All Articles
All Articles

ERC-20 Allowances: Avoid Risky Approvals & Revoke Malicious Smart Contract Permissions

Table of Contents

If you’re reading this, it’s probably because you’re researching DeFi yield farming and you know how fast the industry has been growing. While the path has been fraught with hacks and scams, it’s important to remember how early we still are. The road to DeFi dominance is a marathon, and we are only at the beginning. 

For this reason, we know how important it is to continue educating the community about the fundamentals that will help them prosper over the long term. So in this guide, we’ll be tackling the important topic of smart contract approvals and ERC-20 allowances.

To succeed and stay safe within DeFi, this is foundational knowledge that all participants must have. The reality is that most people do not understand these topics because they aren’t, at first glance at least, easy to grasp and they require an element of technical knowledge.

Essentially, it is harder and less exciting to understand token allowances than it is to chase the latest memecoin. However, if you can take the time to understand what’s going on “under the hood” of the latest crypto project, you’ll not only be in a much better position to avoid the heartache of getting rekt in the short-term but also give yourself the best chance to succeed in DeFi over the long term.

An overview of smart contracts 

Smart contracts are the bedrock of DeFi and the crypto world more generally because they regulate everything. They are made of code that contains data about transactions, changes, conditions, and other related information. This code runs a program that fulfills agreements between two or more parties so that, if certain conditions are met, certain actions occur.

In DeFi, for example, you might want to use your tokens to interact with certain dapps, make deposits, participate in liquidity mining, or do other transactions. These activities are made possible by smart contracts acting behind the scenes and documenting everything that goes on. 

Smart contracts power critical DeFi infrastructure like Uniswap’s liquidity pools

Furthermore, they are fully accessible to any participant on the network, so anyone can see all the transactions, changes, and conditions that a smart contract contains, and take actions based on what they see.

Of course, this transparency depends on being able to read the code. Solidity, the programming language these smart contracts are usually written in, is a language that many are unable or unwilling to learn to interpret.

It’s also worth remembering that, while there are many different types of smart contracts, this guide will be focusing on two that are significant within DeFi:

Staking token contracts: These contracts are used within staking to receive the reward token.

Farming/staking contracts: These contracts are used within staking to manage withdrawals.

Where can you find smart contracts? 

Some projects publish smart contracts directly on their GitHub repositories and you can find one by searching for “{project name} github” in Google. Once you have clicked on the relevant result, look for the addresses and smart contracts within the GitHub repository. 

Alternatively, you can use block explorers, such as Etherscan or BSCScan. Both of these tools allow you to review all contracts related to the tokens you search for.

To find a smart contract in this way, open the block explorer and use the search bar to type in your token. You will then see the Contract tab and the code of the contract, as shown in the example from BSCScan below.

bsc contract source code

The ERC-20 technical specifications 

Having at least a basic understanding of the ERC-20 technical specification is important because it relates to tokens.

The “ERC” part stands for Ethereum Request for Comments and this refers to the official protocol for making proposals to improve the Ethereum network. The “20” is the unique identification number of the specific improvement proposal. The ERC-20 improvement proposal matters because it is the one published in 2015 that deals with tokens issued on the Ethereum blockchain.

Tokens that meet the appropriate technical specifications are known as ERC-20 tokens and they are effectively smart contracts on the Ethereum blockchain. The ERC-20 standard defines a set of rules that must be followed for a token to be accepted and to interact with other contracts on the network. 

Mandatory and optional parameters

The ERC-20 standard provides six mandatory and three optional (but recommended) parameters for any smart contract. Mandatory parameters include:

totalSupply function: This function relates to the total number of tokens that have been minted (where ‘minted’ essentially means the same as ‘created’). The development team of any project can add a limit so the supply of tokens does not increase.

balanceOf function: This function relates to the current total number of tokens that exist within a specific contract address. 

transfer function: This is one of the functions used for distributing tokens and enabling transactions. When an address calls this function, it does so to send tokens from the address to another address.

transfer function smart contract code

A snippet of transfer function code as displayed by the De.Fi Scanner

transferFrom function: This is another function used for distributing tokens and enabling transactions. When calling this function, an address approves another address to deduct a certain amount of tokens. In yield farming, it is used to move tokens to the staking pool.

approve function: This function is used in conjunction with the two previously mentioned functions and relates to verifying the processes. Specifically, it is used to deduct an amount of tokens from the wallet of the user.

allowance function: This function is another used to move tokens. It checks how many tokens can be deducted from a certain wallet by a certain contract.

In addition to these mandatory parameters, there are several optional parameters. One of the optional parameters defines the number of fractional digits after the decimal point that a token might have. For comparison, Bitcoin has eight fractional digits, which appears as 1.00000000 BTC.

