defirisk.co
rubric v1.7.0

Deprecated contract paused but pause reversible by live admin

A governance & admin factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor identifies whether a protocol has formally deprecated a contract but left the pause state on that contract reversible by a currently-live admin role. The deprecated contract is paused — appearing inactive — but the pause is not permanent: an admin can unpause it, restoring its functionality and any attack surface it carries. The factor is populated by on-chain checks of deprecated contracts listed in protocol documentation against their current pause state and who holds the unpause authority.

**Why it matters** Deprecated but unfinalized contracts present an invisible attack surface. Users and monitoring systems may treat a paused deprecated contract as inert, but if a live admin role can unpause it, an attacker who compromises that admin can restore the contract's full functionality. OKX DEX lost $2.7M via a deprecated TokenApprove contract whose admin key had not been revoked — users still had open approvals to the contract, and a single admin action allowed the attacker to drain them. This pattern is distinct from a protocol that has burned or renounced admin on deprecated contracts, which would score green; the risk is specifically the combination of "announced deprecated" and "admin pause is still reversible."

**Green / Yellow / Red** Green is assigned when deprecated contracts have had admin authority renounced or transferred to an immutable address, or when the pause is executed by a burned admin key with no live unpause capability. Yellow covers cases where a timelock of at least 48 hours gates any unpause action on deprecated contracts. Red is assigned when a deprecated contract's pause is reversible by a currently-live admin role with no timelock, effectively leaving the deprecated surface under live admin control.

**Common gray cases** This factor is grayed when no contracts have been deprecated or when the deprecation status cannot be confirmed from public protocol documentation.

**Notable historical examples** No hack incidents are currently linked to this factor in the database.

Measurement: what to look for

Determine whether a deprecated-and-paused contract's pause state is revertible by a currently-live admin role.

Data & output

Data source: On-chain `paused()` state read + `PAUSER_ROLE` or `pause`/`unpause` permission on deprecated contract via RPC

Output format: Green / Yellow / Red

Evidence artifact: Deprecated contract address + paused state + pause-role address + whether pause-role is still active

Confidence signal: green = deprecated contract paused and pause role has been renounced or burned; yellow = deprecated contract paused but pause-role still active (can be unpaused); red = deprecated contract not paused and still holds value; gray = deprecated contracts not identified
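
An offline sketch of this check, following the Green / Yellow / Red definitions in the methodology above (an added example, not defirisk.co's scoring code). It assumes an OpenZeppelin-style `Pausable` plus `AccessControl` contract; the holder list, timelock delays and return data are constructed, and scoring a timelock shorter than 48 hours as red is an assumption.

```python
# Added example: offline sketch of the RD-F-167 check. All sample data is constructed.
PAUSED_SELECTOR = "0x5c975abb"    # paused() on OpenZeppelin Pausable (whole calldata)
HAS_ROLE_SELECTOR = "0x91d14854"  # hasRole(bytes32,address) on AccessControl
# keccak256("PAUSER_ROLE"), the role id used by OpenZeppelin-style contracts
PAUSER_ROLE = "65d7a28e3265b37a6474929f336521b332c1681b933f6cb9f3376673440d862a"
BURN_ADDRESSES = {"0x" + "0" * 40, "0x" + "0" * 36 + "dead"}
MIN_TIMELOCK_SECONDS = 48 * 3600  # the rubric's 48-hour threshold for yellow


def has_role_calldata(holder: str) -> str:
    """eth_call data asking whether `holder` has PAUSER_ROLE."""
    return HAS_ROLE_SELECTOR + PAUSER_ROLE + holder.lower()[2:].rjust(64, "0")


def decode_bool(ret: str) -> bool:
    """Decode a 32-byte ABI bool; empty return data (no such function) is False."""
    return len(ret) > 2 and int(ret, 16) == 1


def score(paused_ret: str, holders: list) -> dict:
    """holders: (address, hasRole return data, timelock delay in seconds or None).

    The candidate list and each delay are gathered separately (assumption),
    for example from role-grant events and the timelock contract itself.
    """
    if not holders:
        raise ValueError("no candidate pause-role holders supplied")
    if not decode_bool(paused_ret):
        raise ValueError("contract is not paused; this check covers paused contracts")
    live = [(addr, delay) for addr, ret, delay in holders
            if decode_bool(ret) and addr.lower() not in BURN_ADDRESSES]
    if not live:
        rating = "green"   # role renounced, revoked or held only by burn addresses
    elif all(d is not None and d >= MIN_TIMELOCK_SECONDS for _, d in live):
        rating = "yellow"  # every live holder sits behind a timelock of >= 48 h
    else:
        rating = "red"     # a live admin can unpause directly (assumption: < 48 h too)
    return {"rating": rating, "paused": True, "live_holders": [a for a, _ in live]}


# Constructed eth_call return values and addresses (not real contracts)
TRUE, FALSE = "0x" + "0" * 63 + "1", "0x" + "0" * 64
ADMIN_EOA, TIMELOCK = "0x" + "11" * 20, "0x" + "22" * 20

if __name__ == "__main__":
    print(score(TRUE, [(ADMIN_EOA, TRUE, None)]))      # live admin, no timelock
    print(score(TRUE, [(TIMELOCK, TRUE, 172800)]))     # 48-hour timelock
    print(score(TRUE, [(ADMIN_EOA, FALSE, None)]))     # role revoked
```

The returned dictionary mirrors the evidence artifact: paused state plus the pause-role addresses that are still active.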

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-167 |
| --- | --- | --- |
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | yellow |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | gray |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | gray |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | green |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | yellow |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | gray |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | not_applicable |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | gray |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | not_applicable |
| Jito | solana | green |
| Jupiter | solana | green |
| Jupiter Perpetual Exchange | solana | green |
| JustLend DAO | tron | green |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | green |
| Meteora | solana | gray |
| mETH Protocol | ethereum | green |
| Midas | ethereum | not_applicable |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | gray |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | gray |
| Orca | solana | yellow |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | green |
| Raydium | solana | green |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | gray |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | not_applicable |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | green |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | gray |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | yellow |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.

rubric_version: v1.7.0 | factor: RD-F-167 | category: 2 | carried: 80 | critical: no