What is an ERC-20 token approval?
An ERC-20 token approval is a call to a token contract's approve function that lets a smart contract or another address (the "spender") move tokens out of the approving address with transferFrom, up to the approved amount (the "allowance"). In most cases an approval has to be granted before a token trade or before depositing tokens into a smart contract, for example when adding liquidity. Many protocols ask users to approve an unlimited amount so the asset never needs to be approved again, but this can be dangerous.
A token approval is an on-chain permission that cryptocurrency holders grant to smart contracts before an action, like a swap, enabling those smart contracts to pull and transfer tokens directly from the user's wallet. This mechanism is fundamental to decentralized finance (DeFi): token swapping on decentralized exchanges (DEXes), yield farming, staking, lending platforms, and NFT marketplaces all rely on it. A standing approval streamlines user interactions because the user does not have to sign a fresh approval before every swap or deposit, which saves transaction costs (gas fees) and improves the overall user experience.
How can an ERC-20 token approval compromise my wallet?
Token approvals also introduce substantial security risks. When granting an approval, the user is allowing the approved smart contract or address to transfer the approved tokens; with an unlimited approval that means the wallet's entire balance of that token, including tokens received after the approval was granted. This is dangerous because, once granted, a malicious or compromised smart contract can withdraw the tokens without any further signature from, or notification to, the user. Scammers have historically exploited token approvals through phishing schemes, faulty smart contracts, and malicious dApps designed to drain funds from user wallets.
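The following is an added example, not code from the original page or from any protocol: a small in-memory model of ERC-20 balances and allowances that plays out the situation above. It assumes the common implementation detail (used, for instance, by OpenZeppelin's ERC20) that an allowance equal to the maximum uint256 value is treated as infinite and never decremented; the account names and amounts are constructed.

```python
"""Toy model of ERC-20 allowances: what a spender can do after approve()."""

UINT256_MAX = 2**256 - 1  # the value wallets display as an "unlimited" approval


class Token:
    """Minimal in-memory ERC-20: balances plus (owner, spender) -> allowance."""

    def __init__(self, balances=None):
        self.balances = dict(balances or {})
        self.allowances = {}

    def approve(self, owner, spender, amount):
        # approve() overwrites the allowance; approving 0 revokes it.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer_from(self, spender, owner, to, amount):
        """The spender pulls `amount` of the owner's tokens; the owner signs nothing here."""
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        # Assumed implementation detail (as in OpenZeppelin ERC20): an allowance of
        # uint256 max is treated as infinite and is never decremented.
        if allowed != UINT256_MAX:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.mint(to, amount)


def scenario(unlimited):
    """Alice approves a router, does one swap, then the router turns malicious.

    Returns what an attacker controlling the router could take with a limited
    versus an unlimited approval, and what revoking the approval changes.
    Names and amounts are constructed for illustration.
    """
    token = Token({"alice": 1_000})
    token.approve("alice", "router", UINT256_MAX if unlimited else 100)

    # The legitimate interaction: the router pulls exactly the 100 tokens Alice is swapping.
    token.transfer_from("router", "alice", "pool", 100)
    allowance_after_swap = token.allowance("alice", "router")

    def try_drain():
        """Attempt to move Alice's whole balance to the attacker."""
        try:
            token.transfer_from("router", "alice", "attacker", token.balances["alice"])
            return True
        except PermissionError:
            return False

    drained_now = try_drain()            # router compromised: empty the wallet
    token.mint("alice", 500)             # Alice later receives more tokens...
    drained_later = try_drain()          # ...and the old approval still covers them

    token.approve("alice", "router", 0)  # revocation: allowance back to zero
    token.mint("alice", 500)
    drained_after_revoke = try_drain()

    return {
        "alice_balance": token.balances["alice"],
        "allowance_after_swap": allowance_after_swap,
        "drained_now": drained_now,
        "drained_later": drained_later,
        "drained_after_revoke": drained_after_revoke,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("unlimited" if mode else "limited", scenario(mode))
```

With a limited approval the router can take nothing beyond the 100 tokens it was allowed for; with an unlimited one it empties the wallet, empties it again after the next deposit, and is only stopped when the allowance is set back to zero.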
Several high-profile exploits highlight the potential severity of this risk. Legitimate platforms like Zapper and Li.Fi have suffered breaches where attackers drained assets using previously granted unlimited token approvals. Additionally, scammers often deceive users into granting approvals to malicious addresses, allowing them to steal legitimate tokens later. Thus, users must exercise caution, thoroughly verify smart contract addresses before granting approvals, and avoid providing unlimited token approvals unless absolutely necessary. You can read more about potential phishing schemes that exploit token approvals in the article Trading signals scam.
To mitigate risks associated with token approvals:
Always perform due diligence on dApps and smart contracts before approving tokens. Verify their authenticity via block explorers like Etherscan, and confirm that the spender address in the approval transaction matches the contract address the protocol publishes.
Use limited token approvals rather than unlimited ones: approve only the amount the current action needs, so that an exploit is capped at that amount.
Periodically review and revoke unnecessary token approvals, especially for dApps you no longer actively use. Tools like Revoke.cash and blockscan.com can assist in managing and revoking these approvals.
Segregate assets by maintaining separate wallets for long-term holdings and daily interactions with dApps, limiting potential losses in case of exploitation.
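As an added example (not code from the original page or from any wallet or protocol), the script below applies the checks above to the raw transaction data a wallet asks you to sign: it decodes approve(address,uint256) calldata, flags an unexpected spender, an unlimited amount, or an amount larger than the action needs, and builds the revocation transaction (an approve for zero). The four-byte selector 0x095ea7b3 is the one fixed by the ERC-20 ABI; the router and phishing addresses and the swap amount are constructed. In practice a library such as web3.py or ethers.js does the ABI encoding; it is done by hand here so the example runs offline.

```python
"""Inspect approve() calldata before signing, and build the revoke transaction."""

# 4-byte selector of approve(address,uint256): the first four bytes of
# keccak256 of the signature, fixed by the ERC-20 ABI.
APPROVE_SELECTOR = "095ea7b3"
UINT256_MAX = 2**256 - 1
HEX_DIGITS = set("0123456789abcdef")


def encode_approve(spender, amount):
    """ABI-encode approve(spender, amount) as 0x-prefixed hex calldata."""
    if not 0 <= amount <= UINT256_MAX:
        raise ValueError("amount out of uint256 range")
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40 or not set(addr) <= HEX_DIGITS:
        raise ValueError("spender is not a 20-byte hex address")
    # Each argument occupies a 32-byte word; the address is right-aligned in its word.
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + f"{amount:064x}"


def decode_approve(calldata):
    """Return (spender, amount) for approve() calldata, or None for anything else."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    if data[8:32] != "0" * 24:  # the 12 padding bytes before the address must be zero
        return None
    return "0x" + data[32:72], int(data[72:], 16)


def revoke_calldata(spender):
    """Revoking an ERC-20 approval is simply approve(spender, 0)."""
    return encode_approve(spender, 0)


def check_approval(calldata, expected_spender, needed_amount):
    """Policy a wallet could apply before signing. Returns a short verdict string."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return "reject: not an approve() call"
    spender, amount = decoded
    if spender != expected_spender.lower():
        return "reject: spender does not match the protocol's published contract"
    if amount == UINT256_MAX:
        return "warn: unlimited approval"
    if amount > needed_amount:
        ratio = amount // max(needed_amount, 1)
        return f"warn: approval is {ratio}x what this action needs"
    return "ok: bounded approval"


# Constructed sample: a router address and a swap of 250 tokens with 18 decimals.
ROUTER = "0x" + "11" * 20
PHISHING_SPENDER = "0x" + "ee" * 20
SWAP_AMOUNT = 250 * 10**18

if __name__ == "__main__":
    samples = {
        "exact": encode_approve(ROUTER, SWAP_AMOUNT),
        "unlimited": encode_approve(ROUTER, UINT256_MAX),
        "phishing": encode_approve(PHISHING_SPENDER, UINT256_MAX),
    }
    for name, tx in samples.items():
        print(f"{name:10s} {check_approval(tx, ROUTER, SWAP_AMOUNT)}")
    print("revoke tx data:", revoke_calldata(ROUTER))
```

The same decoding is what revocation tools and block explorers do when they list your approvals; the verdict logic is the part you can apply yourself by reading the "data" field of a pending transaction before confirming it.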
How can I revoke these token approvals if my wallet has been compromised?
Here is a compiled list of tools, by chain, for revoking token approvals in case your wallet is ever compromised through one. Revoking an approval sets the allowance for that spender back to zero; it is itself a transaction, so it costs gas and only takes effect once mined. Note that revocation protects against a malicious or compromised spender contract: if your private key or seed phrase has been exposed, revoking approvals is not enough, and the remaining funds should be moved to a fresh wallet.
Ethereum
BNB Chain
Polygon
Arbitrum
Optimism
Avalanche
Fantom
Gnosis Chain
Kaia
zkSync Era
Base
Aurora
Linea