defirisk.co
rubric v1.7.0

New ERC-20 approval to unverified contract from whale

A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a real-time cadence.

Methodology: how we score

**What this measures** This real-time signal fires when a whale or high-TVL user (defined as a wallet whose protocol balance is in the top 10% by value) grants a new ERC-20 approval to an unverified contract that interacts with the monitored protocol. The signal is generated by monitoring approval events from high-value wallets and cross-referencing the approved contract address against its Etherscan/Sourcify verification status. Category 6 context: malicious approval harvesting that targets high-value users is a documented attack pattern; in the Badger DAO incident, malicious approvals were granted over a 12-day window without being noticed.

**Why it matters** Badger DAO ($120M, 2021) is the clearest example: malicious increaseAllowance() calls granting the attacker's address unlimited approval from high-value user wallets began approximately 12 days before the drain, and a user flagged unusual approvals before the hack occurred. The attack would have been detectable if high-value wallet approvals to unverified contracts were monitored. Similarly, Compounder Finance showed that malicious Strategy contracts were deployed and approved through a Timelock before the rug. Monitoring new approvals from whale wallets to unverified contracts provides a meaningful detection window.

**Green / Yellow / Red** Green is the baseline when no high-TVL user has granted a new approval to an unverified contract in the trailing 72 hours. Yellow fires when a new approval is granted to an unverified contract by a high-TVL user but the contract is newly deployed and may simply be unverified for benign reasons. Red fires when multiple high-TVL users grant approvals to the same unverified contract within a short window, particularly if the contract is not associated with any known legitimate protocol interaction.

**Common gray cases** Gray applies on chains where contract verification rates are low and unverified approvals are common in normal operations, or when the approval is to a known-protocol contract that happens to be deployed on a chain without full verification.
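As an added example (not defirisk.co's own scoring code), a small Python scorer that applies the rules above to constructed `Approval` events and returns the colour together with the evidence artifact. The 10% whale cutoff and 72-hour trailing window come from the rubric; the 6-hour cluster window and 7-day "newly deployed" threshold are assumed values, and a lone whale approving an unverified contract that is not newly deployed is scored Red, following the confidence-signal summary (red = approval granted to unverified contract).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TRAILING = timedelta(hours=72)   # rubric: Green baseline is a clean trailing 72h
CLUSTER = timedelta(hours=6)     # assumed value for the Red rule's "short window"
NEW_DEPLOY = timedelta(days=7)   # assumed threshold for "newly deployed"
@dataclass(frozen=True)
class Approval:            # one Approval event; fields double as the evidence artifact
    tx_hash: str
    owner: str             # approving wallet
    spender: str           # approved contract address
    ts: datetime

def whale_set(balances):
    """Top 10% of depositors by protocol balance (at least one wallet)."""
    ranked = sorted(balances, key=balances.get, reverse=True)
    return set(ranked[:max(1, len(ranked) // 10)])

def score(approvals, balances, verified, deployed_at, now):
    """(colour, evidence): balances = wallet -> balance, verified = contracts
    with published source, deployed_at = contract -> deployment time."""
    if not balances:                   # whale list not configured
        return "gray", []
    whales = whale_set(balances)
    hits = [a for a in approvals if a.owner in whales
            and a.spender not in verified and now - TRAILING <= a.ts <= now]
    if not hits:
        return "green", []
    evidence = [(a.tx_hash, a.owner, a.spender, "unverified") for a in hits]
    by_spender = {}
    for a in hits:
        by_spender.setdefault(a.spender, []).append(a)
    colour = "yellow"                  # lone approval to a newly deployed contract
    for spender, group in by_spender.items():
        times = sorted(a.ts for a in group)
        clustered = len({a.owner for a in group}) >= 2 and times[-1] - times[0] <= CLUSTER
        is_new = spender in deployed_at and now - deployed_at[spender] <= NEW_DEPLOY
        if clustered or not is_new:    # several whales, or an old unverified contract
            colour = "red"
    return colour, evidence

# Constructed sample: 20 depositors, so the top-10% whale list is {0xW1, 0xW2}.
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
BALANCES = {"0xW1": 1000.0, "0xW2": 900.0, **{f"0xS{i}": 1.0 for i in range(18)}}
VERIFIED = {"0xROUTER"}
DEPLOYED = {"0xNEW": NOW - timedelta(days=2)}
SAMPLE = [
    Approval("0xa1", "0xW1", "0xROUTER", NOW - timedelta(hours=1)),  # verified: ignored
    Approval("0xa2", "0xS3", "0xNEW", NOW - timedelta(hours=2)),     # not a whale: ignored
    Approval("0xa3", "0xW1", "0xNEW", NOW - timedelta(hours=3)),     # whale -> new, unverified
    Approval("0xa4", "0xW2", "0xNEW", NOW - timedelta(hours=4)),     # second whale within 6h
]
```

Running `score(SAMPLE, BALANCES, VERIFIED, DEPLOYED, NOW)` yields Red because two whales approved the same unverified contract within the cluster window; dropping the last event leaves a single whale approving a newly deployed contract, which stays Yellow.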

**Notable historical examples**
- **Badger DAO** ($120M, 2021): Malicious increaseAllowance() calls from high-value users granting unlimited approval to the attacker's address; visible 12 days before the drain.
- **Compounder Finance** ($12M, 2020): Malicious Strategy contracts deployed and approved through a Timelock before the rug; approvals were visible on-chain.

Measurement: what to look for

Detect whether a top-TVL depositor grants a new token approval to an unverified contract that interacts with this protocol.

Data & output

| Field | Value |
|---|---|
| Data source | Mempool `Approval` event stream + Etherscan verification status check + protocol TVL whale list |
| Output format | Green / Yellow / Red |
| Evidence artifact | Approval tx hash + approving wallet + approved contract address + verification status |
| Confidence signal | green = signal not firing; red = approval granted to unverified contract; gray = whale list or monitoring not configured |

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-096 |
|---|---|---|
| Aave v3 | ethereum | gray |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | gray |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | gray |
| Beefy Finance | ethereum | gray |
| BENQI | avalanche | gray |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | gray |
| Centrifuge | ethereum | gray |
| Chainlink CCIP | ethereum | gray |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | gray |
| Concrete | ethereum | gray |
| Convex Finance | ethereum | gray |
| crvUSD (Curve Stablecoin) | ethereum | gray |
| Curve Finance | ethereum | not_assessed |
| deBridge | ethereum | gray |
| Dolomite | ethereum | gray |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | gray |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | gray |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | not_assessed |
| Frax Finance | ethereum | gray |
| GMX v2 (GMX Synthetics) | arbitrum | gray |
| Hyperlane | ethereum | gray |
| Hyperliquid | arbitrum | gray |
| Jito | solana | not_applicable |
| Jupiter | solana | not_applicable |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | not_applicable |
| Kamino Lend | solana | gray |
| Kinetiq | hyperliquid | gray |
| Lido | ethereum | gray |
| Liquid Collective (LsETH) | ethereum | gray |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | gray |
| Lista DAO | bsc | gray |
| Lombard Finance | ethereum | gray |
| M^0 | ethereum | gray |
| Maple Finance | ethereum | gray |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | not_assessed |
| Midas | ethereum | gray |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | gray |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | not_assessed |
| Pendle Finance | ethereum | not_assessed |
| Polymarket | polygon | not_assessed |
| QuickSwap | polygon | not_assessed |
| Raydium | solana | not_assessed |
| Rocket Pool | ethereum | gray |
| Sanctum | solana | not_applicable |
| Save (formerly Solend) | solana | not_applicable |
| Sky Lending (formerly MakerDAO) | ethereum | gray |
| Spark Protocol | ethereum | gray |
| Spiko | stellar | not_assessed |
| Stake DAO | ethereum | gray |
| StakeWise v3 | ethereum | gray |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap): v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | gray |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | gray |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | not_assessed |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | gray |

Linked hacks: 6 historical incidents

- **PrismaFi** [illustrative] (2024-03-28, $12M): Flash Loan + Missing Input Validation (Migration Helper). Pre-exploit on-chain signals: Approval of MigrateTroveZap by a monitored address 5 days before attack; migration contract was newly deployed (past week).
- **Dexible** [illustrative] (2023-02-17, $2M): Unvalidated router, selfSwap() transferFrom injection via approval drain. Pre-exploit on-chain signals: None identified; the attack harvested existing approvals with no preparatory on-chain footprint beyond the attacker being funded.
- **Transit Swap** [illustrative] (2022-10-01, $21M): Controllable transferFrom() in unverified (closed-source) swap contract, approval drain. Pre-exploit on-chain signals: Unverified (closed-source) contracts on a live swap aggregator; large-scale approval draining across multiple wallets simultaneously.
- **Curve Finance (curve.fi frontend)** [illustrative] (2022-08-09, $575K): DNS nameserver compromise → malicious frontend injection → approval harvesting. Pre-exploit on-chain signals: Malicious approvals being granted to unverified contract; approval to `0x9eb5f8e...` by multiple wallets in quick succession.
- **Badger DAO (Bitcoin-yield vaults on Ethereum)** [illustrative] (2021-12-02, $120M): Front-end injection (Cloudflare account compromise) → malicious `increaseAllowance()` approvals → vault token drain. Pre-exploit on-chain signals: Y; malicious `increaseAllowance()` calls granting attacker's address unlimited approval began ~12 days before the drain; a user flagged t...
- **Compounder Finance** [illustrative] (2020-12-02, $12M): Malicious Strategy Contracts, Backdoor Withdrawal (Insider Rug Pull). Pre-exploit on-chain signals: Y; the 7 malicious Strategy contracts were deployed and approved through the Timelock (24-hour delay) before the rug; these approvals were ...
rubric_version: v1.7.0 · factor: RD-F-096 · category: 6 · carried: 80 · critical: no