Stale-approval exposure on deprecated router

Across Protocol's assessment for RD-F-168 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Deprecated SpokePool V2 contracts on Ethereum, Arbitrum, Polygon, and Optimism may hold stale ERC-20 approvals from users. Ethereum V2 (0x4D9079Bb...) still received transactions as of April 2026 and is not confirmed paused. No official Across docs, blog posts, or migration guides instruct users to revoke approvals on deprecated V2 contracts. Mitigant: SpokePool deposit model requires a signed deposit + relayer fill — not a simple transferFrom, limiting direct drain risk.

Sources #

Docs
https://docs.across.to/llms.txtretrieved 2026-04-30
Docs
https://docs.across.to/introduction/migration-guides/migration-from-v2-to-v3retrieved 2026-04-30
URL
https://arbiscan.io/address/0xB88690461dDbaB6f04Dfad7df66B7725942FEb9Cretrieved 2026-04-30
Etherscan
https://etherscan.io/address/0x4D9079Bb4165aeb4084c526a32695dCfd2F77381retrieved 2026-04-30

Methodology #

Count the number of active user approvals (ERC-20 `allowance`) to deprecated router or protocol contracts.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol across-protocol factor RD-F-168 score yellow collected_at 2026-04-30 21:19:18