Blockchain smart contracts are essentially designed to automatically execute various transactions, such as asset swaps, validations, yield farming, and staking operations. However, smart contracts require your permission (in the form of token approvals) to accomplish such transactions.
Though necessary, these token approvals are not always safe. This is particularly the case for the approvals you give directly to protocol contracts. This vulnerability may be exploited by malicious DApps to steal tokens from your wallet.
Here’s everything you need to know about what token approvals entail, how they may be exploited to steal your tokens, and tips on how to spot a potential token approval scam.
Are Token Approvals Safe?
The token approvals you allow to your smart wallet are safe as you are the only one who can access the wallet. However, the approvals you give to protocol contracts directly are only safe if their underlying protocol is safe. If not, such approvals may expose you to various smart contract exploits.
What is a Token Approval?
A token approval is a permission you give a decentralised application (DApp) to interact with a specific token from your non-custodial wallet. A DApp can only interact with the tokens you have explicitly granted it permission for; it cannot reach into your wallet on its own. Instead, when it needs access, you will see a prompt asking you to approve the smart contract to interact with the token.
The token approval prompt may look a bit different on other wallets, but here are some details to look out for:
- DApp Name and URL – these are displayed at the top. Ensure that the app you want to approve is actually the one requesting approval.
- Smart Contract Address – if you are not certain whether the DApp is safe, copy this address and look it up on a block explorer like Etherscan. This will show you whether the contract has been flagged as a potential scam, as well as any suspicious activity linked to the DApp.
- Edit Permission – here, you can edit the token amount you would like the DApp to access. You could also set a custom spend limit if you so wish.
- Gas Fees – this is the amount you will be paying to validators to send your transaction to the blockchain.
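The prompt details above (the spender contract address and the amount in "Edit Permission") are exactly what an ERC-20 approval transaction encodes. As an added example that is not part of the original post, the following Python decodes the raw calldata of an `approve(address,uint256)` call so the two things worth checking can be read off before signing: whether the spender is the contract you expect, and whether the amount is the uncapped maximum. The selector `0x095ea7b3` is the real function selector of `approve(address,uint256)`; the addresses and amounts in the samples are constructed placeholders, and the `build_approve_calldata` helper exists only to produce those samples.

```python
# Added example (not from the original post): decode the calldata of an
# ERC-20 approve(address,uint256) call so the spender and amount can be
# verified before signing. The selector 0x095ea7b3 is the real keccak-256
# prefix of "approve(address,uint256)"; the sample addresses below are
# constructed placeholders, not real contracts.

APPROVE_SELECTOR = "095ea7b3"
UINT256_MAX = 2**256 - 1          # the "unlimited" amount most wallets show as infinity


def build_approve_calldata(spender: str, amount: int) -> str:
    """Construct approve(spender, amount) calldata (used here only to build samples)."""
    spender_word = spender.lower().removeprefix("0x").rjust(64, "0")   # address left-padded to 32 bytes
    amount_word = f"{amount:064x}"                                       # uint256 as 32 bytes
    return "0x" + APPROVE_SELECTOR + spender_word + amount_word


def decode_approve_calldata(calldata_hex: str) -> dict:
    """Parse approve(spender, amount) calldata into its components, rejecting anything else."""
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64:
        raise ValueError("unexpected calldata length for approve(address,uint256)")
    selector, spender_word, amount_word = data[:8], data[8:72], data[72:136]
    if selector != APPROVE_SELECTOR:
        raise ValueError(f"not an approve() call (selector 0x{selector})")
    # A 20-byte address occupies the low 20 bytes of the word; the top 12 bytes must be zero.
    if spender_word[:24] != "0" * 24:
        raise ValueError("malformed address word (non-zero padding)")
    return {"spender": "0x" + spender_word[24:], "amount": int(amount_word, 16)}


def assess_approval(calldata_hex: str, expected_spender: str, token_decimals: int = 18) -> dict:
    """Flag the two risks the prompt should be checked for: wrong spender, uncapped amount."""
    parsed = decode_approve_calldata(calldata_hex)
    unlimited = parsed["amount"] == UINT256_MAX
    return {
        "spender": parsed["spender"],
        "spender_matches_expected": parsed["spender"] == expected_spender.lower(),
        "unlimited": unlimited,
        # Human-readable amount in whole tokens; None when the approval is uncapped.
        "human_amount": None if unlimited else parsed["amount"] / 10**token_decimals,
    }


# Constructed samples: one uncapped approval to the expected spender, one capped
# approval (100 tokens with 18 decimals) to a different contract than expected.
EXPECTED_DAPP = "0x1111111111111111111111111111111111111111"   # placeholder
OTHER_CONTRACT = "0x2222222222222222222222222222222222222222"  # placeholder
SAMPLE_UNLIMITED = build_approve_calldata(EXPECTED_DAPP, UINT256_MAX)
SAMPLE_LIMITED = build_approve_calldata(OTHER_CONTRACT, 100 * 10**18)

if __name__ == "__main__":
    print(assess_approval(SAMPLE_UNLIMITED, EXPECTED_DAPP))
    print(assess_approval(SAMPLE_LIMITED, EXPECTED_DAPP))
```

In practice the calldata comes from the wallet's transaction details ("hex data") view; a spender that does not match the contract the DApp publishes, or an amount equal to the uint256 maximum when the transaction only needs a small sum, is the signal to edit the permission or decline.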
How can token approvals be harmful?
Exploits, scams, and fatal code errors are just some of the risks associated with using decentralised finance (DeFi) platforms. Attackers may also abuse smart contracts, and in particular the token approvals granted to them, to drain tokens from your smart wallet.
As a matter of fact, token approvals are a rather common attack vector for blockchain scams. DApps are required to specify how many tokens they seek to access, but this information is not always displayed clearly. As such, approval requests range from specific, limited amounts to completely uncapped values.
The request for unlimited access is not in itself a red flag, as reputable platforms, including major decentralised exchanges (DEXs), are known to do this. They ask for unlimited access to spare you the trouble of having to re-approve every now and then. However, some DApps request unlimited access just to steal your tokens later on, as explained below.
What Risks do unlimited token approvals pose?
Unlimited token approval is when a DApp requests access to far more tokens than are necessary for the current transaction. A good example is when a DApp, say Uniswap, requests access to 1.1559 tokens.
While many legitimate DApps are known to ask for access to unlimited tokens, malicious platforms may exploit such approvals to steal your tokens. Once you’ve granted a malicious DApp unlimited access to your tokens, it can come back later and drain your wallet without your knowledge.
To avoid such an unfortunate eventuality, due diligence is advised whenever you are dealing with a new DApp.
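To make concrete why an unlimited approval lets a spender "come back later", here is an added example (not part of the original post) that models the ERC-20 allowance rules in memory: `approve` sets how much a spender may move on the owner's behalf, `transferFrom` spends against that allowance, and, as most token implementations do, an allowance equal to the uint256 maximum is treated as infinite and never decremented. It also shows the revocation step mentioned at the end of the page: resetting the allowance to zero is itself just an `approve` with amount 0. The account names and balances are constructed.

```python
# Added example (not from the original post): a minimal in-memory model of the
# ERC-20 allowance mechanism showing why an uncapped approval is risky and why
# revoking it (approve with amount 0) stops further spending. Account names
# and balances are constructed placeholders; the rules follow ERC-20.

UINT256_MAX = 2**256 - 1


class Token:
    """Just enough of an ERC-20 token to exercise approve/transferFrom."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.allowance = {}   # (owner, spender) -> remaining amount the spender may move

    def approve(self, owner: str, spender: str, amount: int) -> None:
        # approve() overwrites the allowance; amount 0 is how an approval is revoked.
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender: str, owner: str, to: str, amount: int) -> None:
        remaining = self.allowance.get((owner, spender), 0)
        if remaining < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        # Common implementation detail: the maximum value is treated as "infinite"
        # and is not reduced, so one approval covers every future transferFrom.
        if remaining != UINT256_MAX:
            self.allowance[(owner, spender)] = remaining - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def tokens_pulled_after_intended_use(approved_amount: int) -> int:
    """Owner holds 1000 tokens, approves `approved_amount` to a DApp contract and uses
    it for one intended 100-token operation. Returns how many additional tokens the
    same spender can then move without any new approval prompt to the owner."""
    token = Token({"owner": 1000})
    token.approve("owner", "dapp", approved_amount)
    token.transfer_from("dapp", "owner", "dapp", 100)     # the swap the user actually wanted
    pulled = 0
    while True:                                            # later calls, no user interaction
        try:
            token.transfer_from("dapp", "owner", "dapp", 100)
            pulled += 100
        except (PermissionError, ValueError):              # allowance or balance exhausted
            return pulled


def revoke_then_attempt() -> bool:
    """Grant an unlimited approval, revoke it, and confirm the spender is blocked."""
    token = Token({"owner": 1000})
    token.approve("owner", "dapp", UINT256_MAX)
    token.approve("owner", "dapp", 0)                      # revocation
    try:
        token.transfer_from("dapp", "owner", "dapp", 1)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print("exact approval, extra tokens pulled:", tokens_pulled_after_intended_use(100))
    print("300-token approval, extra tokens pulled:", tokens_pulled_after_intended_use(300))
    print("unlimited approval, extra tokens pulled:", tokens_pulled_after_intended_use(UINT256_MAX))
    print("spender blocked after revocation:", revoke_then_attempt())
```

The comparison is the point: an approval sized to the transaction leaves nothing for the spender to take afterwards, a larger cap bounds the loss to the unused remainder, and an uncapped approval bounds it only by the wallet balance until the allowance is set back to zero.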
How Can You Stay Safe While Granting Token Approvals?
Before confirming the token approval request for any smart contract, you should check a few things to assess the potential risk—regardless of the token quantity in question. You should do your own research (DYOR) to establish whether a token approval request is safe or not before granting it permission.
To this end, here are a few tips to point you in the right direction:
- How well-known is the project? – it is safer to only approve token approval requests from reputable DApps. If the project is new to you, check what you are consenting to before approving the request.
- How Old is the Project – do not grant unlimited access to relatively new DApps.
- Does the DApp have an Active Community? – reputable DApps tend to have an active community channel on Telegram, Discord, or Twitter. If the DApp requesting approval doesn’t have such a channel, you may want to research it further before permitting it to access your tokens.
- Are the developers publicly reachable? – check to see whether its developers or owners are reachable on the channels they have provided, often Twitter or Discord.
- Has the DApp had a security breach before? – research a bit to find out whether the DApp has experienced any security breach recently. If so, it is best to steer clear of it or edit the permission accordingly.
- Has it Been Audited by a Third Party? – Smart contracts that have undergone a third-party smart contract audit are thought to be safer.
- Use a Block Explorer to Check the Contract Address – if you don’t know much about the smart contract requesting a token approval, it is advisable to check it on a block explorer. Copy the contract address from the token approval prompt and search for it on a block explorer like Etherscan. This will show you whether the contract or DApp has been flagged for fraudulent activity before.
Here’s an example of a smart contract that has been flagged as malicious.
Token approvals are an important aspect of Web3 interactions. Granting a smart contract a token approval gives it permission to view and spend your wallet balance. Whether or not this is safe mainly depends on the safety of the contract’s underlying protocol.
Malicious DApps and fraudulent smart contracts can exploit this to drain tokens from your smart wallet. As a result, due diligence is advised whenever you are confirming token approval requests.
If you are looking to revoke any token approvals in your crypto wallet, why not try out our Token Approval tool?
You can revoke access to any smart contract across 10 EVM-compatible networks.