defirisk.co
rubric v1.7.0

Stale-approval exposure on deprecated router

Assessment of Liquity V1 + V2 (LUSD / BOLD) for RD-F-168: scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

v1 is the legacy-immutable surface. Users who approved v1 contracts (BorrowerOperations 0x24179C, TroveManager 0xA39739, etc.) while v1 was active retain those approvals. The Liquity team cannot publish an admin-triggered revoke or pause notice because no admin key exists, and it cannot wind down or drain the v1 contracts. The hygiene gap is real but low-severity: stale approvals to v1 contracts are not exploitable by the team (no admin power), and the contracts themselves are correct-as-designed and immutable. The risk is limited to users accidentally re-interacting with v1 instead of v2.

Sources

  • Internal
    Liquity Protocol Profile §2. research/protocols/liquity/00-profile.md §2 — v1 in legacy-immutable state; no admin, no shutdown possible. Retrieved 2026-05-16.
  • Docs
    Liquity v1 Documentation — Resources. Liquity v1 documentation resources — v1 contracts still live, team has no admin authority to revoke approvals. Retrieved 2026-05-16.

Methodology

Count the number of active user approvals (ERC-20 `allowance`) to deprecated router or protocol contracts.
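
One way to carry out this count, as an added example that is not the curator's or the project's own tooling: replay decoded ERC-20 `Approval` logs to find candidate grants to deprecated spenders, then confirm each against the current `allowance`. The addresses, log records, `ONCHAIN` table and `read_allowance` callback are constructed placeholders; in practice the callback would be an `eth_call`.

```python
# Added example: count live ERC-20 approvals to deprecated spenders.
# Every address and log record below is a constructed placeholder.
from collections import Counter

MAX_UINT256 = 2**256 - 1
OLD = "0xdeprecated_spender_placeholder"
TOKEN = "0xtoken_placeholder"

def latest_approvals(logs, deprecated):
    # Replay Approval(owner, spender, value) logs in chain order. The last
    # event per (token, owner, spender) wins, so approve(spender, 0) clears an
    # earlier grant. Only non-zero grants to deprecated spenders are returned.
    state = {}
    for log in sorted(logs, key=lambda l: (l["block"], l["log_index"])):
        spender = log["spender"].lower()
        if spender in deprecated:
            state[(log["token"].lower(), log["owner"].lower(), spender)] = log["value"]
    return {k: v for k, v in state.items() if v > 0}

def count_stale(logs, deprecated, read_allowance):
    # Logs alone overstate exposure: transferFrom can spend a finite allowance
    # without emitting a new Approval event, so the current allowance() read
    # is authoritative. Returns (approvals per spender, unlimited approvals).
    per_spender, unlimited = Counter(), 0
    for token, owner, spender in latest_approvals(logs, deprecated):
        live = read_allowance(token, owner, spender)
        if live > 0:
            per_spender[spender] += 1
            unlimited += int(live == MAX_UINT256)
    return dict(per_spender), unlimited

SAMPLE_LOGS = [  # constructed
    {"block": 100, "log_index": 0, "token": TOKEN, "owner": "0xalice", "spender": OLD, "value": MAX_UINT256},
    {"block": 101, "log_index": 2, "token": TOKEN, "owner": "0xbob", "spender": OLD, "value": 500},
    {"block": 105, "log_index": 1, "token": TOKEN, "owner": "0xbob", "spender": OLD, "value": 0},  # revoked
    {"block": 106, "log_index": 0, "token": TOKEN, "owner": "0xcarol", "spender": OLD, "value": 1000},  # later spent
    {"block": 107, "log_index": 0, "token": TOKEN, "owner": "0xdave", "spender": "0xactive", "value": 1},
]
# Constructed stand-in for on-chain allowance() results.
ONCHAIN = {(TOKEN, "0xalice", OLD): MAX_UINT256, (TOKEN, "0xcarol", OLD): 0}

def sample_read(token, owner, spender):
    return ONCHAIN.get((token, owner, spender), 0)

if __name__ == "__main__":
    print(count_stale(SAMPLE_LOGS, {OLD}, sample_read))
```

In the sample, the revoked grant and the fully spent grant drop out, leaving one live approval, which is unlimited.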


rubric_version: v1.7.0; protocol: liquity; factor: RD-F-168; score: yellow; collected_at: 2026-05-16 10:35:50