026 has seen approximately 70 separate exploits resulting in $746 million in stolen funds—nearly doubling the record for losses in a single quarter.

For the regular investor, this serves as a critical lesson in DeFi hygiene. Even if a protocol feels “safe” and reputable, you are still interacting with code that may have been written years ago. If you still have funds tied up in older pools, or if you are interacting with protocols that have undergone multiple version updates, it is time to check your wallet. Are your assets in the most current, audited version of the protocol, or are they sitting in an “old” contract that has been forgotten? As we’ve seen this week, your assets are only as secure as the last line of code that protects them—even if that code was “retired” half a decade ago.

The cryptocurrency market remains highly volatile. This article is for informational purposes only and does not constitute financial advice.

8 thoughts on “The $1.34 Million Lesson: Why Your Favorite DeFi Protocol’s ‘Retired’ Code Is Still A Danger”

  1. 0xPhantom.eth

    deprecated since 2021 and nobody thought to kill the contracts? $1.34m is honestly a low price for that level of negligence

    1. 0xPhantom is right, $1.34m is cheap. wait till someone hits a uniswap v2 pool with $50m in it. the reckoning is coming

  2. the article says legacy pools but let's be real, Raydium UI was still routing some traffic through those contracts as recently as March. not exactly decommissioned

  3. Mira Kowalczyk

    This is why I never leave liquidity in pools I am not actively monitoring. Ghost contracts sitting around with USDC and RAY is just asking for trouble.

    1. ^ same, pulled everything from Raydium V3 months ago. the front-end being gone means nothing when the contract is still live on-chain. basic opsec

      1. honestly the scary part is how many other DEXes have the same problem. uniswap v2 pools are still sitting there with millions in them and nobody maintains that code anymore

    2. gasfeemonster

      Mira is right, but also some of these pools were yielding 15%+ APY. people knew the risk and stayed for the yield. feels a bit like blaming the victim to say they should have known

  4. Solana teams really need a formal decommission process. you don't just hide the UI and call it done. revoke authority, migrate funds, then mark it dead.