Other optional parameters include defining the name of the token and its symbol. By defining a consistent set of parameters, project teams make it easier for exchange and DeFi wallet providers to create a single codebase that interacts with the ERC-20 smart contract.

Understanding ERC-20 allowances

A common way for users to interact with dapps (and their smart contracts) is through a wallet like Metamask, so it’s worth looking at how ERC-20 allowances work in this situation.

As mentioned, the ERC-20 standard allows smart contracts to transfer tokens on behalf of users using the transferFrom function. Once this occurs, the smart contract will update its balance to reflect the movement of user tokens.

For this to occur though, the user needs to first allow the smart contract to transfer tokens on their behalf. In the image below, you can see what this approval process looks like in Metamask.

metamask transfer allowances screen

Within DeFi, a user may want to follow this process to deposit their ERC-20 tokens into a protocol’s smart contract and earn interest. 

To do this, you need to first allow the protocol’s contract to take some amount of your tokens from your wallet. Then you call a smart contract function within the protocol’s contract that allows you to specify how many tokens you want to deposit. You then use the transferFrom function to transfer the correct amount from your wallet.

Usually, this process is abstracted away from the user in order to simplify the user experience, as soon as you confirm that you want to allow the transfers to take place.

Why you should beware of unlimited allowances

As mentioned above, an important step in the process of interacting with a DeFi protocol’s smart contracts is allowing them to take some tokens from your wallet. 

If you’re one of those people who just clicks the confirm button and forgets about it, you’re not alone. However, this trusting approach can cause serious issues if you don’t understand what you are doing. 

That’s because, while you might think there is an automatic limit built into the number of tokens you are allowing to be transferred, this is not the case. You can choose to set an allowance for the exact amount but many users do not realize that many dapps request an unlimited allowance from the user.

While this might immediately scare you off any interactions with DeFi dapps, it doesn’t need to. If you are researching which DeFi protocols to use and are only choosing the ones that your research suggests can be trusted, this feature may well not be harmful. Furthermore, it’s worth recognizing that trustworthy protocols use this feature in good faith because unlimited allowances can make it easier and cheaper to make lots of small transactions. 

However, this only works if the protocol’s smart contracts are secure and the development team’s intentions are good. If scams, bugs, or malicious actors are involved, history tells us that unlimited allowances can be disastrous for DeFi users. 

Let’s run through a few examples to learn more about what can happen if you’re not careful with your DeFi interactions: 

Sablier allowances bug discovered

Initially, the issues surrounding unlimited allowances emerged as a result of research rather than a hack. 

Paul Razvan Berg, a tech lead for Sablier, gave a presentation at Devcon V in 2019 in which he described a bug in the project’s smart contracts. Essentially, it involved 10,000 $DAI that was in testers’ wallets and was at risk because the smart contract had permission to spend it through the unlimited allowance. 

Before the platform went into production, the bug was fixed and the issue was resolved. You can see the video of Paul Razvan Berg’s presentation here:

Bancor allowances bug countered

In 2020, a similar bug was spotted in the Bancor protocol. However, this time user funds were at risk.

The issue occurred because the function that executes the ERC20 transferFrom function, which had been private to the contract, was accidentally made public. This allowed anyone to execute it and drain funds from the community wallets. 

Bancor counterattacked the hack to avoid damage and, fortunately, all funds were returned by the Bancor security team.

UniCat’s allowances bug “meow” costs $140,000

For an example that did not end happily, we need to look back to the DeFi summer of 2020. 

Users were investing in UniCat, a Sushi-fork project that had its own token and offered a liquidity program with high APY and tons of reward tokens. The protocol was not innovative, as it used the same frontend as Sushiswap. At first glance, it seemed to have the same goals and ideas too. 

UniCat’s choice of $UNI tokens for use in its protocol was not accidental though. By this time, Uniswap had garnered a lot of praise from the DeFi community and was already well respected. Furthermore, Uniswap community members who had used Uniswap to make transactions were rewarded $UNI tokens. Therefore, there were quite a lot of DeFi users who had received $UNI for free and were likely to be less concerned about risking these rewards in new projects. UniCat’s team would have been well aware of this.

In terms of the UniCat process that any user would go through, they start by depositing $UNI tokens with the UniCat contract. As mentioned previously, this type of deposit requires approval. In the case of UniCat, this was an approval for unlimited allowances, which many users will not have noticed. If everything went as the user expected, they would farm the reward tokens for as long as they desired and then remove their tokens once they were ready to finish. 

Unfortunately for anyone involved in UniCat, they were rug-pulled when the owners of the protocol drained all $UNI tokens from the staking and LP contracts. 

The UniCat scam report via De.Fi’s REKT Database

Within the official UniCat Telegram group, the project team tried to justify these actions by suggesting it was caused by a security bug that allowed some attackers to selectively extract LP tokens. Furthermore, they said that this would result in users not being able to unstake funds because of the LP shortage.

