An attacker exploited an outdated smart contract on the Polygon blockchain, draining about $261,200 in cryptocurrency, according to blockchain security firm TenArmorAlert. The incident, detected on June 23, is the latest example of how vulnerabilities in older decentralized finance infrastructure can still expose funds to theft.
Posting on X, TenArmorAlert said the attacker targeted a legacy Royalties contract and used the flaw to generate a payout worth roughly $263,800 from an initial transaction involving about $2,600 in USDC.e. Blockchain records show the exploit was carried out in a transaction included in Polygon block 89,018,051.
Flawed reward logic enabled massive payout
TenArmorAlert said it detected the suspicious transaction shortly after it took place and linked the attack to a weakness in the contract’s reward system.
According to security firm CertiK, the attacker exploited that flaw by carrying out a series of zero-value transfers that manipulated the contract’s reward records. The issue was tied to a function known as Royal1155LD.beforeLdaTransfer(), which allowed token balances to be artificially increased under specific conditions.
By inflating those balances, the attacker was able to claim a much larger share of rewards than intended. Blockchain data shows the attacker deposited about $2,638 in USDC before withdrawing roughly $263,800 from the contract.
Defimon Alerts, citing parallel analysis from DecurityHQ, said the exploit stemmed from an error in the contract’s royalty accounting system. The flaw allowed rewards to be calculated using exaggerated ownership figures, leading to an oversized payout.
Security researchers said the attacker also used a flash loan to execute the exploit. After repaying the borrowed funds within the same transaction, the attacker walked away with the remaining funds as profit.
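The pattern the researchers describe (a run of zero-value transfers followed by a payout far larger than the deposit, all inside one transaction) can be turned into a monitoring check. The sketch below is an added example, not code from TenArmorAlert, CertiK or the affected project; the event format, the "LDA" token label, the addresses and the thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from typing import NamedTuple

class Transfer(NamedTuple):
    tx: str         # transaction id (constructed placeholder, not a real hash)
    token: str
    sender: str
    recipient: str
    amount: int     # smallest token units

# Thresholds are assumptions to tune per contract, not figures from the reports.
MIN_ZERO_TRANSFERS = 3
MIN_PAYOUT_RATIO = 10

def flag_transactions(transfers, contract, reward_token):
    """Map tx -> (zero_transfer_count, address, paid_in, paid_out) for matches."""
    by_tx = defaultdict(list)
    for t in transfers:
        by_tx[t.tx].append(t)
    alerts = {}
    for tx, events in by_tx.items():
        zero_count = sum(1 for e in events if e.amount == 0)
        if zero_count < MIN_ZERO_TRANSFERS:
            continue
        paid_in, paid_out = defaultdict(int), defaultdict(int)
        for e in events:
            if e.token != reward_token:
                continue
            if e.recipient == contract:
                paid_in[e.sender] += e.amount
            elif e.sender == contract:
                paid_out[e.recipient] += e.amount
        for addr, out in paid_out.items():
            # max(..., 1) keeps the check meaningful when nothing was deposited
            if out >= MIN_PAYOUT_RATIO * max(paid_in[addr], 1):
                alerts[tx] = (zero_count, addr, paid_in[addr], out)
    return alerts

# Constructed sample events; amounts use 6 decimals, as USDC.e does.
U = 10**6
SAMPLE = [
    Transfer("tx-normal", "USDC.e", "alice", "royalties", 1_000 * U),
    Transfer("tx-normal", "USDC.e", "royalties", "alice", 1_020 * U),
    *[Transfer("tx-dust", "LDA", "bob", f"addr-{i}", 0) for i in range(3)],
    Transfer("tx-drain", "USDC.e", "mallory", "royalties", 2_638 * U),
    *[Transfer("tx-drain", "LDA", "mallory", "mallory-2", 0) for _ in range(5)],
    Transfer("tx-drain", "USDC.e", "royalties", "mallory", 263_800 * U),
]

if __name__ == "__main__":
    print(flag_transactions(SAMPLE, "royalties", "USDC.e"))
```

Requiring both signals keeps ordinary claims and unrelated zero-value transfer spam from raising alerts on their own.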
Older Web3 contracts remain attractive targets
The incident is the latest in a string of security lapses affecting older decentralized applications.
Last month, older contracts linked to Huma Finance were exploited in an attack that resulted in losses of about $101,400. The company later said no user funds were affected and that its newer V2 platform operates separately on Solana.
INK Finance also disclosed a breach involving its Workspace Treasury Proxy deployment on Polygon. The incident resulted in the loss of roughly $140,000 in USDT, according to the project.
Separately, blockchain investigator ZachXBT flagged a suspected security breach affecting Polymarket. The incident reportedly led to more than $520,000 being drained from two contracts connected to the prediction market platform.
The recurring wave of attacks has renewed industry-wide warnings about the persistent risks tied to “zombie contracts”: older Web3 contracts that remain active and funded on-chain long after project teams have moved to newer, upgraded versions.
Security guidance advises development teams to systematically audit, pause, or completely strip unused permissions from legacy deployments, and to migrate lingering collateral into actively maintained architectures. Core developers confirmed there is zero indication that Polygon’s primary consensus network or layer-2 security rails were compromised during the exploit.
