ICYMI: A hacker turned roughly $2,600 into more than $263,000 by exploiting an old Polygon-based smart contract.
Not by breaking @0xPolygon.
Not by hacking private keys.
Not by draining user wallets.
Instead, they found a flaw in a forgotten "legacy" royalties contract that was still live on-chain.
According to security researchers, the attacker used a flash loan and manipulated the contract's reward accounting logic, allowing them to artificially inflate rewards and withdraw far more than they should have been able to.
The result? A profit of around $261,000 in a single transaction.
What's alarming is that this wasn't a new protocol.
It was an old contract.
A reminder that in crypto, code doesn't disappear just because a project moves on.
Many older contracts remain active for years, often holding funds and permissions long after teams stop paying attention to them.
This is why security experts keep warning about "zombie contracts"—outdated smart contracts that quietly sit on-chain until someone discovers a vulnerability.
The biggest threats in DeFi aren't always the newest protocols.
Sometimes they're the forgotten ones.
This is a reminder that if you have money deposted into one of these @Morpho Alpha vaults, you may need to run some script to withdraw your funds once any borrower repays.
The collaterals backing these money are $msY, $AVLT, and $AZND. All of these "stable" assets are under depeg or great selling pressure.
NFA, DYOR.