Hackers stole nearly $17 million in 40 days, and "zombie contracts" are becoming hackers' ATMs.

PANews

Author: ZeroDrift

Key Points

  • DxSale is the largest single loss: attackers drained approximately $7.3 million from its V1 locker.
  • The common thread is not one specific vulnerability but incomplete decommissioning: old contracts still hold economic value and still carry live operational permissions.

According to an analysis published by ZeroDrift on June 22, 2026, attackers have stolen approximately $16.9 million over the past 40 days from five smart contracts that had been deprecated but were still operating on-chain.

A "deprecated contract" is not the same thing as an "inactive contract." Many contracts that the team no longer develops or maintains remain deployed on-chain and can still receive funds, execute transactions, or move assets. As long as a contract still holds funds, carries authorizations, or exposes callable entry points, it remains a target.

These incidents occurred primarily between May 7, 2026, and June 15, 2026. TrustedVolumes lost approximately $5.87 million, Huma Finance V1 pool lost approximately $101,000, DxSale V1 Locker lost approximately $7.3 million, Raydium Legacy AMM pool lost approximately $1.34 million, and Aztec Connect lost approximately $2.28 million in two consecutive attacks.

Figure: Cumulative losses from five incidents related to deprecated contracts within 40 days. Source: ZeroDrift / X.

Contracts that no one is watching may still hold funds

The DxSale case is typical. Its old locker contract was built for long-term liquidity locking, guaranteeing that funds could not be withdrawn before the agreed term. The risk of such a system follows directly from its intended design: it is meant to hold value securely for a long time, and therefore keeps holding value long after anyone is paying attention to it.

As time passed, the team's attention shifted to new products, monitoring rules weakened, maintenance personnel changed, and old permission pathways and historical assumptions were gradually forgotten. ZeroDrift pointed out that in the DxSale incident, an old control pathway became accessible again, leading to liquidity that should have been locked being withdrawn.

The five incidents are not a repeat exploitation of the same vulnerability. They occurred across different systems, architectures, and chains, involving different components such as RFQ settlement, credit pools, LP lockers, AMMs, and rollup exits.

What is fundamentally the same is the underlying state: these contracts are no longer a primary development focus for the team, yet they still retain economic value on-chain.

Automated analysis is amplifying the risks of old contracts

Old contracts are natural targets for automated search: the code is public, the on-chain history is complete, monitoring is weak, and they often embed security assumptions that no longer hold. Systematically combing through these long-tail targets used to require substantial manual effort; now code similarity search, transaction simulation, on-chain data analysis, and AI-assisted review are driving that search cost down.

ZeroDrift also emphasized that there is currently no public evidence indicating AI involvement in these five specific attacks. What is truly concerning is the change in the cost structure: attackers are increasingly able to systematically scan "yesterday's products," while defenders have not managed "yesterday's responsibilities" in the same systematic way.

The DeFi security industry has developed a relatively mature audit process for new launches, but contract exits, migrations, and decommissioning still lack the same discipline. A contract does not become safe simply because the team stops maintaining it. It only counts as truly retired when its funds, permissions, authorizations, entry points, and trust assumptions have all been removed.
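The retirement criteria above, and the earlier point that a contract stays a target while it still holds funds, carries authorizations, or exposes callable entry points, can be expressed as an explicit sunset path in the contract itself. The following is an added illustration written for this article; it is not DxSale's code or any code from the projects named here. It assumes a single-token ERC-20 locker, a hypothetical successor contract exposing `receiveMigratedLock`, and minimal `IERC20` and `ISuccessorLocker` interfaces defined inline.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from DxSale or any project named in the article.
// A single-token liquidity locker whose retirement path removes, in order:
// entry points (no new locks), funds (every lock withdrawn or migrated, residue
// swept) and permissions (owner zeroed), so nothing of value is left behind.
// IERC20 and ISuccessorLocker are minimal interfaces assumed for this example.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical replacement locker; it must honour the original unlock time.
interface ISuccessorLocker {
    function receiveMigratedLock(address user, uint256 amount, uint64 unlockTime) external;
}

contract SunsetLocker {
    struct Lock { uint256 amount; uint64 unlockTime; }

    IERC20 public immutable token;
    ISuccessorLocker public immutable successor;
    address public owner;
    bool public retired;
    uint256 public totalLocked;               // sum of every open lock
    mapping(address => Lock[]) public locks;

    event Locked(address indexed user, uint256 amount, uint64 unlockTime);
    event Withdrawn(address indexed user, uint256 amount);
    event Migrated(address indexed user, uint256 amount, uint64 unlockTime);
    event Retired(uint256 sweptResidue);

    error NotOwner();
    error ContractRetired();
    error StillLocked(uint64 unlockTime);
    error LocksRemain(uint256 totalLocked);

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    modifier whenNotRetired() { if (retired) revert ContractRetired(); _; }

    constructor(IERC20 token_, ISuccessorLocker successor_) {
        token = token_;
        successor = successor_;
        owner = msg.sender;
    }

    // Deposits are the first thing retirement switches off: no new value may enter.
    function lock(uint256 amount, uint64 unlockTime) external whenNotRetired {
        require(unlockTime > block.timestamp, "unlock time in past");
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        locks[msg.sender].push(Lock(amount, unlockTime));
        totalLocked += amount;
        emit Locked(msg.sender, amount, unlockTime);
    }

    // Withdrawal stays available at all times, retired or not: retirement must never
    // trap user funds. There is deliberately no owner-only path that bypasses the term.
    function withdraw(uint256 index) external {
        Lock memory l = locks[msg.sender][index];
        if (block.timestamp < l.unlockTime) revert StillLocked(l.unlockTime);
        _remove(msg.sender, index);                       // effects before interaction
        require(token.transfer(msg.sender, l.amount), "transfer failed");
        emit Withdrawn(msg.sender, l.amount);
    }

    // Users move still-locked positions to the successor; the lock term travels with them.
    function migrate(uint256 index) external {
        Lock memory l = locks[msg.sender][index];
        _remove(msg.sender, index);
        require(token.transfer(address(successor), l.amount), "transfer failed");
        successor.receiveMigratedLock(msg.sender, l.amount, l.unlockTime);
        emit Migrated(msg.sender, l.amount, l.unlockTime);
    }

    // Retirement is only possible once no user lock remains. Any residue (tokens sent
    // directly to the contract) is swept to the successor so dust cannot block the
    // sunset, and the owner role is burned so no admin pathway survives for a later
    // attacker to rediscover.
    function retire() external onlyOwner whenNotRetired {
        if (totalLocked != 0) revert LocksRemain(totalLocked);
        uint256 residue = token.balanceOf(address(this));
        retired = true;
        owner = address(0);
        if (residue != 0) {
            require(token.transfer(address(successor), residue), "sweep failed");
        }
        emit Retired(residue);
    }

    // Drops lock `index` for `user` (swap-and-pop) and updates the running total.
    function _remove(address user, uint256 index) private {
        Lock[] storage list = locks[user];
        uint256 amount = list[index].amount;
        list[index] = list[list.length - 1];
        list.pop();
        totalLocked -= amount;
    }
}
```

The point of the design is that after `retire()` every one of the article's five conditions is checked by code rather than by memory: `lock` reverts, so there is no live entry point for new value; `totalLocked == 0` and the sweep mean no funds remain; `owner == address(0)` means `onlyOwner` can never pass again, so no forgotten control pathway can be reopened; and the only trust assumption left is the one that was declared up front, the successor contract. A locker that instead keeps an `emergencyUnlock` or similar owner bypass alive after the team moves on is exactly the kind of old control pathway the article describes.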

Disclaimer: This article represents the author's personal views only and does not represent the position or views of this platform. It is provided for informational purposes only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes any rights, please send proof of the relevant rights and of your identity by email to support@aicoin.com, and the platform's staff will review it.
