
Token Approvals: How They Work and How to Stay Safe

By The Fire Team
[Image: Token approvals: how they work, why you need them, and how to stay safe]

If you’ve ever listed an NFT for sale, swapped on Uniswap, provided liquidity on Aave or done anything else in web3, you’ve seen the pop-up: “Allow this website to transfer this NFT?” Many people sign these approvals without reading them. They trust the website, so they sign whatever it suggests. But when they sign the wrong thing on the wrong website, they discover that they have given scammers access to their funds and frantically try to revoke their token approvals.

Token approvals power many web3 technologies like DeFi, NFT trading, yield farming and more.

At their core, they allow smart contracts and dApps to access and transfer funds from your Ethereum wallet. It’s like giving someone a key to your car and telling them they can take it whenever they need it. This makes lending your car easy: You skip the constant negotiating and simply give them access. But if you hand the wrong person the key, you no longer have a car.

[Image: Ethereum transaction simulation showing an infinite token approval to Uniswap and an estimated gas fee of 3.93 USD]

Token approvals are the same: They make web3 convenient, but many scams rely on getting a hasty approval. To protect your assets, it’s important to understand how token approvals work and to follow a few safety measures.

Why We Need Token Approvals

Token approvals let you keep control over your assets while allowing apps to operate without friction. If you give Uniswap permission to move your USDC stablecoins for a swap to ETH, you allow the smart contract to move the USDC to itself, after which the smart contract sends you ETH.

Uniswap needs this ERC-20 token approval to function. If Uniswap didn’t get these approvals, you’d have to manually send tokens to the contract’s address for each swap, which would make the process less efficient. The same is true for NFT marketplaces like OpenSea: When someone buys your NFT, the smart contract needs to be able to move the NFT to the buyer’s wallet.
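To make the mechanism concrete, here is an added, self-contained model of the ERC-20 allowance flow (example code written for this article, not Uniswap’s or any real token’s contract). It shows the three things the text describes: an exact approval that is used up by the swap, an unlimited approval that stays open after every pull, and a revocation via approve(spender, 0). The rule that an unlimited allowance is not decremented follows the OpenZeppelin ERC-20 convention; the names “alice”, “router” and “drainer” are constructed placeholders.

```python
# Added illustrative model of ERC-20 approve / allowance / transferFrom.
# Not Uniswap's or any real token's code; the "unlimited allowance is not
# decremented" rule mirrors the OpenZeppelin ERC-20 convention.

MAX_UINT256 = 2**256 - 1   # the value wallets show as "unlimited" / "infinite"


class Token:
    """Minimal in-memory ERC-20-style ledger: balances plus allowances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> amount the spender may pull

    def approve(self, owner, spender, amount):
        # approve() overwrites the previous allowance; approve(spender, 0) revokes it.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        """Called by the spender (e.g. a router contract) to pull tokens from owner."""
        allowed = self.allowance(owner, spender)
        if amount > allowed:
            raise PermissionError("insufficient allowance")
        if amount > self.balances.get(owner, 0):
            raise ValueError("insufficient balance")
        if allowed != MAX_UINT256:          # unlimited allowances are never used up
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exact_approval_swap():
    """User approves the router for exactly 100 tokens; after the swap nothing is left."""
    usdc = Token({"alice": 1_000})
    usdc.approve("alice", "router", 100)
    usdc.transfer_from("router", "alice", "router", 100)
    return usdc.allowance("alice", "router"), usdc.balances["alice"]   # (0, 900)


def unlimited_approval_then_drain():
    """Unlimited approval: the spender keeps full access after every pull."""
    usdc = Token({"alice": 1_000})
    usdc.approve("alice", "drainer", MAX_UINT256)
    usdc.transfer_from("drainer", "alice", "drainer", 100)
    still_unlimited = usdc.allowance("alice", "drainer") == MAX_UINT256
    usdc.transfer_from("drainer", "alice", "drainer", 900)   # the rest of the balance
    return still_unlimited, usdc.balances["alice"]           # (True, 0)


def revoke_stops_spender():
    """approve(spender, 0) closes the door before the spender uses it."""
    usdc = Token({"alice": 1_000})
    usdc.approve("alice", "drainer", MAX_UINT256)
    usdc.approve("alice", "drainer", 0)   # revoke
    try:
        usdc.transfer_from("drainer", "alice", "drainer", 1)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("exact approval:", exact_approval_swap())
    print("unlimited approval:", unlimited_approval_then_drain())
    print("revoked approval blocks transfer:", revoke_stops_spender())
```

The point to take from the model: an exact allowance is consumed by the one transfer it was granted for, while an unlimited one remains at its maximum no matter how much has already been moved, which is why it can be used at any later time until it is explicitly set back to zero.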

[Image: quote: token allowances make web3 function, but also enable bad actors to create crypto phishing attacks and scams]


How Token Approvals Enable Scams

Approvals (also called token allowances) make web3 function. But giving others permission to move your assets also enables phishing attacks and scams. That’s why most web3 scams try to obtain token approvals: with them, the scammer can move everything to their own wallet.

Here’s what that usually looks like:

[Image: crypto scam tweet with pointers to red flags for buying an ERC-20 scam token]

First off, you might see an attractive opportunity on Twitter or Discord. It might be a new ERC-20 token, an airdrop, or a surprise NFT mint. These offers can be exciting, but they’re usually the bait in a scammer’s trap.

After connecting your wallet, you'll be asked to approve your wallet to interact with a specific smart contract. Now, this isn't necessarily a red flag. As we said, many legitimate DeFi applications require such approvals. But here's where it gets tricky.

The scammers will ask for "unlimited" approval. This means that their smart contract can move as many tokens as it wants from your wallet. So while Uniswap only needs access to your USDC, a scam will usually request access to every token in your wallet.

This unlimited token approval is like giving someone unrestricted access to your bank account. Legitimate apps, on the other hand, will ask for just enough tokens for the specific transaction, or they'll set a reasonable limit.

Once you've given unlimited approval, the scammers can drain your wallet of the approved tokens at any time, up to your full balance. And just like that, your crypto is gone. If you use Fire, this is how our extension warns you of infinite token approvals:

[Image: Fire extension screenshot of an Ethereum transaction the user should reject because it is likely a token approval scam]

So, what can you do to protect yourself? Here are a few tips:

  1. Stay Informed: Knowledge is your best defense. Understand how scams work and keep up with the latest techniques scammers are using.
  2. Be Skeptical: If an offer sounds too good to be true, it probably is. Be cautious and do your due diligence.
  3. Limit Approvals: When approving transactions, set a limit that's reasonable for what you're trying to do. Don't give unlimited access unless you have a good reason to do so and you trust the other party implicitly.
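The warning shown above and tip 3 both come down to reading the approval before it is signed. The following added example (written for this article, not Fire’s code) decodes the calldata of a pending transaction and classifies it the way a simulator would: an ERC-20 approve() for 2**256 - 1 is flagged as unlimited, an ERC-721 setApprovalForAll(operator, true) is flagged as covering every NFT in the collection, and a bounded amount is reported as limited. The two function selectors are the real ones; the “effectively unlimited” threshold, the placeholder spender addresses and the sample transactions are constructed for the example.

```python
# Added example, not Fire's code: decode approval calldata and flag the
# patterns a user should look at before signing.

MAX_UINT256 = 2**256 - 1
# Assumption for this example: anything this large is treated as unlimited,
# since no real token supply comes anywhere near it in base units.
EFFECTIVELY_UNLIMITED = 2**128

SEL_APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)


def _word(data, index):
    """Return the index-th 32-byte ABI word that follows the 4-byte selector."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError("calldata too short for argument %d" % index)
    return word


def review_approval(calldata_hex, owner_balance=None):
    """Classify a transaction's calldata. 'warn' is True for unlimited ERC-20
    approvals and for ERC-721 all-tokens approvals; owner_balance (base units)
    is optional context used to spot approvals larger than what you hold."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    selector = data[:4]

    if selector == SEL_APPROVE:
        spender = "0x" + _word(data, 0)[12:].hex()   # address = low 20 bytes of the word
        amount = int.from_bytes(_word(data, 1), "big")
        if amount == 0:
            kind = "revoke"
        elif amount == MAX_UINT256 or amount >= EFFECTIVELY_UNLIMITED:
            kind = "unlimited"
        elif owner_balance is not None and amount > owner_balance:
            kind = "more-than-balance"
        else:
            kind = "limited"
        return {"standard": "ERC-20", "function": "approve", "spender": spender,
                "amount": amount, "kind": kind, "warn": kind == "unlimited"}

    if selector == SEL_SET_APPROVAL_FOR_ALL:
        operator = "0x" + _word(data, 0)[12:].hex()
        approved = int.from_bytes(_word(data, 1), "big") != 0
        kind = "all-tokens" if approved else "revoke"
        return {"standard": "ERC-721", "function": "setApprovalForAll",
                "spender": operator, "kind": kind, "warn": approved}

    return {"standard": None, "function": "unknown", "kind": "not-an-approval",
            "warn": False}


# Constructed sample calldata with placeholder addresses (not real contracts).
SPENDER_A = "11" * 20
SPENDER_B = "22" * 20
OPERATOR_C = "33" * 20
SAMPLES = {
    # Swap-style approval: exactly 100 USDC (6 decimals) for one spender.
    "limited": "0x095ea7b3" + "00" * 12 + SPENDER_A + (100_000_000).to_bytes(32, "big").hex(),
    # The pattern scams ask for: 2**256 - 1, i.e. everything, forever.
    "unlimited": "0x095ea7b3" + "00" * 12 + SPENDER_B + "ff" * 32,
    # Revocation: approve(spender, 0).
    "revoke": "0x095ea7b3" + "00" * 12 + SPENDER_B + "00" * 32,
    # Marketplace or scam: the operator may move every NFT in the collection.
    "nft_all": "0xa22cb465" + "00" * 12 + OPERATOR_C + "00" * 31 + "01",
}

if __name__ == "__main__":
    for name, calldata in SAMPLES.items():
        result = review_approval(calldata, owner_balance=250_000_000)
        print(f"{name:10s} -> {result['kind']:17s} warn={result['warn']}")
```

Note that a bounded approval can still be larger than your balance; the example reports that as “more-than-balance” rather than a hard warning, since some legitimate apps round the allowance up, but it is worth a second look before signing.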

Those are useful, but they’re rarely enough to stay completely safe. Especially when you’re excited or FOMOing, it’s easy to skip these steps to get the transaction done quickly. That’s why we’ve built a transaction simulator that helps you know exactly what you’re signing.

Keeping Your Digital Assets Secure

It’s unfortunate, but true: In the crypto world, scams are around every corner. That’s why securing your NFTs and ERC-20 tokens is crucial. A hardware wallet and the Fire extension help, but it’s just as important to know that you can revoke token approvals.

If you realize you signed an approval on the wrong website, there might still be time. If the bad actor plans to take your assets manually rather than immediately, you can still revoke the token approvals before they do. This is like taking the car key back after realizing you gave it to the wrong person.

After revoking, the smart contract has no more access to your assets. If none have left your wallet (yet), you can make sure they never will.

How to Revoke Token Approvals

While we also have a detailed guide on revoking Ethereum token approvals, what follows is a short summary:

To revoke approvals, first identify which dApps have permission and what they use it for. We’ve built an easy way to do this in Fire. If you’ve already installed our extension, click “approvals” at the bottom to see all of your approvals, grouped into ERC-721 approvals and ERC-20 approvals.

When you click on any token, you’ll see exactly which website has access to your tokens. Once you click “view on revoke.cash”, you’ll be taken to revoke.cash, where you can revoke the contract’s token allowance.

This might feel a bit cumbersome, but it’s the state of the current technology. A new Ethereum update promises to fix this, though: With account abstraction (specified in ERC-4337), you’ll be able to batch revocations and simply stop anyone from accessing any of your assets (or create custom ways to revoke them). This is set to make web3 both safer and easier to use.
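What revoke.cash does for each entry in that list is send one transaction to the token contract that resets the approval. The added example below (written for this article, not Fire’s or revoke.cash’s code) starts from the kind of grouped approvals list described above and builds those transactions: approve(spender, 0) for ERC-20 allowances and setApprovalForAll(operator, false) for ERC-721 operators, skipping approvals that are already cleared and deduplicating repeated (token, spender) pairs. The selectors are the real ones; the token and spender addresses are constructed placeholders.

```python
# Added example, not Fire's or revoke.cash's code: build the revocation
# transactions for a list of active approvals.

SEL_APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1


def _address_word(address_hex):
    """ABI-encode a 20-byte address as a left-padded 32-byte word."""
    raw = bytes.fromhex(address_hex.removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError("expected a 20-byte address")
    return raw.rjust(32, b"\x00")


def revoke_calldata(approval):
    """Calldata that sets this approval back to nothing."""
    zero = (0).to_bytes(32, "big")   # uint256 0 for ERC-20, bool false for ERC-721
    if approval["standard"] == "ERC-20":
        return SEL_APPROVE + _address_word(approval["spender"]) + zero
    if approval["standard"] == "ERC-721":
        return SEL_SET_APPROVAL_FOR_ALL + _address_word(approval["spender"]) + zero
    raise ValueError("unsupported standard: %r" % approval["standard"])


def still_active(approval):
    """Only approvals that still grant something need a revocation transaction."""
    if approval["standard"] == "ERC-20":
        return approval["allowance"] > 0
    return approval.get("approved") is True


def plan_revocations(approvals):
    """One transaction per (token, spender) pair, ERC-721 first, then ERC-20,
    matching the grouping described above. Each entry is what a wallet sends
    to the token contract; an ERC-4337 smart account could submit the whole
    list as one batch."""
    planned, seen = [], set()
    ordered = sorted(approvals, key=lambda a: a["standard"] != "ERC-721")
    for approval in ordered:
        key = (approval["token"], approval["spender"])
        if key in seen or not still_active(approval):
            continue
        seen.add(key)
        planned.append({
            "standard": approval["standard"],
            "to": approval["token"],
            "data": "0x" + revoke_calldata(approval).hex(),
        })
    return planned


# Constructed approvals list with placeholder addresses.
APPROVALS = [
    {"standard": "ERC-20", "token": "0x" + "aa" * 20, "spender": "0x" + "11" * 20,
     "allowance": MAX_UINT256},            # unlimited stablecoin approval
    {"standard": "ERC-20", "token": "0x" + "aa" * 20, "spender": "0x" + "22" * 20,
     "allowance": 0},                      # already revoked, skipped
    {"standard": "ERC-721", "token": "0x" + "bb" * 20, "spender": "0x" + "33" * 20,
     "approved": True},                    # marketplace operator for all NFTs
    {"standard": "ERC-20", "token": "0x" + "aa" * 20, "spender": "0x" + "11" * 20,
     "allowance": 5_000_000},              # same pair again, deduplicated
]

if __name__ == "__main__":
    for tx in plan_revocations(APPROVALS):
        print(tx["standard"], "revoke ->", tx["to"], tx["data"])
```

Each planned transaction is sent to the token contract itself (the “to” field), not to the spender: the allowance lives in the token’s storage, so only a call to the token can clear it. That is also why, before account abstraction, every token and spender pair costs its own transaction and gas fee.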

To Summarize

Token approvals are an essential part of web3 technologies, enabling seamless operations in applications like DeFi and NFT trading. However, they also present opportunities for scams and phishing attacks. Scammers often trick users into granting "unlimited" approval, giving them unrestricted access to all tokens in the wallet. To protect yourself, it's important to stay informed, be skeptical of offers that seem too good to be true, and set reasonable limits on approvals.

A transaction simulator like ours helps you avoid granting approval to bad actors. If you realize you’ve granted approval to the wrong website or application, you can revoke token approvals. Our Chrome extension also provides an easy overview that’s just a click away from revoking access and saving your assets!

So install Fire today and follow us on Twitter for the latest updates on staying safe in web3.