BlockThreat - Week 24, 2026

$42.4M stolen across 15 incidents as attackers return to old code, exposed keys and deprecated protocols still holding value.

More than $42M was stolen across 15 incidents, with the largest loss coming from the $36M hack of Humanity Protocol, where multiple multisig keys were exposed on a single compromised laptop. The incident is now suspected to involve DPRK, which had been relatively quiet last month after a series of brazen hacks in April. Beyond the headline loss, let's discuss an attack pattern I warned about in last year's The State of DeFi Security at DSS.

Old Code, Fresh Loot

For months, I have been tracking threat actors quietly exploiting old contracts, half-retired pools, and vulnerabilities that were patched in one place but never fully applied across the whole protocol. This week, the pattern became much harder to ignore, with 5(!) older smart contracts exploited within days of each other. Two incidents make the point especially well:

Raydium lost approximately $1.34 million on June 10 after an attacker found a function parameter validation bug and drained five deprecated liquidity pools in its legacy AMM V3 program. These were older pools tied to the long-defunct Serum order book integration and had been inactive since 2021. Unfortunately, enough value was left behind to make them worth exploiting.

Aztec Connect tells a similar story. The protocol had been deprecated years earlier, but its contracts still held assets. The exploit abused a mismatch between transaction verification and settlement logic to create unbacked balances and drain $2.19 million. You can find a complete write-up in the Hacks section below.

The lesson is that attackers do not need to target a protocol's current, high-security contracts when plenty of value is still sitting in older infrastructure. These forgotten deployments have fallen behind the continuously evolving security practices applied to newer contracts.

Some takeaways:

  • Defenders should treat old contracts as part of the live attack surface until they are no longer economically relevant.
  • Defenders should ensure that each vulnerability triggers a protocol-wide hunt for older deployments and abandoned integrations that may be affected.
  • Auditors and bug bounty hunters should learn from what attackers are already doing and remember to look at long-forgotten contracts, legacy integrations, and old versions where security assumptions may be weaker and value may still remain.
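To make the first two takeaways concrete, here is a small Python inventory check I put together for this issue. It is example code, not anything from Raydium, Aztec or any other protocol named here, and the inventory, names, addresses and hashes in it are constructed. It ranks deprecated deployments by the value they still hold, and, once a fix has landed in one place, lists every other deployment still executing the same implementation bytecode. It assumes you record the hash of the implementation bytecode behind each deployment (the implementation, not the proxy) and a rough TVL figure per contract.

```python
"""Legacy attack-surface inventory check (constructed example, not protocol code).

Two questions a defender should be able to answer quickly:
  1. Which deprecated deployments still hold enough value to be worth attacking?
  2. After a fix lands in one place, which other deployments still run the same
     vulnerable implementation bytecode?
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Deployment:
    name: str
    address: str          # constructed placeholder, not a real on-chain address
    impl_code_hash: str   # hash of the implementation bytecode actually executing
    deprecated: bool      # no longer the version users are pointed at
    tvl_usd: float        # value the contract still custodies
    monitored: bool       # covered by alerting, a pause path and bounty scope


# Constructed inventory shaped like the pattern in the text: a current version
# that received a fix, legacy pools sharing an older implementation, and a
# retired bridge still holding funds. Hashes are labels, not real digests.
INVENTORY: List[Deployment] = [
    Deployment("amm-v4-main-pool", "addr-01", "impl-v4-fixed", False, 12_000_000.0, True),
    Deployment("amm-v3-legacy-pool-1", "addr-02", "impl-v3", True, 410_000.0, False),
    Deployment("amm-v3-legacy-pool-2", "addr-03", "impl-v3", True, 930_000.0, False),
    Deployment("amm-v3-legacy-pool-3", "addr-04", "impl-v3", True, 1_200.0, False),
    Deployment("bridge-connect-v1", "addr-05", "impl-bridge-v1", True, 2_190_000.0, False),
    Deployment("staking-v2", "addr-06", "impl-staking-v2", False, 3_500_000.0, True),
]


def residual_value_targets(inventory: List[Deployment], min_tvl_usd: float) -> List[Deployment]:
    """Deprecated deployments still worth an attacker's time, richest first.

    Anything below min_tvl_usd is treated as economically irrelevant and can be
    dropped from the live attack surface once it is confirmed empty or swept.
    """
    hits = [d for d in inventory if d.deprecated and d.tvl_usd >= min_tvl_usd]
    return sorted(hits, key=lambda d: d.tvl_usd, reverse=True)


def same_bytecode_siblings(inventory: List[Deployment], vulnerable_impl_hash: str) -> List[Deployment]:
    """Protocol-wide hunt after a fix: every deployment still executing the
    vulnerable implementation. This only finds byte-identical copies; forks built
    from the same source with different compiler settings need source review.
    """
    return [d for d in inventory if d.impl_code_hash == vulnerable_impl_hash]


def unmonitored_value_usd(inventory: List[Deployment]) -> float:
    """Total value sitting in contracts with no alerting, pause path or bounty scope."""
    return sum(d.tvl_usd for d in inventory if not d.monitored)


def triage(inventory: List[Deployment], min_tvl_usd: float, vulnerable_impl_hash: str) -> Dict[str, object]:
    """One report a defender can act on: what to sweep or pause first, where the
    just-fixed bug still lives, which of those still hold real value, and how
    much value is entirely unwatched."""
    targets = residual_value_targets(inventory, min_tvl_usd)
    siblings = same_bytecode_siblings(inventory, vulnerable_impl_hash)
    sibling_names = {d.name for d in siblings}
    return {
        "targets": [d.name for d in targets],
        "siblings": [d.name for d in siblings],
        # Still running the vulnerable code AND holding value: pause these first.
        "urgent": [d.name for d in targets if d.name in sibling_names],
        "unmonitored_usd": unmonitored_value_usd(inventory),
    }


if __name__ == "__main__":
    report = triage(INVENTORY, min_tvl_usd=100_000.0, vulnerable_impl_hash="impl-v3")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The threshold is the point of the first takeaway: a pool holding a few thousand dollars can be retired from the attack surface, a pool holding six figures cannot, whatever its age. The bytecode match is a cheap first pass for the second takeaway; it tells you nothing about reimplementations or differently compiled forks, so treat a clean result as "nothing byte-identical", not "nothing affected".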

Paid subscribers this week will also learn about multiple consensus vulnerabilities in major blockchains and one exploited infinite-mint vulnerability, my favorite security talks from ETH Prague 2026, a couple of fantastic bounty-tracking and reputation resources essential for bug hunters, hard-core vulnerability write-ups from the likes of Trail of Bits, ZKSecurity, Zero Cool and others, and of course post-mortems and write-ups for every single exploit this week, including Humanity Protocol, Top Token, MILC bridge, Pactus Chain, Haedal and others, so you may learn their lessons and never repeat them.

Let’s dive into the news!