Revoking Token Approvals: How to Secure Your Crypto Assets

By The Fire Team

If you’ve been in web3 and/or the Ethereum ecosystem for a while, you’ve probably given a ton of dApps and platforms token approvals: The permission to move a certain token around for you. Token approvals are a common practice when interacting with smart contracts, but leaving approvals unchecked can pose risks to your assets. This article explores what token approvals are, when you should revoke them and how account abstraction makes revoking token approvals easier and safer.

1. What are Token Approvals in Web3?

On Ethereum, token approvals are permissions given to a smart contract which enable it to move a certain amount of tokens on your behalf. These are also called token allowances. They apply to all token types: 

  • ERC-20 fungible tokens like WETH
  • ERC-721 single edition NFTs like Bored Apes 
  • ERC-1155 multiple edition NFTs like adidas Originals: Into the Metaverse

These approvals are common in decentralized applications (dApps), such as decentralized exchanges, lending platforms, or yield farming protocols, where you need to approve a smart contract to use your tokens.

Here’s what that looks like when you use our Chrome extension to simulate transactions:

Ethereum transaction simulation showing token approval of USDC allowance to Aave lending protocol using the Fire Chrome extension

The same is true when it comes to trading NFTs: You give the smart contract permission to move the NFT to another wallet once it sells. 

Token approvals might look scary to beginners, but they’re just a manual version of what you do outside of web3 as well: If you give your money to a bank, you’re giving them approval to lend your money out to others or to invest it and earn a return. 

While banks bury these things in terms of service nobody reads, crypto makes this more transparent by giving those approvals manually.

But while you can’t revoke that access for a bank (except by closing your bank account), you can always revoke ERC-20 token approvals.

2. When Should I Revoke Token Approvals?

If you trust someone with the keys to your house and they abuse that trust, you’d take the keys back from them. The same is true in crypto with token approvals. You should consider revoking token approvals in the following situations:

  • You no longer interact with a dApp or protocol: If you've given approvals to a smart contract of a dApp or protocol you no longer use (or that has since shut down), it's prudent to revoke them to reduce any unnecessary risk.
  • The approved smart contract is not audited or trustworthy: If you’ve given allowances to a smart contract that turned out to be unsafe or untrustworthy, you should immediately revoke all token approvals.
  • You've given unlimited approvals: Many dApps ask for unlimited token approvals, which can be a significant risk, especially if the smart contract has a vulnerability. While unlimited approvals can be useful for some dApps, they also create a higher risk if the contract gets exploited.

Note: Many wallets make it hard to spot if you’re giving a token approval based on the wallet transaction pop-up. That’s why we created Fire - a free Chrome Extension that simulates all transactions and tells you exactly what’s leaving your wallet and what approvals you’re giving—before you sign the transaction. Install today and never sign something you don’t understand!
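
What a token approval looks like in the raw transaction data a wallet asks you to sign, as an added example (not code from this article or from Fire). It recognizes the standard ERC-20, ERC-721 and ERC-1155 approval functions by their 4-byte selectors and flags unlimited approvals and revocations; the sample calldata and spender address are constructed placeholders.

```javascript
// Added example: classify approval calldata before signing.
const MAX_UINT256 = (1n << 256n) - 1n;
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve",           // approve(address,uint256): ERC-20 and ERC-721
  "39509351": "increaseAllowance", // increaseAllowance(address,uint256): common ERC-20 extension
  "a22cb465": "setApprovalForAll", // setApprovalForAll(address,bool): ERC-721 and ERC-1155
};

function classifyApproval(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  const fn = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!fn) return { kind: "not-an-approval" };
  // Exactly two 32-byte ABI words follow the 4-byte selector; an address
  // occupies the low 20 bytes of its word, so the top 12 bytes must be zero.
  if (!/^[0-9a-f]{136}$/.test(hex) || !/^0{24}/.test(hex.slice(8, 72))) {
    return { kind: "malformed", fn };
  }
  const spender = "0x" + hex.slice(32, 72);
  const value = BigInt("0x" + hex.slice(72));
  if (fn === "setApprovalForAll") {
    if (value > 1n) return { kind: "malformed", fn };
    return { kind: value === 1n ? "operator-grant-all" : "operator-revoke", fn, spender };
  }
  if (fn === "increaseAllowance") return { kind: "allowance-increase", fn, spender, value };
  // approve(): calldata alone cannot tell ERC-20 from ERC-721, where the second
  // word is a token id and approving the zero address clears the approval.
  if (/^0x0{40}$/.test(spender)) return { kind: "nft-approval-cleared", fn, spender, value };
  // Zero is a revocation on ERC-20 (on ERC-721 it would approve token id 0).
  if (value === 0n) return { kind: "revoke", fn, spender, value };
  if (value === MAX_UINT256) return { kind: "unlimited", fn, spender, value };
  return { kind: "limited-amount-or-token-id", fn, spender, value };
}

// Constructed sample calldata; the spender address is a placeholder.
const SPENDER_WORD = "0".repeat(24) + "11".repeat(20);
const SAMPLES = {
  unlimited: "0x095ea7b3" + SPENDER_WORD + "f".repeat(64),
  revoke: "0x095ea7b3" + SPENDER_WORD + "0".repeat(64),
  nftOperator: "0xa22cb465" + SPENDER_WORD + "0".repeat(63) + "1",
  transfer: "0xa9059cbb" + SPENDER_WORD + "0".repeat(63) + "1",
};
for (const [label, data] of Object.entries(SAMPLES)) {
  console.log(label, "->", classifyApproval(data).kind);
}
```

Because `approve` has the same selector on ERC-20 and ERC-721 contracts, the token standard of the contract being called has to be known to interpret the second argument.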

3. How to Revoke Token Approvals

Found a token approval you want to remove? Here’s how: 

Revoke Token Approvals In Coinbase Wallet

In Coinbase Wallet, revoking token approvals involves interacting with the smart contract of the token:

  1. Open Coinbase Wallet and select settings on the bottom right tab.
  2. Click “token approvals”.
  3. Click on “revoke”.
  4. Confirm the transaction.

And that’s it! Your tokens will never be accessed by that smart contract again!

Revoke Token Approvals With MetaMask

Some wallets enable you to revoke token approvals right from within the wallet (specifically, smart contract wallets based on ERC-4337). So far, MetaMask doesn’t have a built-in feature to revoke token allowances. That’s why you need an external dApp to revoke approvals. The two most popular are revoke.cash and Etherscan.

Both support any Ethereum wallet that you connect to dApps with.

Revoke Token Approvals On Revoke.cash

Revoke.cash is a simple, popular tool to revoke token approvals. It supports almost all EVM wallets, including MetaMask, Rainbow and others:

  1. Navigate to Revoke.cash.
  2. Connect your wallet and choose MetaMask. 
  3. The tool will display all the smart contracts you've approved and the tokens they have access to.
  4. Click “revoke” on the right.
  5. Confirm the transaction in your wallet.

Revoking token approvals to OpenSea for NFTs on revoke.cash

Revoke Token Approvals On Etherscan

Etherscan is a block explorer that gives you all the details on a transaction. While its blockchain data can be complicated, revoking a token allowance isn’t: 

Revoke token approval on Etherscan

  1. On the menu in the top bar, hover over “more”.
  2. Find “token approvals” under “services” and click it.
  3. Click “connect to web3” next to the red dot.
  4. Connect your wallet.
  5. Filter your token approvals by ERC-20, ERC-721 or ERC-1155 tokens.
  6. Click “revoke” and confirm the transaction.

Here’s what a Fire transaction simulation of revoking token approvals looks like: 

Revoking token approvals on revoke.cash for Anti Collective NFT in Fire Chrome extension

While all of that’s easy enough when it’s one token on one smart contract, it gets laborious if you need to revoke approvals for many tokens. This is not just inconvenient; it can also be crucial to your safety:

Let’s say a smart contract which has multiple approvals gets exploited. The more time scammers have to move your assets, the more they can take. But if you could revoke all token approvals at once, you’re much more likely to stay safe, even when that worst case scenario actually happens. That might be reality soon:

4. How Account Abstraction Makes Revoking Simpler & Safer

One of the most revolutionary concepts in web3 is account abstraction. The innovation is based on ERC-4337 and gives wallets the powers of smart contracts. Among other things, this means wallets can autonomously do things you previously had to do manually. One of those is revoking all token approvals.

Batch Revoking Token Approvals with Account Abstraction

Account abstraction wallets can execute multiple transactions in one click. That means they could: 

  • Revoke all token approvals: If you want nobody to have access to any of your assets, you could push a single button and revoke all allowances. This might be a “nuclear option” but would ensure safety with a single button.
  • Revoke all approvals to a given smart contract: Right now, you can only revoke approvals one by one, even if a single smart contract has multiple approvals. Account abstraction would enable you to fully disconnect from a dApp by revoking ALL approvals it has.
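
The two batch options above come down to building one revocation call per outstanding approval and handing the list to the wallet. The following is an added example, not code from this article or from any wallet: the approval record shape and all addresses are constructed placeholders, and how a particular account abstraction wallet submits the resulting list as one batch is not shown.

```javascript
// Added example: build the calls a batch revoke would contain.
const word = (hex) => hex.padStart(64, "0"); // left-pad to one 32-byte ABI word
const addressWord = (addr) => {
  if (!/^0x[0-9a-fA-F]{40}$/.test(addr)) throw new Error("bad address: " + addr);
  return word(addr.slice(2).toLowerCase());
};

// One revocation call per approval record (the record shape is hypothetical).
function revokeCall(a) {
  addressWord(a.token); // validate the token contract address as well
  switch (a.type) {
    case "erc20": // approve(spender, 0) sets the allowance to zero
      return { to: a.token, data: "0x095ea7b3" + addressWord(a.spender) + word("0") };
    case "erc721-token": // approve(address(0), tokenId) clears a single-token approval
      return { to: a.token, data: "0x095ea7b3" + word("0") + word(BigInt(a.tokenId).toString(16)) };
    case "operator": // setApprovalForAll(operator, false) for ERC-721 and ERC-1155
      return { to: a.token, data: "0xa22cb465" + addressWord(a.spender) + word("0") };
    default:
      throw new Error("unknown approval type: " + a.type);
  }
}

// With no spender given this is the "revoke everything" case; with a spender
// it disconnects one contract from every token it was approved for.
function buildRevokeBatch(approvals, spender) {
  const wanted = spender && spender.toLowerCase();
  return approvals
    .filter((a) => !wanted || a.spender.toLowerCase() === wanted)
    .map(revokeCall);
}

// Constructed sample records; all addresses are placeholders.
const DAPP_A = "0x" + "aa".repeat(20), DAPP_B = "0x" + "bb".repeat(20);
const SAMPLE_APPROVALS = [
  { type: "erc20", token: "0x" + "01".repeat(20), spender: DAPP_A },
  { type: "operator", token: "0x" + "02".repeat(20), spender: DAPP_A },
  { type: "erc721-token", token: "0x" + "03".repeat(20), spender: DAPP_B, tokenId: "42" },
];
console.log(buildRevokeBatch(SAMPLE_APPROVALS, DAPP_A));
```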

To Summarize

While it’s an annoying topic, the importance of revoking token approvals should not be underestimated. By understanding what token approvals are, being aware of the instances in which they should be revoked, and knowing how to do so across different platforms, users can ensure the security of their assets. 

Thankfully, advancements like account abstraction in web3 technologies are making this process simpler and safer. 

As we continue to navigate and evolve in the crypto space, staying abreast of these developments is crucial. Keep a vigilant eye on your token approvals, exercise prudence, and leverage new technologies to safeguard your digital assets.