Token approvals are an essential part of web3. Before users can swap tokens, provide liquidity to liquidity pools, or stake with farms, they must first allow smart contracts to access their assets. Once approved, the smart contract will have permission to use the approved amount of tokens. This is usually not a problem, but bad actors could steal your funds if you are not careful. Read on to learn more.
What is a token approval?
If you use MetaMask, you will probably be familiar with token approvals which look like this:
This screenshot shows an example of approving access to the USDC token on the Fantom network on the DEX aggregator Firebird Finance. The approved amount is a huge number – 1.15e+71. This is practically infinite, meaning the smart contract has unlimited access to spend the user’s USDC tokens.
After approving this transaction, Firebird Finance would have access to the USDC in order to execute trades for other assets such as ETH, FTM, or BTC. The user would only have to approve the permission once to swap for any of these assets as the app has been permitted to spend USDC.
DeFi cannot function without approvals as the platforms have no way to move funds between wallets. So if you want to hop into web3, token approvals are essential. In most cases, unlimited token allowances are convenient. This means there is no limit to the quantity of the token that can be accessed by the platform, saving you the hassle of granting permission each time you make a new transaction.
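The approval a wallet asks you to sign is a call to the token's standard ERC-20 `approve(spender, amount)` function. The sketch below is an added example, not code from the original article or from any platform it names: it decodes such a request, compares the amount with what you intend to spend, and builds the zero-amount call that revokes it. The spender address is a constructed placeholder, and the token is assumed to have 6 decimals (as USDC does), which is why the maximum 256-bit value displays as roughly 1.15e+71 tokens.

```javascript
// Added example (not from the original article): review an ERC-20 approve() request.
const APPROVE_SELECTOR = "095ea7b3";   // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // amount sent for an "unlimited" approval

// Build approve(spender, amount) calldata; an amount of 0n revokes the approval.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("spender is not a 20-byte address");
  if (amount < 0n || amount > MAX_UINT256) throw new Error("amount out of uint256 range");
  return "0x" + APPROVE_SELECTOR + addr.padStart(64, "0") + amount.toString(16).padStart(64, "0");
}

// Parse calldata back into spender and raw amount, rejecting anything malformed.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{136}$/.test(hex)) throw new Error("expected 4 + 32 + 32 bytes of hex");
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) throw new Error("not an approve() call");
  if (!/^0{24}$/.test(hex.slice(8, 32))) throw new Error("address word is not zero-padded");
  return { spender: "0x" + hex.slice(32, 72), amount: BigInt("0x" + hex.slice(72)) };
}

// Convert a raw integer amount to whole tokens as an exact decimal string.
function formatUnits(amount, decimals) {
  const s = amount.toString().padStart(decimals + 1, "0");
  const frac = s.slice(s.length - decimals).replace(/0+$/, "");
  return s.slice(0, s.length - decimals) + (frac ? "." + frac : "");
}

// Compare the requested allowance with what the user intends to spend right now.
function reviewApproval(calldata, decimals, intendedRaw) {
  const { spender, amount } = decodeApprove(calldata);
  let verdict = "bounded";
  if (amount === 0n) verdict = "revoke";
  else if (amount === MAX_UINT256) verdict = "unlimited";
  else if (amount > intendedRaw) verdict = "exceeds-intended";
  return { spender, verdict, tokens: formatUnits(amount, decimals),
           revokeCalldata: encodeApprove(spender, 0n) };
}

// Constructed sample: placeholder spender, 6-decimal token, user wants to swap 250 tokens.
const SPENDER = "0x" + "ab".repeat(20);
const INTENDED = 250000000n; // 250 tokens in raw units
const unlimited = reviewApproval(encodeApprove(SPENDER, MAX_UINT256), 6, INTENDED);
console.log(unlimited.verdict, unlimited.tokens.split(".")[0].length, "digits before the point");
```

A "bounded" verdict means the allowance covers only the intended spend, so a later exploit of the spender contract cannot reach the rest of the balance.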
What is the risk of token approvals?
Unlimited approvals are handy because you only have to approve one time. The risk of using unlimited approvals is that your entire holdings of that asset will be exposed in the case of a smart contract exploit, rug pull, or hack, or if you approve a malicious smart contract. This means that your wallet can be drained at any time, whether you are using the platform or not.
Bad actors often make fake versions of popular projects to trick people into giving approvals to malicious smart contracts. As soon as the approval is completed, the bad actor can steal the tokens at any time. You must be vigilant and verify the authenticity of platforms before allowing token approvals.
Many users may feel confident using unlimited approvals with battle-tested DeFi platforms, but beware of having a false sense of security, as exploits can happen anywhere. It is in your best interest to play it safe by closely monitoring your token approvals.
Revoking Permissions
The good news is that there are plenty of ways to manage your existing approvals. For most blockchains, you can access their block explorer and use its built-in 'approval checker'. Connect your wallet to review all of the token approvals that are currently outstanding. You can revoke these permissions or set them at a new level.
Here is a list of approval checkers for a number of different networks:
| Approval Checker | Network |
| --- | --- |
| Etherscan | Ethereum |
| FTMscan | Fantom |
| BscScan | BNB Chain |
| Optimism Etherscan | Optimism |
| Unrekt | Cross-chain |
| Revoke.cash | Cross-chain |
Conclusion
Token approvals are a requirement for entering the DeFi space. Issuing unlimited approvals is usually not problematic, as long as you can verify the platform's integrity. To be safe, you should still monitor your approvals, and it is best practice to revoke access to any platforms you are not using.
Here are some quick tips for staying safe when using token approvals:
- Get in the habit of regularly checking your token approvals. If you are unsure about an approval, revoke it immediately. You can always re-approve at a later date.
- Be cautious about allowing unlimited access to tokens. Consider setting a smaller limit and then increasing it at a later date.
- Do your due diligence on any site where you grant token allowances. Ensure that the site is trustworthy. If it was developed by a bad actor, they can drain your wallet as soon as you approve.