Stale-approval exposure on deprecated router
Curve Finance's assessment for RD-F-168 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Legacy StableSwap v1 pools (curve-contract) and older router versions may hold stale user approvals from the 2020-2022 era. The 2022 DNS hijack exploited the frontend to potentially harvest approvals. No systematic stale-approval revocation campaign was identified in public documentation. The current curve-router-ng is actively maintained, but legacy approvals to older routers persist.
Sources
- curve-router-ng (GitHub), github.com/curvefi/curve-router-ng — current router; legacy approvals to older versions persist (retrieved 2026-04-28)
- Curve DNS hijack post-mortem, August 2022, curve.substack.com/p/august-10-2022-curve-frontend-hacked — DNS hijack exploited frontend, approval risk context (retrieved 2026-04-28)
Methodology
Count the number of active user approvals (ERC-20 `allowance`) to deprecated router or protocol contracts.
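One way to carry out this count from ERC-20 `Approval` logs, as an added example that is not part of the rubric's or Curve's own tooling. The addresses and events are constructed placeholders, and `active_approvals` and `summarize` are hypothetical helper names.

```python
from collections import Counter

MAX_UINT256 = 2**256 - 1  # the usual "unlimited" approval value

# Constructed sample data: placeholder names, not real addresses or real logs.
DEPRECATED = {"0xOLD_ROUTER_PLACEHOLDER"}
SAMPLE_EVENTS = [
    # (block, log_index, token, owner, spender, value)
    (100, 0, "0xTOKEN_A", "0xAlice", "0xOLD_ROUTER_PLACEHOLDER", MAX_UINT256),
    (105, 2, "0xTOKEN_A", "0xBob", "0xOLD_ROUTER_PLACEHOLDER", 500),
    (110, 1, "0xTOKEN_A", "0xBob", "0xold_router_placeholder", 0),  # Bob revokes
    (120, 0, "0xTOKEN_B", "0xCarol", "0xOLD_ROUTER_PLACEHOLDER", 1_000),
    (130, 4, "0xTOKEN_A", "0xDave", "0xCURRENT_ROUTER_PLACEHOLDER", MAX_UINT256),
    (90, 3, "0xTOKEN_B", "0xCarol", "0xOLD_ROUTER_PLACEHOLDER", 0),  # out of order
]

def active_approvals(events, deprecated):
    """Return {(token, owner, spender): last_approved_value} for approvals
    to a deprecated spender whose most recent Approval value is nonzero."""
    targets = {s.lower() for s in deprecated}  # hex addresses are case-insensitive
    latest = {}
    # Replay in chain order: a later Approval overwrites the earlier one,
    # so a revocation (value 0) cancels an older grant and vice versa.
    for _blk, _idx, token, owner, spender, value in sorted(events, key=lambda e: e[:2]):
        spender = spender.lower()
        if spender in targets:
            latest[(token.lower(), owner.lower(), spender)] = value
    return {key: value for key, value in latest.items() if value > 0}

def summarize(active):
    """Count active approvals overall, unlimited ones, and per spender."""
    per_spender = Counter(spender for _token, _owner, spender in active)
    unlimited = sum(1 for value in active.values() if value == MAX_UINT256)
    return {"active": len(active), "unlimited": unlimited,
            "per_spender": dict(per_spender)}

if __name__ == "__main__":
    print(summarize(active_approvals(SAMPLE_EVENTS, DEPRECATED)))
```

The last approved value is an upper bound, because `transferFrom` spends an allowance down and not every token emits `Approval` when it does. Confirm each remaining entry with the token's `allowance(owner, spender)` view call before reporting the count.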
rubric_version: v1.7.0; protocol: curve-v2; factor: RD-F-168; score: yellow; collected_at: 2026-04-28 19:48:40