Hackers stole nearly $17 million in 40 days, 'zombie contracts' are becoming hackers' ATMs

In the past 40 days, five DeFi contracts that have been abandoned yet still running on-chain have caused approximately $16.9 million in losses. The problem lies not in a single vulnerability, but in the incomplete retirement of old contracts, which still retain funds, permissions, or callable entry points.

Author: ZeroDrift

Key Points

  • DxSale is the most severe case, with the attacker stealing approximately $7.3 million.
  • The issue is not a single vulnerability, but incomplete retirement of old contracts that still retain economic value and operational permissions.

According to an analysis published by ZeroDrift on June 22, 2026, over the past 40 days attackers have stolen approximately $16.9 million from five smart contracts that have been abandoned but are still running on-chain.

So-called "abandoned contracts" are not the same as "dead contracts." Many contracts, though no longer actively developed and maintained by their teams, remain deployed on-chain and can still receive funds, execute transactions, or move assets. As long as there are still funds, authorizations, or callable entry points inside, they remain targets for attack.

These incidents occurred between May 7 and June 15, 2026. TrustedVolumes lost roughly $5.87 million, the Huma Finance V1 pool lost roughly $101,000, the DxSale V1 Locker lost roughly $7.3 million, Raydium Legacy AMM pools lost roughly $1.34 million, and Aztec Connect lost roughly $2.28 million across two consecutive attacks.

Figure: Cumulative losses caused by five abandoned contract incidents within 40 days. Source: ZeroDrift / X.

Contracts Nobody Looks At Can Still Hold Funds

The DxSale case is particularly emblematic. Its old locker contract was originally designed to lock liquidity for the long term, ensuring funds could not be withdrawn before the agreed time. The risk in such systems comes precisely from that design purpose: a contract built to custody value for years keeps holding value long after the team has stopped looking at it.

Over time, team attention shifts to new products, monitoring rules weaken, maintenance personnel change, and old permission paths and historical assumptions are gradually forgotten. ZeroDrift notes that in the DxSale incident, an old control path became available again, allowing supposedly locked liquidity to be removed.

These five incidents are not repeated exploitation of the same vulnerability. They happened across different systems, different architectures, and different chains, involving components such as RFQ settlement, credit pools, LP lockers, AMMs, and rollup exits.

What is truly consistent is the underlying state: these contracts were no longer the focus of active development by their teams, yet still retained economic value on-chain.

Automated Analysis Is Amplifying Risks in Old Contracts

Old contracts are natural targets for automated search: their code is public, their on-chain history is complete, monitoring is weaker, and they often retain outdated security assumptions. In the past, systematically finding these long-tail targets required significant manual effort; now, code similarity searches, transaction simulation, on-chain data analysis, and AI-assisted review are lowering those search costs.

ZeroDrift also stresses that there is currently no public evidence that AI was involved in these five specific attacks. What truly matters is the shift in cost structure: attackers find it increasingly easy to systematically scan "yesterday's products," while defenders have not yet systematically managed "yesterday's responsibilities."

The DeFi security industry has developed relatively mature launch audit processes, but contract exit, migration, and retirement still lack equally strict discipline. A contract does not become safe just because the team stops maintaining it. Only when funds, permissions, authorizations, entry points, and trust assumptions are all removed can it truly retire.
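The retirement conditions listed above (funds, permissions, authorizations, entry points, trust assumptions) and the distinction between "abandoned" and "dead" contracts drawn earlier can be turned into an inventory check. The script below is an added example, not ZeroDrift's code or any protocol's tooling: it evaluates those conditions over a snapshot of a contract's observable state and labels each contract retired, active, or zombie (abandoned but still economically live). The snapshot fields, contract names and addresses are constructed for illustration; in practice they would be populated from an RPC node or indexer.

```python
"""Retirement-gap checker for deployed contracts (added example, not the
article's or any project's code). The snapshot shape and sample inventory
are constructed; real runs would fill them from an RPC node or indexer."""
from __future__ import annotations

from dataclasses import dataclass, field

ZERO_ADDRESS = "0x" + "0" * 40  # conventional value of a renounced owner


@dataclass
class ContractSnapshot:
    name: str
    address: str
    maintained: bool                 # team still treats it as a live product
    monitored: bool                  # alerting still covers this address
    paused: bool = False             # global pause / kill switch engaged
    native_balance_wei: int = 0      # value held directly
    token_balances: dict[str, int] = field(default_factory=dict)      # symbol -> raw amount
    owner: str = ZERO_ADDRESS        # Ownable-style owner
    roles: dict[str, list[str]] = field(default_factory=dict)         # role -> holders
    allowances_granted: dict[str, int] = field(default_factory=dict)  # spender -> allowance
    entry_points: list[str] = field(default_factory=list)             # callable state-changing fns
    trusted_by: list[str] = field(default_factory=list)               # live contracts that still rely on this one


def retirement_gaps(snap: ContractSnapshot) -> list[str]:
    """Return every condition that still keeps the contract 'alive'."""
    gaps: list[str] = []
    if snap.native_balance_wei > 0 or any(v > 0 for v in snap.token_balances.values()):
        gaps.append("funds: contract still custodies value")
    if snap.owner != ZERO_ADDRESS:
        gaps.append(f"permissions: owner {snap.owner} has not been renounced")
    live_roles = sorted(r for r, holders in snap.roles.items() if holders)
    if live_roles:
        gaps.append(f"permissions: roles still assigned: {live_roles}")
    if any(v > 0 for v in snap.allowances_granted.values()):
        gaps.append("authorizations: outstanding allowances to other spenders")
    if snap.entry_points and not snap.paused:
        gaps.append("entry points: state-changing functions still callable")
    if snap.trusted_by:
        gaps.append(f"trust assumptions: still trusted by {sorted(snap.trusted_by)}")
    return gaps


def classify(snap: ContractSnapshot) -> str:
    """'retired' when no gap remains, 'active' while maintained, else 'zombie'."""
    if not retirement_gaps(snap):
        return "retired"
    return "active" if snap.maintained else "zombie"


def zombie_report(inventory: list[ContractSnapshot]) -> dict[str, dict]:
    """Status, open gaps, and whether an exploit would go unnoticed."""
    return {
        s.name: {
            "status": classify(s),
            "gaps": retirement_gaps(s),
            "blind_spot": classify(s) == "zombie" and not s.monitored,
        }
        for s in inventory
    }


# Constructed inventory: names and addresses are illustrative, not real deployments.
SAMPLE_INVENTORY = [
    ContractSnapshot(name="LegacyLockerV1", address="0x" + "01" * 20,
                     maintained=False, monitored=False,
                     token_balances={"LP-A": 4_200_000 * 10**18},
                     owner="0x" + "aa" * 20,
                     roles={"EMERGENCY_WITHDRAW": ["0x" + "aa" * 20]},
                     entry_points=["withdraw", "extendLock", "emergencyWithdraw"]),
    ContractSnapshot(name="PoolV1", address="0x" + "02" * 20,
                     maintained=False, monitored=True, paused=True,
                     roles={"ADMIN": []},
                     trusted_by=["PoolV2"]),  # V2 still reads V1 accounting
    ContractSnapshot(name="PoolV0", address="0x" + "04" * 20,
                     maintained=False, monitored=False, paused=True),
    ContractSnapshot(name="RouterV2", address="0x" + "03" * 20,
                     maintained=True, monitored=True,
                     owner="0x" + "bb" * 20,
                     entry_points=["swap", "addLiquidity"]),
]

if __name__ == "__main__":
    for name, row in zombie_report(SAMPLE_INVENTORY).items():
        print(name, row["status"], "BLIND SPOT" if row["blind_spot"] else "", *row["gaps"], sep="\n  ")
```

The useful output is the combination: a contract that is unmaintained, unmonitored, and still has open gaps is exactly the profile the article describes. Note that a pause alone does not close an entry-point gap if an owner or role holder can still unpause; that is why the owner and role checks stay independent of the pause flag.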


Opinions belong to the column author and do not represent PANews.
