Stale-approval exposure on deprecated router

Dolomite's assessment for RD-F-168 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

March 2024 exploit confirmed large stale-approval exposure on the deprecated 2019 Loopring Trade Delegate contract (0xe2466deb9536a69bf8131ecd0c267ee41dd1cda0). 187 users affected, $1.8M drained. Stale approvals from pre-2020 users persisted 4+ years. Despite the exploit and partial recovery, approvals on the old contract were not systematically revoked by protocol — users who did not independently revoke remain exposed.

Sources #

URL
Revoke.cash — Dolomite Exploit Documentationrevoke.cash/exploits/dolomite — stale approval exploitation documentationretrieved 2026-05-16
URL
Dolomite Legacy Vulnerability Post-Mortem — stale approvalsmedium.com/dolomite-official/legacy-smart-contract-vulnerability-post-mortem — 187 victims, $1.8M from stale approvals on 0xe2466...retrieved 2026-05-16

Methodology #

Count the number of active user approvals (ERC-20 `allowance`) to deprecated router or protocol contracts.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol dolomite factor RD-F-168 score red collected_at 2026-05-16 11:12:56