OIP-260: Reclamation of Dormant Funds from Deprecated Contracts and Migration to a Unified Claim Contract

Voting ended 29 days agoSucceeded

id	Title	Status	Author	Description	Discussions to	Created
OIP-260	Reclamation of Dormant Funds from Deprecated Contracts and Migration to a Unified Claim Contract	Draft	padzank	Migrate residual LP, Vault, and THALES staking balances from deprecated Thales and Overtime V1 contracts on Optimism, Arbitrum, and Base into per-chain claim contracts, in order to reduce long-tail exploit surface while preserving every depositor's right to withdraw their share in full.	https://discord.com/invite/overtime-io	2026-05-14

Simple Summary

Sweep residual LP, Vault, and THALES staking balances out of deprecated Thales LPs, Overtime V1 LPs, Thales Vaults, Overtime V1 Vaults, and Thales staking contracts across Optimism, Arbitrum, and Base into per-chain claim contracts. Stablecoin and LP-token balances total approximately $53,743. THALES staking balances total approximately 1,582,403 THALES. Every dormant depositor retains a right to claim their full pro-rata share. The protocol retires five classes of unmaintained contracts and removes their long-tail exploit surface.

Abstract

The deprecated Thales LPs, Overtime V1 LPs, Thales Vaults, and Overtime V1 Vaults collectively hold approximately $53,743 in LP capital across multiple deployments per LP/Vault series and three chains. Separately, the Thales staking contracts on Optimism, Arbitrum, and Base hold approximately 1,582,403 THALES tokens in dormant staked balances (Optimism ~1,219,443; Arbitrum ~358,457; Base ~4,503). All rounds are halted; allocations are static; utilization is zero. The funds belong to depositors who have, for periods of multiple years, not withdrawn, likely a mix of forgotten wallets, dust balances not worth gas, or lost keys.

These contracts are no longer part of the active codebase, are no longer covered by ongoing audits or bug bounties at the same priority as live infrastructure, and present a passive long-tail risk surface. As automated vulnerability discovery improves, including LLM-assisted static analysis and fuzzing pipelines targeting historical DeFi deployments, the expected cost of leaving dormant balances in unmaintained code rises monotonically.

This proposal would authorize the pDAO multisig to:

Snapshot LP, Vault, and staking balances at a defined block per chain.
Where existing contract methods permit, invoke owner/admin withdrawal paths to move funds to a pDAO-controlled address.
Where existing contracts do not expose a suitable method, propose and execute a minimal upgrade strictly limited to adding a balance-sweep function with a hard-coded destination.
For THALES staking balances, sweep THALES from the staking contracts across Optimism, Arbitrum and Base deployments.
Deploy three per-chain claim contracts (Optimism, Arbitrum, Base) holding the swept funds and a function of whitelisted depositor addresses to withdraw their balances.
Publish the snapshot data and per-address claim portal indefinitely.

Claims would remain open in perpetuity with no expiry. No depositor loses any economic claim. The protocol reduces its passive attack surface from five contract families across three chains to one audited claim contract per chain.

Motivation

The deprecated contracts in question have not received feature changes in a long time. Each represents a deployment frozen at a codebase that is no longer the focus of security attention.

Three concrete risk vectors:

Dependency rot. Many of these contracts integrate with external implementations that have themselves been upgraded or deprecated. A change in a dependency's behavior can create unanticipated state transitions in code no one is actively monitoring.
Newly disclosed primitive vulnerabilities. Reentrancy variants, signature-malleability patterns, and proxy-storage-collision bugs continue to be discovered in classes of contracts deployed years before disclosure. Live contracts get patched; deprecated ones do not.
Automated discovery scaling. Adversarial tooling, including ML-assisted symbolic execution and LLM-driven vulnerability hunting against verified bytecode, lowers the marginal cost of finding bugs in obscure or low-TVL contracts. The historical assumption that "$5k–$30k pools are not worth attacking" weakens when discovery is near-free and exploits can be batched.

Staking contracts deserve separate motivation. THALES staked balances in deprecated staking contracts represent a particularly attractive target: large nominal token balances (over 1.5M THALES aggregated across chains), known token contract with an active 1:1 migration path to $OVER, and staking logic that historically has been a frequent source of exploit vectors. Leaving 1.5M+ THALES sitting in unmaintained staking contracts is a standing invitation, and an exploit that drains those balances directly converts into $OVER liability for the protocol via the migration contract.

The asymmetry is the key argument. Cost of a sweep-and-migrate operation: one routine engineering push. Cost of an exploit on a deprecated contract: total loss of remaining balance plus reputational damage to Overtime regardless of the contract's deprecated status, because users and the public will not distinguish "active Overtime V2" from "deprecated Thales V1".

