Dead apps, live money
The recent Aztec Connect exploit points to a problem crypto still has not handled well.
Aztec Connect had been deprecated for years. The team communicated the shutdown, stopped new deposits, gave users time to withdraw, and eventually no longer had admin control over the old contracts.
@aztecnetwork is a serious team, which is why the example matters. This was not an obvious scam or a team vanishing overnight, but funds still remained in the old contracts, and around $2M was later drained.
The same issue exists across the industry. People still have money sitting in deprecated bridges, v1 DeFi pools, inactive vaults, legacy L2s, old appchains, abandoned contracts, and protocols where the original founders or technical leads have moved on.
To users, many of these positions still look fine. The balance shows up in the wallet, the UI may still load, and the contract may still be callable. But the risk can be very different from when they first deposited.
A pool may now have weak liquidity, a vault may no longer be closely monitored, a bridge may no longer be maintained, oracle assumptions may be outdated, or a chain may have announced a migration window that users missed.
Right now, too much of this burden sits on users. We expect them to track X, Discord, docs, governance forums, GitHub, audit updates, bridge changes, liquidity conditions, and migration deadlines across every protocol they have ever touched.
At the same time, teams cannot support every old deployment forever. Products get deprecated, priorities change, founders leave, liquidity moves, and chains shut down.
So the answer is not permanent team responsibility. It is better communication where users actually manage their money.
Wallets, explorers, and portfolio apps should warn users when they still hold assets in systems that are deprecated, illiquid, abandoned, no longer maintained, or close to a shutdown or migration deadline.
This should not be one company assigning subjective safety scores. A better model is a shared status layer/API based on self-reported project updates, security researchers/auditors, community notes, etc.
Projects should be able to clearly mark deployments as deprecated, withdrawal-recommended, migration-available, or no longer maintained. Independent sources should also be able to add evidence when liquidity disappears, a bridge is being sunset, an exploit is known, or no maintainer has refreshed the status in a long time. Then wallets can show the warning only when it matters: when a user actually has exposure.
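The wallet-side check described above, as an added example that is not part of the original post. The record fields, evidence labels, deployment names and the 180-day staleness threshold are all assumptions; no such API exists on this page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Assumption: the post says only "a long time"; 180 days is a placeholder.
STALE_AFTER = timedelta(days=180)
# Labels the post says projects should be able to set on a deployment.
PROJECT_FLAGS = {"deprecated", "withdrawal-recommended",
                 "migration-available", "no-longer-maintained"}

@dataclass
class Evidence:               # independent input (hypothetical schema)
    source: str               # "auditor", "researcher", "community-note"
    claim: str                # "liquidity-gone", "bridge-sunset", "known-exploit"

@dataclass
class DeploymentStatus:       # one record in the shared status layer
    self_reported: str        # project's own label, "active" if none set
    refreshed_at: datetime    # last time a maintainer confirmed the label
    evidence: list = field(default_factory=list)

def warnings_for(holdings, registry, now):
    """Return {deployment: [reasons]} only where the user holds a balance."""
    out = {}
    for deployment, balance in holdings.items():
        status = registry.get(deployment)
        if balance <= 0 or status is None:
            continue          # no exposure or no record: stay silent
        reasons = []
        if status.self_reported in PROJECT_FLAGS:
            reasons.append(f"project: {status.self_reported}")
        reasons += [f"{e.source}: {e.claim}" for e in status.evidence]
        if now - status.refreshed_at > STALE_AFTER:
            reasons.append("stale: no maintainer refresh")
        if reasons:
            out[deployment] = reasons
    return out

# Constructed sample data; deployment names are placeholders, not real contracts.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
REGISTRY = {
    "old-bridge": DeploymentStatus("deprecated", NOW - timedelta(days=400),
                                   [Evidence("auditor", "liquidity-gone")]),
    "v1-pool": DeploymentStatus("active", NOW - timedelta(days=10)),
    "legacy-vault": DeploymentStatus("active", NOW - timedelta(days=365)),
    "sunset-l2": DeploymentStatus("withdrawal-recommended", NOW - timedelta(days=5)),
}
HOLDINGS = {"old-bridge": 1200, "v1-pool": 50, "legacy-vault": 300, "sunset-l2": 0}
if __name__ == "__main__":
    for deployment, reasons in warnings_for(HOLDINGS, REGISTRY, NOW).items():
        print(deployment, "->", "; ".join(reasons))
```

The flagged deployment with a zero balance and the healthy pool produce no warning, while the vault whose project never marked it is still surfaced because its status went stale.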
I'm sure there are better solutions than my idea, but I'm sure we can do better as well.