Legacy Royalties Contract on Polygon Exploited for $261,000

A legacy smart contract on the Polygon network was exploited on June 23, resulting in a loss of approximately $261,200 in USDC. The incident targeted outdated infrastructure associated with the music NFT platform Royal, specifically a contract used for distributing streaming royalties through Limited Digital Assets (LDAs).
According to security firm CertiK, which tracked the activity via its Skynet Pulse monitoring service, the attacker exploited a logic error to drain the funds. CertiK described it as a "reward logic flaw" that let the attacker artificially inflate their ownership records and claim a payout roughly 100 times larger than their actual entitlement.
The Attack Mechanism
Security researchers identified the root cause in the Royal1155LDA contract's accounting system. An analysis by security researcher Defi_Nerd_sec placed the vulnerability in the _beforeTokenTransfer hook. The attacker reportedly executed 100 zero-value ERC1155 batch transfers, which corrupted the custom ownership accounting used to calculate royalty distributions. Zero-value transfers are valid under the ERC1155 standard (the balance check only requires that the sender hold at least the amount transferred, which is trivially true for zero), so any bookkeeping performed in a transfer hook must itself guard against them.
The sequence of the exploit included:
- Taking a flash loan to acquire an initial position in a specific tier of Limited Digital Assets.
- Executing repeated zero-amount transfers to manipulate the contract's internal ownership accounting.
- Stacking the resulting ownership records to claim a royalty payout that exceeded the intended pro-rata share.
On-chain records show the transaction occurred at block height 89,018,051. After repaying the flash loan, the attacker realized a net profit of approximately $261,200 in USDC.e.
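The following is an added illustration of the bug class described above, not the Royal1155LDA source and not code from CertiK or Defi_Nerd_sec. It models a hypothetical ERC1155-style contract whose _beforeTokenTransfer hook keeps per-holder "ownership records" that a royalty pool is split across. The vulnerable variant credits the recipient with one record per incoming transfer without checking the amount; the hardened variant ignores zero-value transfers and records exactly the units that moved. The holder counts, pool size and the attacker's self-transfers are constructed for the example.

```python
from collections import defaultdict


class LdaRoyaltyPool:
    """Hypothetical ERC1155-style royalty contract (a model of the bug class,
    not the Royal1155LDA source). A tier's royalty pool is paid out pro rata
    to the ownership records maintained by _before_token_transfer."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.balances = defaultdict(int)                      # (tier, holder) -> units
        self.records = defaultdict(lambda: defaultdict(int))  # tier -> holder -> records

    def mint(self, tier, to, amount):
        self._before_token_transfer(None, to, [tier], [amount])
        self.balances[(tier, to)] += amount

    def safe_batch_transfer_from(self, frm, to, tiers, amounts):
        # As in ERC1155, only balance >= amount is checked, so a zero-value
        # transfer succeeds for any sender and any token id.
        for tier, amount in zip(tiers, amounts):
            if self.balances[(tier, frm)] < amount:
                raise ValueError("ERC1155: insufficient balance for transfer")
        self._before_token_transfer(frm, to, tiers, amounts)
        for tier, amount in zip(tiers, amounts):
            self.balances[(tier, frm)] -= amount
            self.balances[(tier, to)] += amount

    def _before_token_transfer(self, frm, to, tiers, amounts):
        for tier, amount in zip(tiers, amounts):
            if self.hardened:
                if amount == 0:
                    continue                          # nothing moved, nothing to record
                self.records[tier][to] += amount      # record exactly what moved
                if frm is not None:
                    self.records[tier][frm] -= amount
            else:
                # Vulnerable pattern: one new ownership record per incoming
                # transfer, amount never checked; the sender only loses a
                # record when its balance drops to zero.
                self.records[tier][to] += 1
                if frm is not None and self.balances[(tier, frm)] - amount == 0:
                    self.records[tier][frm] -= 1

    def claimable(self, tier, holder, pool):
        """Pro-rata share of the pool, integer division as in Solidity."""
        total = sum(self.records[tier].values())
        return pool * self.records[tier][holder] // total if total else 0


def run_scenario(hardened: bool, zero_transfers: int = 100):
    """Constructed scenario: ten honest holders and the attacker each hold one
    unit of tier 1, and the tier's pool holds 1,110 USDC. Returns the attacker's
    (fair share, share after the zero-value self-transfers)."""
    c = LdaRoyaltyPool(hardened)
    for i in range(10):
        c.mint(1, f"holder{i}", 1)
    c.mint(1, "attacker", 1)  # stands in for the flash-loan-funded initial position
    fair = c.claimable(1, "attacker", 1110)
    # Repeated zero-value ERC1155 batch transfers from the attacker to itself
    for _ in range(zero_transfers):
        c.safe_batch_transfer_from("attacker", "attacker", [1], [0])
    return fair, c.claimable(1, "attacker", 1110)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(False))  # (100, 1010)
    print("hardened:  ", run_scenario(True))   # (100, 100)
```

In the vulnerable variant each zero-value self-transfer adds a record for the attacker while removing none, so 100 transfers turn a 1-in-11 share into 101-in-111. The hardened hook skips zero amounts and keeps records equal to actual balances; an even simpler fix is to derive entitlement from balanceOf at claim time rather than from state accumulated in a transfer hook, since hook-maintained counters are exactly what zero-value and self-transfers can desynchronise.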
Status of Legacy Infrastructure
The incident highlights the persistent security risks associated with “zombie contracts”—historical code deployments that remain active on-chain even after a project has migrated to newer versions or updated its architecture. In this case, the exploit targeted an older iteration of the royalties distribution system rather than the current Royal ecosystem.
While the exploit resulted in a direct loss of funds from the legacy contract, there is no indication that the core Polygon network or its consensus mechanism was affected. As of June 24, the Royal project had not released an official public statement on the status of the affected contract or whether it remains part of its current operational infrastructure. Security firms continue to advise protocol teams to formally deprecate unused legacy contracts rather than leave them live: pause them where a pause function exists, withdraw any remaining balances, and revoke or renounce roles that can still move funds, so that a forgotten deployment cannot become a draining target.
