defirisk.co
rubric v1.7.0

Stale-approval exposure on deprecated router

A post-deploy hygiene & change mgmt factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor counts the number of active user approvals (ERC-20 allowances) granted to contracts that the protocol has officially deprecated — approval slots that remain open on deprecated router or protocol contracts and represent a residual drain vector even after the protocol formally retired those contracts. The count is derived by scanning allowance events against the deprecated contract address set and cross-referencing with the protocol's public deprecation announcements.

**Why it matters** Stale user approvals on deprecated contracts are a persistent post-deploy hygiene failure: once a user grants an ERC-20 approval, it remains active indefinitely unless explicitly revoked. When a protocol deprecates a contract without notifying users to revoke approvals, those approvals remain exploitable for as long as the admin keys for the deprecated contract are alive or unchecked. OKX DEX lost $2.7M when a deprecated TokenApprove contract's admin key was compromised — thousands of users had never revoked their approvals because the protocol had not communicated the need to do so. Hacken HAI's $170K loss followed a similar pattern where a decommissioned bridge minter key retained credential authority over contracts that users had not revoked.

**Green / Yellow / Red** Green is assigned when the protocol has sent user communications about approval revocation for deprecated contracts, and the count of active approvals to deprecated contracts has fallen to near zero. Yellow covers cases where deprecation was announced but revocation guidance was not prominently communicated, leaving a moderate tail of open approvals. Red is assigned when a protocol has deprecated contracts with material numbers of outstanding user approvals and no revocation guidance or technical enforcement (e.g., a forced-revoke migration) has been deployed.

**Common gray cases** This factor is grayed when the protocol has never deprecated any contracts, or when the allowance scanning infrastructure cannot cover the relevant chain within the assessment window.

**Notable historical examples**

- **OKX DEX** ($2.7M, 2023): Deprecated TokenApprove contract retained active user approvals; admin key compromise allowed drain of those approvals.
- **Hacken ($HAI token)** ($170K, 2025): Decommissioned bridge minter key retained authority over approval surfaces that had not been revoked.

Measurement: what to look for

Count the number of active user approvals (ERC-20 `allowance`) to deprecated router or protocol contracts.

Data & output

Data source: On-chain `Approval` event log for deprecated contract addresses via subgraph or Etherscan token-approvals API

Output format: Green / Yellow / Red

Evidence artifact: Deprecated contract addresses + approval count + total approved value USD estimate

Confidence signal: green = 0 active approvals to deprecated contracts; yellow = <100 approvals or <$1M total approved value; red = ≥100 approvals or ≥$1M total approved value; gray = deprecated contract addresses not identified
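An added example, not defirisk.co's own scanner, of the allowance replay and threshold mapping described above. The addresses, prices, balances and events are constructed placeholders, and capping each slot's exposure at the owner's current token balance is an assumption about how the USD estimate is derived.

```python
# Added example (not defirisk.co's scanner): replay ERC-20 Approval events, keep the
# latest allowance per slot, count open approvals on deprecated spenders, score them.
UINT256_MAX = 2**256 - 1

# Constructed sample data; addresses, prices and balances are placeholders.
DEPRECATED_ROUTERS = {"0xdeprecated_router_v1", "0xdeprecated_router_v2"}
TOKEN_PRICE_USD = {"0xUSDC": 1.0, "0xWETH": 3000.0}  # per whole token, assumed
TOKEN_DECIMALS = {"0xUSDC": 6, "0xWETH": 18}
OWNER_BALANCE = {  # raw token units at scan time, assumed
    ("0xUSDC", "0xalice"): 250_000 * 10**6,
    ("0xWETH", "0xbob"): 2 * 10**18,
    ("0xWETH", "0xcarol"): 400 * 10**18,
}

# Approval events in block order: (block, token, owner, spender, value)
APPROVAL_EVENTS = [
    (100, "0xUSDC", "0xalice", "0xdeprecated_router_v1", UINT256_MAX),
    (101, "0xWETH", "0xbob", "0xdeprecated_router_v1", 1 * 10**18),
    (102, "0xWETH", "0xcarol", "0xdeprecated_router_v2", UINT256_MAX),
    (103, "0xWETH", "0xbob", "0xcurrent_router", 5 * 10**18),  # not deprecated
    (104, "0xWETH", "0xcarol", "0xdeprecated_router_v2", 0),  # revoked
]

def latest_allowances(events):
    """Replay events in block order; the last Approval for a slot wins."""
    slots = {}
    for _block, token, owner, spender, value in sorted(events):
        slots[(token, owner, spender)] = value
    return slots

def stale_approvals(events, deprecated, balances, prices, decimals):
    """Count open allowances on deprecated spenders and estimate USD exposure.
    Exposure per slot is min(allowance, owner balance): an unlimited approval
    can only drain what the owner actually holds right now."""
    count, usd = 0, 0.0
    for (token, owner, spender), allowance in latest_allowances(events).items():
        if spender not in deprecated or allowance == 0:
            continue
        count += 1
        exposed = min(allowance, balances.get((token, owner), 0))
        usd += exposed / 10 ** decimals[token] * prices[token]
    return count, usd

def score(count, usd, deprecated):
    """Map (count, USD) onto the rubric's confidence-signal thresholds."""
    if not deprecated:
        return "gray"  # deprecated contract addresses not identified
    if count >= 100 or usd >= 1_000_000:
        return "red"
    return "yellow" if count > 0 else "green"
```

On the constructed data, carol's revocation at block 104 drops her slot, leaving two open approvals worth about $253K, which scores yellow.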

Scored protocols (79 carry this factor)

| Protocol | Chain | RD-F-168 |
|---|---|---|
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | yellow |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | gray |
| Babylon Protocol | bitcoin | not_applicable |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | not_assessed |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | green |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | gray |
| Concrete | ethereum | gray |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | green |
| Dolomite | ethereum | red |
| dYdX v4 (dYdX Chain) | dydx | gray |
| EigenLayer | ethereum | gray |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | gray |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | not_applicable |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | not_applicable |
| Jito | solana | not_applicable |
| Jupiter | solana | green |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | green |
| Kamino Lend | solana | not_applicable |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | yellow |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | green |
| Meteora | solana | gray |
| mETH Protocol | ethereum | green |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | yellow |
| Orca | solana | gray |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | green |
| Raydium | solana | green |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | not_applicable |
| Save (formerly Solend) | solana | not_applicable |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | not_applicable |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | green |
| SUNSwap (sun.io) | tron | yellow |
| Superstate | ethereum | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | yellow |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | gray |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | yellow |

Linked hacks (2 historical incidents)

- Hacken ($HAI token) — 2025-06-20 · $170K · Bridge private key leak from decommissioned server → unauthorized token minting → dump · Linked to "Stale user approvals on deprecated router" via cross-hack: Factor 33: Decommissioned Infrastructure Retaining Live Credentials
- OKX DEX (OKX Decentralized Exchange Aggregator) — 2023-12-13 · $3M · Compromised proxy admin key → malicious implementation upgrade → claimTokens() drain of user approvals · Linked to "Stale user approvals on deprecated router" via cross-hack: Factor 33: Decommissioned Infrastructure Retaining Live Credentials

Rubric version: v1.7.0 · Factor: RD-F-168 · Category: 9 · Carried by: 79 protocols · Critical: no