defirisk.co
rubric v1.7.0

Stale-approval exposure on deprecated router

Yearn Finance's assessment for RD-F-168 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

V1 vaults (yDAI, yUSDT, yTUSD, others) are deprecated and immutable. Users who granted ERC-20 approvals to V1 vault contracts retain active allowances. V1 contracts were exploited in 2023 via misconfiguration (not approval abuse), but stale approvals remain a low-level residual risk. The count of approvals to deprecated contracts was not enumerated from on-chain data in this assessment. Yellow: stale approvals likely exist, given that the 2023 exploits showed user funds still in these contracts years post-deprecation.

Sources

  • Yearn2 Rekt — rekt.news, yearn2-rekt (2023-04) — legacy yUSDT V1 vault exploited; users with funds in deprecated vault. Retrieved 2026-05-16.
  • Yearn Rekt4 — rekt.news, yearn-rekt4 (2023-12) — legacy TUSD V1 vault exploited; confirms ongoing residual user exposure. Retrieved 2026-05-16.

Methodology

Count the number of active user approvals (ERC-20 `allowance`) to deprecated router or protocol contracts.
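
One way to carry out this count from raw ERC-20 `Approval` logs, as an added example that is not defirisk.co's or Yearn's own code. All addresses and log entries are constructed placeholders, and the function names are hypothetical; logs are assumed to be in `eth_getLogs` shape.

```python
# Added example (not defirisk.co code). Addresses and logs below are constructed.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def _addr(topic):
    """Last 20 bytes of a 32-byte indexed topic, lower-cased."""
    return "0x" + topic[-40:].lower()

def active_approvals(logs, deprecated_spenders):
    """Map (token, owner, spender) -> latest non-zero approved value for
    spenders in the deprecated set. The value is an upper bound: transferFrom
    can lower an allowance without emitting Approval."""
    watch = {s.lower() for s in deprecated_spenders}
    latest = {}
    # Replay in chain order so a later approve() overwrites an earlier one.
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))):
        topics = log["topics"]
        # ERC-721 Approval shares this topic hash but indexes tokenId (4 topics).
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        spender = _addr(topics[2])
        if spender in watch:
            latest[(log["address"].lower(), _addr(topics[1]), spender)] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}  # approve(spender, 0) revokes

def summarize(active):
    """Counts for the factor: open approvals, and how many are unlimited."""
    return {"active": len(active), "unlimited": sum(v == UNLIMITED for v in active.values())}

def _log(token, owner, spender, value, block, idx):
    """Build one constructed log in eth_getLogs shape."""
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"),
            "blockNumber": hex(block), "logIndex": hex(idx)}

TOKEN, OLD_VAULT, LIVE = "0x" + "aa" * 20, "0x" + "D1" * 20, "0x" + "e2" * 20
ALICE, BOB, CAROL = "0x" + "01" * 20, "0x" + "02" * 20, "0x" + "03" * 20
SAMPLE_LOGS = [
    _log(TOKEN, CAROL, OLD_VAULT, 25, 120, 5),        # listed out of order on purpose
    _log(TOKEN, ALICE, OLD_VAULT, UNLIMITED, 100, 0),
    _log(TOKEN, BOB, OLD_VAULT, 500, 101, 0),
    _log(TOKEN, CAROL, OLD_VAULT, 10, 120, 2),
    _log(TOKEN, CAROL, LIVE, 1000, 150, 0),           # spender not deprecated
    _log(TOKEN, BOB, OLD_VAULT, 0, 200, 1),           # revocation
]

if __name__ == "__main__":
    print(summarize(active_approvals(SAMPLE_LOGS, [OLD_VAULT])))
```

Because the log replay only yields an upper bound, each surviving (token, owner, spender) tuple should be confirmed with an on-chain `allowance(owner, spender)` read before it is counted as active.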


  • rubric_version: v1.7.0
  • protocol: yearn-finance
  • factor: RD-F-168
  • score: yellow
  • collected_at: 2026-05-16 08:34:32