Specification

This OIP entails the Overtime Protocol DAO to sweep residual LP, Vault, and staking balances of the following contract families:

Thales LPs: Optimism (Thales LP, Thales LP sUSD), Arbitrum (Thales LP), Base (Thales LP).
Overtime V1 LPs: Optimism (Sports LP, Parlay LP), Arbitrum (Sports LP, Parlay LP), Base (Sports LP, Parlay LP).
Thales Vaults: Optimism (Discount, Degen Discount, Safu Discount), Arbitrum (Discount, Degen Discount, Safu Discount).
Overtime V1 Vaults: Optimism (Discount, Degen Discount, Safu Discount, Upsettoor).
Thales Staking Contracts: Optimism (holder address 0xC392133eEa695603B51a5d5de73655d571c2CE51, ~1,219,443 THALES), Arbitrum (holder address 0x160Ca569999601bca06109D42d561D85D6Bb4b57, ~358,457 THALES), Base (holder address 0x84aB38e42D8Da33b480762cCa543eEcA6135E040, ~4,503 THALES).

Any other deprecated contract holding dormant positions and discovered during snapshot preparation will be added to this list via a minor amendment before execution, subject to pDAO discretion.

Rationale

N/A

Implementation

N/A

Conclusion

N/A

Copyright

Off-Chain Vote

For

3 TC-NFT100%

Against

0 TC-NFT0%

Quorum:300%

Download mobile app to vote

Discussion

OIP-260: Reclamation of Dormant Funds from Deprecated Contracts and Migration to a Unified Claim Contract

Timeline

May 22, 2026Proposal created

May 22, 2026Proposal vote started

May 25, 2026Proposal vote ended

May 25, 2026Proposal updated

Title

Status

Author

Description

Discussions to

Created

OIP-260

Reclamation of Dormant Funds from Deprecated Contracts and Migration to a Unified Claim Contract

Draft

padzank

Migrate residual LP, Vault, and THALES staking balances from deprecated Thales and Overtime V1 contracts on Optimism, Arbitrum, and Base into per-chain claim contracts, in order to reduce long-tail exploit surface while preserving every depositor's right to withdraw their share in full.

https://discord.com/invite/overtime-io

2026-05-14

Simple Summary

Abstract

This proposal would authorize the pDAO multisig to:

Snapshot LP, Vault, and staking balances at a defined block per chain.

Where existing contract methods permit, invoke owner/admin withdrawal paths to move funds to a pDAO-controlled address.

Where existing contracts do not expose a suitable method, propose and execute a minimal upgrade strictly limited to adding a balance-sweep function with a hard-coded destination.

For THALES staking balances, sweep THALES from the staking contracts across Optimism, Arbitrum and Base deployments.

Deploy three per-chain claim contracts (Optimism, Arbitrum, Base) holding the swept funds and a function of whitelisted depositor addresses to withdraw their balances.

Publish the snapshot data and per-address claim portal indefinitely.

Motivation

The deprecated contracts in question have not received feature changes in a long time. Each represents a deployment frozen at a codebase that is no longer the focus of security attention.

Three concrete risk vectors:

Dependency rot. Many of these contracts integrate with external implementations that have themselves been upgraded or deprecated. A change in a dependency's behavior can create unanticipated state transitions in code no one is actively monitoring.

Newly disclosed primitive vulnerabilities. Reentrancy variants, signature-malleability patterns, and proxy-storage-collision bugs continue to be discovered in classes of contracts deployed years before disclosure. Live contracts get patched; deprecated ones do not.

Automated discovery scaling. Adversarial tooling, including ML-assisted symbolic execution and LLM-driven vulnerability hunting against verified bytecode, lowers the marginal cost of finding bugs in obscure or low-TVL contracts. The historical assumption that "$5k–$30k pools are not worth attacking" weakens when discovery is near-free and exploits can be batched.

Specification

This OIP entails the Overtime Protocol DAO to sweep residual LP, Vault, and staking balances of the following contract families:

Thales LPs: Optimism (Thales LP, Thales LP sUSD), Arbitrum (Thales LP), Base (Thales LP).

Overtime V1 LPs: Optimism (Sports LP, Parlay LP), Arbitrum (Sports LP, Parlay LP), Base (Sports LP, Parlay LP).

Thales Vaults: Optimism (Discount, Degen Discount, Safu Discount), Arbitrum (Discount, Degen Discount, Safu Discount).

Overtime V1 Vaults: Optimism (Discount, Degen Discount, Safu Discount, Upsettoor).

Thales Staking Contracts: Optimism (holder address 0xC392133eEa695603B51a5d5de73655d571c2CE51, ~1,219,443 THALES), Arbitrum (holder address 0x160Ca569999601bca06109D42d561D85D6Bb4b57, ~358,457 THALES), Base (holder address 0x84aB38e42D8Da33b480762cCa543eEcA6135E040, ~4,503 THALES).

Any other deprecated contract holding dormant positions and discovered during snapshot preparation will be added to this list via a minor amendment before execution, subject to pDAO discretion.