defirisk.co
rubric v1.7.0

Deprecated contracts still holding value

An operational history factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor flags whether any protocol-announced deprecated contracts (contracts for which the team has publicly stated sunsetting or migration) still hold more than $100,000 in user funds or protocol assets. It is sourced from on-chain balance checks against a curator-maintained list of deprecated contract addresses, updated on a slow cadence (semi-annual or event-driven). A positive flag means the operational wind-down was not completed -- users were not migrated, funds were not drained, and the deprecated surface remains a live attack target.

**Why it matters** Deprecated contracts represent a reduced-vigilance attack surface. The team has signalled they are moving away from the contract; monitoring attention is reduced; the codebase is no longer receiving security patches. OKX DEX lost $2.7M when attackers compromised a deprecated proxy admin key that had not been revoked. Force Bridge was drained on June 1, 2025 -- the day after announcing its May 31 sunset -- through a combination of reduced team attention and failed access control attempts in the six hours prior. The 1inch Fusion v1 settlement contract was deprecated but not destroyed, and resolvers continued calling it months after the successor was live. In each case, the deprecation announcement created a perception that the surface was gone while the financial exposure remained.

**Green / Yellow / Red** Green: all deprecated contracts hold zero or negligible (below $1,000) in assets; migrations fully complete. Yellow: deprecated contracts hold between $1,000 and $100,000 in assets, with migration actively in progress and a public timeline published. Red: deprecated contracts hold more than $100,000 in assets with no active migration in progress, or the team has confirmed deprecation without a published drain-and-migrate plan.

**Common gray cases** Contracts that are technically inactive (no user-callable functions remaining) but hold dust amounts due to rounding errors or stuck transactions are distinguished from contracts still accessible to users or holding meaningful protocol-owned liquidity.

**Notable historical examples**

- **OKX DEX** ($2.7M, 2023): Deprecated proxy admin key compromised; user approvals on deprecated TokenApprove contract drained.
- **1inch Fusion v1** ($5M, 2025): Deprecated settlement contract not destroyed; resolvers still calling it post-deprecation.
- **Force Bridge** ($3.76M, 2025): Drained the day after the team announced its sunset, through reduced-vigilance access control failures.
- **Hacken HAI** ($170K, 2025): Bridge minter key on a decommissioned DigitalOcean server used to mint 900M tokens.

Measurement: what to look for

Determine whether contracts marked deprecated by a protocol announcement still hold >$100K in assets.

Data & output

**Data source** Protocol deprecation announcements + on-chain asset balances at deprecated contract addresses via RPC

**Output format** Green / Yellow / Red

**Evidence artifact** Deprecated contract address list + asset balance USD per contract + protocol announcement URL

**Confidence signal** green = deprecated contracts hold $0 or have been self-destructed; yellow = deprecated contracts hold $1–$100K (residual users); red = deprecated contracts hold >$100K (significant unmitigated exposure); gray = deprecated contracts not identified
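The balance check and banding described above, as an added example (not defirisk.co's own tooling): it builds the ERC-20 `balanceOf` call sent over RPC, decodes the returned word into USD, and applies the Green / Yellow / Red bands. The addresses, RPC result and price are constructed placeholders, only ERC-20 balances are covered, and treating a balance of $1,000 or more with no published migration plan as red is an assumption drawn from the second Red clause.

```python
from dataclasses import dataclass

BALANCE_OF = "70a08231"  # 4-byte selector of ERC-20 balanceOf(address)

def balance_of_request(token: str, holder: str, req_id: int = 1) -> dict:
    """Build the JSON-RPC eth_call that asks `token` for `holder`'s balance."""
    arg = holder.lower().removeprefix("0x").rjust(64, "0")  # address as 32-byte word
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": token, "data": "0x" + BALANCE_OF + arg}, "latest"]}

def usd_value(result_hex: str, decimals: int, price_usd: float) -> float:
    """Decode the uint256 returned by balanceOf and convert it to USD."""
    if result_hex in ("", "0x"):
        # Empty return data means no code at the token address: not a zero balance.
        raise ValueError("empty eth_call result; check the token address")
    return int(result_hex, 16) / 10 ** decimals * price_usd

@dataclass
class DeprecatedContract:
    address: str
    usd: float              # total across all assets checked
    migration_active: bool  # migration in progress with a published timeline

def score(contracts: list[DeprecatedContract]) -> str:
    """Apply the factor's bands; the worst contract decides the protocol flag."""
    if not contracts:
        return "gray"  # deprecated contracts not identified
    flag = "green"
    for c in contracts:
        if c.usd > 100_000 or (c.usd >= 1_000 and not c.migration_active):
            return "red"  # assumption: no published plan is red from $1,000 up
        if c.usd >= 1_000:
            flag = "yellow"
    return flag

# Constructed sample: placeholder addresses, a made-up RPC result and price.
OLD_VAULT = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
RESULT = "0x" + format(250_000 * 10**6, "064x")  # 250,000 units at 6 decimals
vault = DeprecatedContract(OLD_VAULT, usd_value(RESULT, 6, 1.0), False)

if __name__ == "__main__":
    print(balance_of_request(TOKEN, OLD_VAULT)["params"][0]["data"])
    print(vault.usd, score([vault]))
```
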

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-166 |
| --- | --- | --- |
| Aave v3 | ethereum | red |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | gray |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | green |
| Cap (cUSD / stcUSD) | ethereum | not_applicable |
| Centrifuge | ethereum | red |
| Chainlink CCIP | ethereum | yellow |
| Circle USYC | binance | green |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | green |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | not_applicable |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | not_applicable |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | green |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | green |
| Jito | solana | green |
| Jupiter | solana | green |
| Jupiter Perpetual Exchange | solana | green |
| JustLend DAO | tron | not_applicable |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | gray |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | green |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | green |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | green |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | green |
| Orca | solana | green |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | green |
| QuickSwap | polygon | yellow |
| Raydium | solana | green |
| Rocket Pool | ethereum | green |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | green |
| SUNSwap (sun.io) | tron | red |
| Superstate | ethereum | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | red |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | green |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | gray |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | red |

Linked hacks: 4 historical incidents

- **Hacken ($HAI token)** (causal) · 2025-06-20 · $170K · Bridge private key leak from decommissioned server → unauthorized token minting → dump · Officially-deprecated surface still holds material value [via cross-hack: Factor 33: Decommissioned Infrastructure Retaining Live Credentials]
- **Force Bridge (Nervos Network)** (causal) · 2025-06-01 · $4M · Access control compromise — admin key leak → privileged unlock() drain across two chains · Officially-deprecated surface still holds material value [via cross-hack: Factor 46: Sunset / Wind-Down Period as Reduced Vigilance Window]
- **1inch (Fusion v1 resolver contracts)** (causal) · 2025-03-05 · $5M · Integer underflow in deprecated assembly — calldata pointer corruption → resolver address forgery · Officially-deprecated surface still holds material value [via cross-hack: Factor 36: Deprecated Contract With Live Admin Key] [via cross-hack: Factor 46: Sunset / Wind-Down Period as Reduced Vigilance Window]
- **OKX DEX (OKX Decentralized Exchange Aggregator)** (causal) · 2023-12-13 · $3M · Compromised proxy admin key → malicious implementation upgrade → claimTokens() drain of user approvals · Officially-deprecated surface still holds material value [via cross-hack: Factor 33: Decommissioned Infrastructure Retaining Live Credentials] [via cross-hack: Factor 36: Deprecated Contract With Live Admin Key]

rubric_version: v1.7.0 · factor: RD-F-166 · category: 5 · carried: 80 · critical: no