Stale-approval exposure on deprecated router

Balancer (v2 + v3)'s assessment for RD-F-168 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Deprecated TimelockAuthorizer and original Authorizer are authorization contracts, not token-handling routers — users do not approve ERC-20 tokens directly to these contracts. Stale-approval exposure in the router sense does not apply to deprecated Authorizer contracts. v2 Vault itself is not deprecated. Quantitative approval count to deprecated contracts not available for assessment. Assessed yellow due to uncertainty about any residual approvals.

Sources #

GitHub
Balancer Deployments Registry — DEPRECATED entriesTimelockAuthorizer DEPRECATED in mainnet.jsonretrieved 2026-05-05

Methodology #

Count the number of active user approvals (ERC-20 `allowance`) to deprecated router or protocol contracts.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol balancer factor RD-F-168 score yellow collected_at 2026-05-05 12:41:36