Digging into the details of the scam a bit further, the UniCat smart contract had a setGovernance function that received addresses and data. All the project team needed to do was to set governance to the $UNI token address and to call the transferFrom function, with the senders being the users’ addresses and the receiver being the UniCat smart contract.

The key point to recognize is the UniCat contract, which was the caller of the transferFrom function, was allowed to spend an infinite amount of tokens. In this way, the UniCat saga demonstrates how accounts with infinite approval remain vulnerable as long as the approval has not been revoked or the account has not been completely abandoned.

In the end, the thieves within the developer team made off with 337.86 ETH. They used the Tornado Cash mixer to cover their tracks but you can still see the transactions they made through it here: https://etherscan.io/address/0x2b0d23b011ad8bf0774b20c04dc6832d8d02651c

Wallet permissions best practices

Increasingly, dapps do not switch on an unlimited allowance as a default setting because of the security issues that have occurred and the wariness with which the DeFi community views them. However, it is not the case that this is true across the board and users must be aware that this risky setting can still occur.

As a DeFi user

When you are using a dapp, you should ask yourself two key questions:

  1. Am I using this dapp multiple times?
  2. Have I done enough research to be able to trust this project?

If the answer to both these questions is a definite yes, there might be a case for enabling unlimited allowance. However, if the answer is no or you have some doubts, we highly recommend editing your permissions to establish a fixed limit, to protect yourself from unforeseen circumstances.

In the example below, you can see how to go about editing permissions to limit allowances. To do this, you should insert an integer (such as 1 USDT ($1) = 1000000 USDT) that corresponds with what is required by the smart contract.

custom metamask spend limit permission screen

To be clear, you should avoid unlimited allowances wherever possible. 

When interacting with a new dapp for the first time, you should do your own research and not approve more tokens than you feel comfortable risking.

As a dapp developer

Responsible dapp developers can and should play a role in preventing the issues that occur with unlimited allowances by taking their lead projects like Curve and 1nch.

Both projects allow users to choose whether to approve what they need to spend at the time or to approve a larger amount that allows them to make multiple transactions in the future.

Another way that developers can approach this problem is to use a new approval structure each time. However, it should be noted that this option may result in high transaction fees and an inconvenient user experience.

Using De.Fi to manage wallet permissions 

If you want to find the easiest way to avoid risky smart contract approvals and unlimited allowances, you need to use the De.Fi antivirus security suite: Scanner and Shield.

De.Fi Shield

Rather than having to manually review smart contract approvals, our Shield revoke wallet permissions tool gives you a complete overview of a wallet’s permissions with just a few clicks:

defi shield revoke tool

TRY SHIELD NOW

To use this tool, simply connect your wallet to the De.Fi DeFi dashboard and navigate to “Shield” from the main menu. There you’ll receive your full report with the permissions that are granted, their associated risk levels, and an option to revoke permissions individually or en masse. 

Shield is a crucial tool to protect you from situations where you have approved a dapp with unlimited approvals and are at risk of an unlimited amount of tokens being transferred from your address.

De.Fi Scanner

Scanner is adept at identifying risks associated with specific smart contract addresses before you interact with them. It acts as a free smart contract auditor providing users with a custom detailed report covering token governance, risk categorizations, specific exploit possibilities, honeypot risk, and an aggregate “DeFi score” to help you compare across contracts.

unibot scanner results page

TRY SCANNER NOW

If you are considering granting allowances to a smart contract but you’re not sure if the dapp’s reputation is strong enough, you can use Scanner to double-check that your instincts are not leading you astray.

More De.Fi tools to keep you safe

As DeFi security experts, we provide tools that empower everyone from complete newbies to experienced yield farmers, including the comprehensive audit database. In the Audit database, you can find all smart contract audits of DeFi projects that our team has access to. We also provide a history of DeFi hacks and scams via our REKT Database.

Finally, we highly recommend following our De.Fi Security Twitter account. This will ensure that you’re up-to-date on breaking news related to crypto exploits. Stay safe and protect your funds for the next bull run!

More from De.Fi Security

Is Rabby Wallet Safe? - DeFi Wallet Review

On that front, DeFi wallets are in high demand and Rabby Wallet is an option that's quickly gaining mindshare. But the fact of the matter is, Rabby is only one in a sea of wallet providers. Users must carefully weigh their options to know whether or not it's the right choice.

Is Rainbow Wallet Safe? - Crypto Wallet Review

In the rapidly expanding universe of web3 and decentralized finance (DeFi), selecting a reliable and secure wallet is crucial. Rainbow Wallet has emerged as a popular choice, especially for those new to the crypto world. 

© De.Fi. All rights reserved.