Hackers Are Stealing From Forgotten Smart Contracts: $17 Million Stolen in Just 40 Days
Instead of targeting new, well-protected protocols, hackers are increasingly attacking old, deprecated smart contracts that everyone has forgotten about. Over the past 40 days (from May 7 to June 15, 2026), attackers extracted nearly $17 million from contracts that were considered obsolete but remained live on-chain with real economic value.
This is not a series of isolated incidents — it’s a clear emerging trend. Deprecated contracts continue to hold funds, permissions, approvals, or operational authority long after teams have stopped maintaining or monitoring them.
Specific Incidents Over the Last 40 Days
Here are the five publicly documented cases that make up this ~$17 million total:
TrustedVolumes (Ethereum)
TrustedVolumes, a liquidity provider and market maker/resolver used by 1inch Fusion, was drained through a vulnerability in its custom RFQ swap proxy. The attacker bypassed an authorization boundary and accessed a code path that should never have been reachable by an untrusted caller.

Funds stolen included WETH, USDT, WBTC, and USDC. The stolen assets were later laundered through Tornado Cash and other mixers. 1inch clarified that its core protocol was not affected.
Huma Finance V1 Pools (Polygon)
Attackers exploited a logic bug in the credit-lifecycle management of deprecated V1 BaseCreditPool contracts. They performed unauthorized drawdowns, draining approximately 82,316 USDC + 19,075 USDC.e.

The pools were already in the process of being wound down. Huma Finance quickly paused the affected contracts, published a post-mortem, and confirmed that its V2 system on Solana and user funds in the current platform were unaffected.
DxSale V1 Locker (BNB Chain)
The largest loss in the period. Attackers drained over 1,400 legacy liquidity pools from the old V1 locker contract (deployed in 2021).

The exploit was enabled by an earlier ownership transfer of the locker contract (269 days prior) combined with privileged function abuse — the attacker reduced modification fees to 1 wei, reset lock timestamps, and performed batch withdrawals. The V2+ lockers remained safe.
Raydium Legacy AMM V3 (Solana)
Hackers exploited five deprecated liquidity pools in Raydium’s old AMM V3 program (phased out in 2021). The vulnerability was insufficient validation of LP token mint addresses.

The attacker created a fake SPL token mint, minted a counterfeit LP token, and called the legacy withdraw function to drain real liquidity. Raydium confirmed the incident and pledged to fully compensate affected users from its treasury. Current pools and users were not impacted.
Aztec Connect (Ethereum)
Two separate attacks on consecutive days targeted the deprecated Aztec Connect contracts (sunset in 2023). The contracts were immutable with admin keys already renounced.

Attackers exploited a flaw in proof verification logic (mismatch between ZK-proof validation and on-chain settlement/escape hatch mechanisms), draining trapped value that could no longer be paused or upgraded. Aztec Labs had no control over the contracts.
Here’s a summary table for quick reference:
| Date | Protocol | Chain | Amount | Root Cause | Contract Status |
|---|---|---|---|---|---|
| May 7 | TrustedVolumes | Ethereum | ~$5.87–6.7M | Authorization bypass in RFQ proxy | Deprecated infrastructure |
| May 11 | Huma Finance V1 | Polygon | ~$101K | Credit-lifecycle logic bug | Deprecated (winding down) |
| May 27–29 | DxSale V1 Locker | BNB Chain | ~$7.3M | Ownership transfer + privileged abuse | Legacy V1 (2021) |
| June 10 | Raydium Legacy AMM V3 | Solana | ~$1.34M | Fake LP mint validation flaw | Deprecated since 2021 |
| June 14–15 | Aztec Connect | Ethereum | ~$2.28M | Proof verification mismatch | Immutable + keys renounced |
What Projects Should Do: A Proper Smart Contract Retirement Process
Simply disabling the frontend or announcing that a contract is “deprecated” is not enough. A contract is only truly retired when value, permissions, and trust assumptions are completely removed.
Here’s what a proper retirement process should include:
- Remove all value before removing attention. Withdraw every token, liquidity position, and reward. Give users clear migration instructions and incentives. No system should stop being monitored while it can still custody or move user assets.
- Revoke all permissions and privileges. Conduct a full inventory and revoke approvals, owner rights, signers, relayers, keepers, routers, and any administrative privileges. “We no longer use this contract” does not mean it can no longer move funds.
- Implement monitoring for any activity (“resurrection” alerts). Set up alerts for new deposits into legacy pools, approvals to old spenders, unexpected balance changes, calls to dormant functions, and activity through forgotten privileged paths. Keep legacy contracts in bug bounty programs and security monitoring.
- Have a clear plan for the “no-patch” scenario. If a contract is immutable or admin keys have been renounced, you cannot pause or upgrade it. In such cases, strengthen migration incentives, provide clear risk disclosures, and prepare a ready-to-execute incident response playbook.
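The “resurrection” monitoring step above, as an added example that is not part of the original article or any of the projects it names: a small detector that runs already-decoded records against an inventory of retired contracts and flags the signals the checklist lists (deposits into legacy pools, approvals to old spenders, calls to dormant or privileged functions, and sharp balance drops). Every address, selector, threshold and record below is constructed for illustration.

```python
"""Resurrection-alert detector for retired contracts (added example, not from the article).

Scans already-decoded records (constructed below; every address, selector and
amount is made up) and flags the signals the retirement checklist names."""

# Retired contracts still under watch: address -> {function selector: (name, is_privileged)}.
# Hypothetical inventory; in practice it comes out of the revocation/inventory step.
LEGACY = {
    "0xLEGACY_LOCKER_V1": {"0xabcdef01": ("setFee", True), "0x12345678": ("withdrawBatch", False)},
    "0xLEGACY_POOL_V1": {"0x9abcdef0": ("drawdown", False)},
}
DRAIN_THRESHOLD = 0.5  # alert when a legacy contract loses >= 50% of a token balance in one window

def alert_for(rec):
    """Return an alert string for one record, or None if it is not a resurrection signal."""
    kind = rec["type"]
    if kind == "Transfer" and rec["to"] in LEGACY:            # new deposit into a legacy pool
        return f"DEPOSIT: {rec['value']} {rec['token']} sent to retired {rec['to']}"
    if kind == "Approval" and rec["spender"] in LEGACY:       # approval granted to an old spender
        return f"APPROVAL: {rec['owner']} approved retired spender {rec['spender']} for {rec['value']}"
    if kind == "Call" and rec["to"] in LEGACY:                # any call into a dormant contract
        name, privileged = LEGACY[rec["to"]].get(rec["selector"], ("unknown selector", False))
        level = "PRIVILEGED CALL" if privileged else "DORMANT CALL"
        return f"{level}: {rec['from']} called {name} ({rec['selector']}) on retired {rec['to']}"
    if kind == "Balance" and rec["contract"] in LEGACY and rec["before"] > 0:
        drop = (rec["before"] - rec["after"]) / rec["before"]  # fraction of balance that left
        if drop >= DRAIN_THRESHOLD:
            return f"BALANCE: {rec['token']} on {rec['contract']} fell {rec['before']} -> {rec['after']} ({drop:.0%})"
    return None

def scan(records):
    """Run every record through alert_for and keep the hits, in input order."""
    return [a for a in (alert_for(r) for r in records) if a is not None]

# Constructed sample records, shaped like what a decoder or indexer might emit.
SAMPLE_RECORDS = [
    {"type": "Transfer", "token": "USDC", "from": "0xUSER1", "to": "0xLEGACY_POOL_V1", "value": 5000},
    {"type": "Approval", "token": "WETH", "owner": "0xUSER2", "spender": "0xLEGACY_LOCKER_V1", "value": 2**256 - 1},
    {"type": "Call", "to": "0xLEGACY_LOCKER_V1", "selector": "0xabcdef01", "from": "0xUNKNOWN"},
    {"type": "Balance", "contract": "0xLEGACY_POOL_V1", "token": "USDC", "before": 100000, "after": 17684},
    {"type": "Balance", "contract": "0xLEGACY_POOL_V1", "token": "USDC", "before": 100000, "after": 99900},
    {"type": "Transfer", "token": "USDC", "from": "0xUSER3", "to": "0xACTIVE_POOL_V2", "value": 100},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_RECORDS):
        print(line)
```

The last two sample records show the negative cases: a small balance change below the threshold and a deposit into a current contract produce no alert.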
Final Takeaway
The next major DeFi loss may not come from a shiny new feature. It may come from a contract a team already announced was old, and then left economically alive on-chain.
Security teams have become very good at reviewing launches. The next discipline the industry needs is reviewing exits.
Until proper contract retirement becomes standard practice, legacy contracts will remain one of the easiest and most attractive targets for attackers.