defirisk.co
rubric v1.7.0

Stale-approval exposure on deprecated router

Chainlink CCIP's assessment for RD-F-168 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

CCIP v1.0.0 was deprecated in 2024 (March 31, 2024 deadline). Users who granted token approvals to the v1.0.0 Router retain stale approvals. Chainlink published migration docs, but there is no evidence of a systematic on-chain revoke notice or approval cleanup. The risk is bounded because the v1.0.0 Router is immutable and cannot execute arbitrary transfers without a CCIP message, but a stale-approval surface exists.

Sources

Methodology

Count the number of active user approvals (ERC-20 `allowance`) to deprecated router or protocol contracts.
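One way to carry out this count, as an added example that is not defirisk's or Chainlink's own code: replay decoded ERC-20 `Approval` logs and keep the last value set per (token, owner) for the deprecated spender. The log records, addresses and function names are constructed placeholders, and the input is assumed to be already decoded from an archive node or indexer.

```python
MAX_UINT256 = 2**256 - 1

# Constructed placeholders, not real contract addresses.
DEPRECATED_ROUTER = "0xrouter_v1_placeholder"
CURRENT_ROUTER = "0xrouter_v2_placeholder"

# Constructed sample: decoded Approval(owner, spender, value) logs, deliberately unordered.
LOGS = [
    {"block": 150, "log_index": 2, "token": "0xtoken_a", "owner": "0xbob",
     "spender": DEPRECATED_ROUTER, "value": 0},            # bob revokes
    {"block": 100, "log_index": 0, "token": "0xtoken_a", "owner": "0xalice",
     "spender": DEPRECATED_ROUTER, "value": MAX_UINT256},  # unlimited, never revoked
    {"block": 101, "log_index": 4, "token": "0xtoken_a", "owner": "0xbob",
     "spender": DEPRECATED_ROUTER, "value": 500},
    {"block": 120, "log_index": 1, "token": "0xtoken_b", "owner": "0xcarol",
     "spender": DEPRECATED_ROUTER, "value": 1000},
    {"block": 200, "log_index": 0, "token": "0xtoken_a", "owner": "0xalice",
     "spender": CURRENT_ROUTER, "value": MAX_UINT256},     # different spender, ignored
]


def active_approvals(logs, spender):
    """Return {(token, owner): value} for the last non-zero Approval to spender."""
    spender = spender.lower()
    latest = {}
    # Replay in chain order so a later revoke overwrites an earlier grant.
    for log in sorted(logs, key=lambda l: (l["block"], l["log_index"])):
        if log["spender"].lower() == spender:
            latest[(log["token"].lower(), log["owner"].lower())] = log["value"]
    return {key: value for key, value in latest.items() if value > 0}


def summarize(logs, spender):
    """Counts for the factor: active approvals, distinct owners, unlimited grants."""
    active = active_approvals(logs, spender)
    return {
        "active": len(active),
        "owners": len({owner for _, owner in active}),
        "unlimited": sum(1 for v in active.values() if v == MAX_UINT256),
    }


if __name__ == "__main__":
    print(summarize(LOGS, DEPRECATED_ROUTER))
```

Event replay gives the last value an owner set, not the current allowance: tokens may decrement the allowance on `transferFrom` without emitting `Approval`, so treat the result as an upper bound and confirm each candidate with an `allowance(owner, spender)` call.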


rubric_version: v1.7.0
protocol: chainlink-ccip
factor: RD-F-168
score: yellow
collected_at: 2026-05-16 01:55:09