What is Permit2? - Contract Guide + How to Revoke
A smart contract originally conceived by Uniswap, Permit2 manages the approval of token transfers via gasless signatures.
Users love the world of DeFi because it unlocks the potential of permissionless finance. Traditional centralized financial institutions operate in a world of walled gardens. All funds are siloed within individual banks and financial institutions, and interactions between these institutions can be time-consuming and frustrating. If you’ve ever had to wait an entire weekend to get your money from one bank to another, you know what we’re talking about.
DeFi is different because instead of every service provider operating their own independent financial ledger, all transactions are conducted on the shared ledger of blockchain networks. No matter whether you’re yield farming on Uniswap, sending stablecoins to a friend with MetaMask, or lending crypto assets on Aave, all transactions are taking place seamlessly on the same blockchains.
This is fantastic for creating seamless interactions between various dapps, smart contracts, and wallets, allowing users to explore limitless combinations of new and creative ways to utilize their financial assets.
However, with great power comes great responsibility. To enable this interoperability, DeFi relies on widely accepted standards that are as simple as they are powerful. Users can create a DeFi wallet and start trading significant capital across different dapps with only a few clicks. But this ease of use also means that if they make a mistake, their funds can be permanently lost.
DeFi applications (dapps) use smart contracts to manage their interactions with user wallets. Those smart contracts, in turn, must be granted permission to move funds out of a user’s wallet before they can do their job. Granting this permission is done via token approvals.
In today’s blog, we’ll be discussing this simple technical concept and why an understanding of how to manage token approvals is essential to keeping your crypto assets safe.
Token approvals govern which of the crypto assets in your wallet a given smart contract is allowed to move, and how much. You grant one by signing, from the wallet that holds the tokens, the specific approval request that the dapp you want to use presents to you.
In the screenshot below, you can see the process of granting a token approval for the Uniswap dapp to interact with the USDT stablecoin stored within a MetaMask wallet. This token approval uses a specific custom spending cap as well:
While token approvals are mainly used for managing ERC-20 permissions, keep in mind that ERC-721 and ERC-1155 NFT token standard approvals are also common.
How does this work from a technical perspective? Let’s say you are about to deposit USDC into a vault. A typical deposit function transfers the staking token from your balance to a strategy bound to the vault so that yield can be generated on the deposited amount. The vault does this by calling transferFrom(), a function that every token implementing the ERC-20 standard has:
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/ERC20.sol
But only a spender you have approved can transfer tokens out of your balance. Thus, before depositing, swapping, lending, placing buy/sell orders, or calling any other function that should move your tokens to a particular target, you have to call approve() on the token contract, naming the spender and the amount it may move.
See the approve() call within the Solidity code below:
https://etherscan.io/address/0xa2327a938febf5fec13bacfb16ae10ecbc4cbdcf#code
In the code above, owner is the account that calls approve(), i.e. your address, and spender is the dapp contract that will call transferFrom() later on, when you call deposit().
To manually check whether you have approved a contract to spend your tokens, open the Read Contract section of the ERC-20 token contract on Etherscan (Read as Proxy for upgradeable tokens such as USDC), then enter your address as owner and the dapp contract address as spender in the allowance view function. It returns the remaining approved amount in the token’s smallest unit, so divide by 10^decimals (6 for USDC) to get a human-readable figure:
https://etherscan.io/token/0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48#readProxyContract
Now you can see that a contract you have approved for a token can move your balance of that token without any further action from you, up to the approved amount (or your whole balance, if the approval is unlimited).
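To make the mechanics above concrete, here is an added Python model of the approve / allowance / transferFrom rules. It is written for this post and is not code from De.Fi or from OpenZeppelin’s ERC20.sol, but it follows OpenZeppelin’s behaviour that transferFrom() decrements a finite allowance and leaves an unlimited one (2**256 - 1) untouched. The Token, Vault and Strategy names, the deposit() flow, the two scenario functions and the balances are all constructed for the example:

```python
"""Minimal model of ERC-20 approve / allowance / transferFrom semantics.

Added illustration, not code from the De.Fi post or from OpenZeppelin.
It mirrors the allowance rules of OpenZeppelin's ERC20.sol: transferFrom
spends the caller's allowance, except that an "unlimited" allowance
(2**256 - 1) is never decremented. Names (Token, Vault, "strategy",
deposit) and all amounts are constructed for the example.
"""

UNLIMITED = 2**256 - 1  # type(uint256).max, what an "unlimited approval" sets


class Revert(Exception):
    """Stands in for a Solidity revert."""


class Token:
    """In-memory ERC-20: balances plus the allowance[owner][spender] table."""

    def __init__(self, initial: dict[str, int]):
        self.balances = dict(initial)
        self.allowance: dict[tuple[str, str], int] = {}

    def approve(self, owner: str, spender: str, amount: int) -> None:
        # approve() is sent by the owner; it overwrites the allowance, never adds.
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller: str, src: str, dst: str, amount: int) -> None:
        # Only a spender with sufficient allowance may move src's tokens.
        current = self.allowance.get((src, caller), 0)
        if current != UNLIMITED:          # OpenZeppelin skips the decrement for max
            if current < amount:
                raise Revert("ERC20InsufficientAllowance")
            self.allowance[(src, caller)] = current - amount
        if self.balances.get(src, 0) < amount:
            raise Revert("ERC20InsufficientBalance")
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class Vault:
    """Hypothetical dapp contract: deposit() pulls the staking token into a strategy."""

    def __init__(self, address: str, token: Token, strategy: str):
        self.address, self.token, self.strategy = address, token, strategy

    def deposit(self, user: str, amount: int) -> None:
        # The vault is msg.sender of transferFrom, so it needs the user's approval.
        self.token.transfer_from(self.address, user, self.strategy, amount)


def exact_approval_flow() -> tuple[int, int]:
    """Approve exactly what the deposit needs: the allowance is consumed to 0."""
    usdc = Token({"alice": 1_000})
    vault = Vault("vault", usdc, "strategy")
    try:
        vault.deposit("alice", 100)       # no approval yet -> reverts
    except Revert:
        pass
    usdc.approve("alice", "vault", 100)
    vault.deposit("alice", 100)
    return usdc.balances["alice"], usdc.allowance[("alice", "vault")]


def unlimited_approval_drain() -> tuple[int, int, int]:
    """An unlimited allowance survives use; a compromised spender drains the rest."""
    usdc = Token({"alice": 1_000})
    vault = Vault("vault", usdc, "strategy")
    usdc.approve("alice", "vault", UNLIMITED)
    vault.deposit("alice", 100)
    left_after_deposit = usdc.allowance[("alice", "vault")]   # still UNLIMITED
    # The vault is later exploited and made to call transferFrom for everything left.
    usdc.transfer_from("vault", "alice", "attacker", usdc.balances["alice"])
    drained = usdc.balances["attacker"]
    # Revoke = approve(spender, 0); any further pull now reverts.
    usdc.approve("alice", "vault", 0)
    try:
        usdc.transfer_from("vault", "alice", "attacker", 1)
    except Revert:
        pass
    return left_after_deposit, drained, usdc.balances["alice"]


if __name__ == "__main__":
    print(exact_approval_flow())         # (900, 0)
    print(unlimited_approval_drain())    # (UNLIMITED, 900, 0)
```

exact_approval_flow() returns (900, 0): the deposit reverts until an approval exists, then succeeds and uses up the exact allowance. unlimited_approval_drain() is the reason the spending cap matters: after one 100-token deposit the allowance is still unlimited, so a spender that later turns hostile can move the remaining 900 in a single transferFrom(), and only approve(spender, 0) stops it.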
The risks of token approvals come down to two trust assumptions you make about the spender contract: that it is not malicious, and that it will not be compromised later while your allowance is still in place.
While token approvals are a completely normal action to take within DeFi, they can be extremely dangerous in the wrong hands, which is why they are a primary attack vector for crypto phishing scams. If you’ve approved a malicious contract as an unlimited spender of a token, your entire balance of that token can be transferred out in the very next block after the approval is confirmed.
There are also scenarios where, even though you have granted an approval to a legitimate smart contract, your funds are still at risk of approval abuse. If a contract you have interacted with before has a vulnerability and is exploited, the attacker may find a way to make it call transferFrom() against every user who has granted it an approval, up to each user’s remaining allowance.
This is especially dangerous because many dapps request unlimited approvals so that users do not have to call approve() again before every interaction. That saves gas, but it leaves users exposed to that spender indefinitely.
It’s a best practice to keep a token approval in place only as long as you need it for the transactions you are conducting. Once they are completed, consider revoking it: a revoke is simply another approve() call that sets the spender’s allowance back to zero (approve(spender, 0)), so it costs a normal transaction fee.
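Checking an allowance by hand on Etherscan (the allowance view described earlier) and deciding whether to sign an approval request both come down to reading raw ABI calldata. The following Python helpers are an added example for this post, not code from De.Fi or from any wallet: they encode and decode the standard ERC-20 approve and allowance calls using the function selectors every ERC-20 token shares, flag an unlimited spending cap before you sign, and produce the approve(spender, 0) calldata that a revoke sends. The addresses and the trusted-spender set are constructed placeholders. To use it against a live token you would pass the encode_allowance_call() output as the data of an eth_call to the token contract (for example USDC at the address linked above) and feed the 32-byte result to decode_uint256():

```python
"""ABI helpers for inspecting and producing ERC-20 approval calldata.

Added example, not code from the De.Fi post. It uses only the standard
ERC-20 function selectors (first 4 bytes of keccak256 of the signature,
hard-coded here so no keccak library is needed) and the ABI rule that
every static argument is left-padded to 32 bytes. The addresses below are
constructed placeholders, and the "trusted spender" set is something you
maintain yourself; nothing here touches the network.
"""

SELECTORS = {
    "approve(address,uint256)": "095ea7b3",
    "allowance(address,address)": "dd62ed3e",
    "transferFrom(address,address,uint256)": "23b872dd",
}
UNLIMITED = 2**256 - 1  # type(uint256).max: the "unlimited" spending cap


def _strip0x(h: str) -> str:
    return h[2:] if h.lower().startswith("0x") else h


def _addr(address: str) -> bytes:
    raw = bytes.fromhex(_strip0x(address))
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return bytes(12) + raw            # 20-byte address, left-padded to 32 bytes


def _uint(n: int) -> bytes:
    if not 0 <= n <= UNLIMITED:
        raise ValueError("uint256 out of range")
    return n.to_bytes(32, "big")


def encode_approve(spender: str, amount: int) -> str:
    """Calldata your wallet asks you to sign for approve(spender, amount)."""
    return "0x" + SELECTORS["approve(address,uint256)"] + (_addr(spender) + _uint(amount)).hex()


def encode_allowance_call(owner: str, spender: str) -> str:
    """Calldata for an eth_call to allowance(owner, spender) on the token contract."""
    return "0x" + SELECTORS["allowance(address,address)"] + (_addr(owner) + _addr(spender)).hex()


def decode_uint256(return_data: str) -> int:
    """Decode the single 32-byte uint256 that allowance() or balanceOf() return."""
    raw = bytes.fromhex(_strip0x(return_data))
    if len(raw) != 32:
        raise ValueError("expected exactly 32 bytes of return data")
    return int.from_bytes(raw, "big")


def decode_approve(calldata: str) -> tuple[str, int]:
    """Recover (spender, amount) from approve() calldata; reject anything else."""
    raw = bytes.fromhex(_strip0x(calldata))
    if raw[:4].hex() != SELECTORS["approve(address,uint256)"] or len(raw) != 4 + 64:
        raise ValueError("not a well-formed approve(address,uint256) call")
    spender = "0x" + raw[4 + 12:4 + 32].hex()
    amount = int.from_bytes(raw[4 + 32:4 + 64], "big")
    return spender, amount


def revoke_calldata(spender: str) -> str:
    """A revoke is just approve(spender, 0): the spender's allowance becomes 0."""
    return encode_approve(spender, 0)


def assess_approval(calldata: str, trusted_spenders: set[str]) -> dict:
    """Pre-signing check: who receives the allowance and whether it is unlimited."""
    spender, amount = decode_approve(calldata)
    unlimited = amount == UNLIMITED
    trusted = spender.lower() in {s.lower() for s in trusted_spenders}
    if not trusted:
        verdict = "REJECT: spender is not a contract you chose to interact with"
    elif unlimited:
        verdict = "WARN: unlimited cap; prefer an exact amount and revoke afterwards"
    else:
        verdict = "OK: bounded approval to a known spender"
    return {"spender": spender, "amount": amount, "unlimited": unlimited, "verdict": verdict}


if __name__ == "__main__":
    vault = "0x" + "11" * 20      # placeholder: the dapp contract you meant to approve
    drainer = "0x" + "ee" * 20    # placeholder: an address a phishing site slips in
    cap = 100 * 10**6             # 100 USDC in its smallest unit (USDC has 6 decimals)
    for cd in (encode_approve(vault, cap), encode_approve(drainer, UNLIMITED)):
        print(assess_approval(cd, {vault}))
    print(encode_allowance_call("0x" + "aa" * 20, vault))
    print(revoke_calldata(vault))
```

Amounts are always in the token’s smallest unit, which is why the sample uses 100 * 10**6 for 100 USDC. A decoded amount equal to 2**256 - 1 is what an "unlimited" spending cap typically encodes, so that is the value to look for in the hex data a wallet shows before you confirm.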
As part of our De.Fi DeFi portfolio tracker SuperApp, we make it easy to efficiently monitor and revoke the permissions your wallet may have. Our De.Fi Shield revoke permissions tool is the perfect accessory for safety-conscious crypto traders.
Sample De.Fi Shield wallet analysis
To get started, simply navigate to https://de.fi/shield and connect your web3 wallet to the De.Fi app. Once connected, Shield automatically runs an analysis of 100+ security detectors for each contract, token, and NFT approval. It will then identify all high-risk tokens and smart contracts and provide a detailed description of potential risks. The whole process happens in only a few seconds.
Once high-risk contracts are identified, you have the opportunity to revoke them one by one or to revoke them all at once:
Choosing to revoke will trigger a pop-up that confirms the action and provides approximate gas fee data for the task:
Hitting “Revoke” once again will then trigger an approval process within your web3 wallet. In this example, we’re using MetaMask:
Once these transactions are approved, you’re all set! De.Fi Shield will update with your new and improved wallet health score free of risky token approvals:
Ready to get started auditing and securing your onchain assets? Head to https://de.fi/shield to run your first scan.
While it is critical to monitor and maintain your wallet’s token approvals, we also recommend being vigilant and ensuring you don’t interact with risky contracts in the first place. With this in mind, we offer De.Fi Scanner, the most comprehensive free smart contract scanner in web3.
DeFi users leverage Scanner to run automated audits on projects, tokens, NFTs, or even liquidity pool contract addresses. Simply enter the contract address you would like to analyze and Scanner will produce a security report in a matter of minutes highlighting any potential risk issues you should be aware of.
Users can also freely access a treasure trove of security analysis via our Audit Database. It’s web3’s largest database of DeFi project audits with over 9000 security reports from blockchain experts. If you’re considering interacting with a DeFi protocol, chances are you can find a security report within our database.
For the latest security news, don’t forget to follow our De.Fi Security X profile. We’ll keep you notified of any security incidents as they happen, giving you the time you need to respond appropriately. Educate yourself and stay safe with De.Fi!
© De.Fi. All rights reserved.