Revoke Token Approvals: How to Safely Remove Token Approvals and Permissions

Token approvals are the latest security concern for cryptocurrency and NFT wallets. Many crypto users have lost their expensive NFT and crypto assets due to vulnerabilities in different smart contracts. Rogue hackers often exploit these smart contracts to steal NFTs or crypto tokens from users' cryptocurrency wallets. The primary issue underlying this ridiculous hack is that token withdrawals are permitted and processed without the wallet owner's awareness.

Crypto wallet owners need to be aware of the potential risks of nonconsensual token approval when dealing with newly launched crypto or DeFi platforms, especially when the platforms have not been vetted or reviewed via audits. Users commonly do not need to worry about such unwarranted token approvals when interacting with popular DeFi platforms such as a DEX or decentralized marketplace with audited smart contracts. Excellent examples of such audited DeFi platforms are Uniswap and PancakeSwap.

Token approval is an issue because it allows malicious hackers to exploit the wallet feature by enabling unlimited token transaction permissions. Such fraudulent developers can access users' crypto tokens or NFTs by using smart contract vulnerabilities that they manage to install in the platform's smart contracts. After a platform has been allowed unlimited permissions to utilize the users' tokens, the malicious hackers attempt to withdraw the customers' tokens to their own wallets, leaving the user with significant losses. Losses can sometimes happen even after users remove their tokens from the DeFi platform.

Newly launched DeFi platforms have specific vulnerabilities and risks that endanger cryptocurrency or NFT users. The primary vulnerability is that the token approval grants complete access and control of cryptocurrency or NFT tokens to different crypto addresses. The risk is that a user can unintentionally transfer such control to a hacker's crypto wallet address, leading to the loss of NFTs or crypto assets.

This article will explain nonconsensual token approvals and their role in crypto asset hacks or losses. We will also look at how you can safely revoke such token approvals to ensure and enhance your crypto wallet safety. 

What are Token Approvals?

Token approvals are permissions granted to a decentralized platform, such as a crypto token exchange (DEX) or any other decentralized application (dApp), to access tokens in a user's crypto wallet or account. A token approval grants a dApp permission to use your tokens for a DeFi activity or cryptocurrency transaction. Token approvals apply to ERC-20 tokens such as ETH, WETH, and USDC, as well as Non-Fungible Tokens (NFTs) like the ERC-721 and ERC-1155 tokens.

All decentralized applications (dApps) require token approvals from a user's crypto or NFT wallet when interacting with any tokens in a non-custodial crypto wallet such as MetaMask. Likewise, many NFT and crypto transactions, such as trading or offering your NFT for purchase on NFT marketplaces, may also require token approvals. For example, listing your NFT on the OpenSea marketplace requires token approval from your NFT wallet before the NFT token can be accessed or listed.

Revoking such NFT token approvals implies that the NFTs cannot be purchased, traded, or transferred via the NFT marketplace. For example, if you were to revoke NFT token approval for OpenSea, you would no longer be able to avail of their services until the permission is approved. Please be aware that canceling and granting token approvals on the Ethereum blockchain incur a gas fee.

Why Should you Remove Token Approvals or Permissions?

Many NFT and other crypto token marketplaces are facing a security crisis. NFT and crypto tokens are being stolen from users' wallets using the latest token approval hack. The security situation that OpenSea has been dealing with over the last couple of weeks indicates that 2022 has not been very kind to the NFT space. 

Many users have been victims of asset losses and NFT hacks due to bad actors exploiting the token approval features of NFT and crypto wallets. The token approval option allows hackers on DeFi platforms to steal crypto tokens from non-custodial user NFT wallet accounts such as MetaMask. The popular NFT marketplace unintentionally exposed users to additional smart contract vulnerabilities while attempting to fix a problem in the platform that was deemed critical.

To secure your NFT wallets from hacks and asset losses, you must revoke token approvals for third-party dApps or unaudited DeFi platforms. Doing so stops risky dApps from initiating tasks and carrying out transactions with your tokens on your behalf and without your consent.

Token Approval Example 

Smart contract or token approvals, also known as permissions, authorize dApps to transfer tokens in your wallet. Even though this seems intrinsically dangerous, there is always a requirement to provide at least some approval to dApps. For instance, when using a DEX (decentralized exchange), you must sign an approval permitting its smart contract to accept tokens to execute your trade requests. Without token approvals, users cannot perform any activity on Web3 platforms.

However, to keep your NFT wallet secure, it is vital to revoke token approvals after you have completed a transaction on any DeFi platform. 

Considering the current token safety threats, it is essential to periodically check the smart contracts or decentralized applications you've approved to perform sensitive transactions on your behalf. You must revoke any rights provided to dApps you no longer use or those undergoing smart contract updates. Additionally, it is typically a good idea to do the same for dApps that you do not use frequently. Anytime you wish to resume using the DeFi platform, you may sign an approval for it again. Ultimately, this will reduce the risks your account is exposed to at any moment.

We have produced a step-by-step manual on revoking token or smart contract approvals on MetaMask so that you can secure your MetaMask account from similar hacks. 

How to Safely Remove Token Approvals on Etherscan:

Several methods allow you to revoke token approvals on dApps entirely. Many third-party tools are also available for this, and they are covered later in the article. We recommend using the Token Approval tool from Etherscan to manage and revoke your token approvals. Please note that the cancellation of token approval on Etherscan includes a specific gas fee.

Here are the step-by-step instructions for using Etherscan to revoke token approvals or permissions:

1) Open Etherscan Token Approval Checker:

The first step to revoke token approvals on Etherscan is to open the Etherscan Token Approvals Checker tool.

Etherscan Token Approvals Checker Tool

You can do that by visiting: https://etherscan.io/tokenapprovalchecker.

2) Connect your Crypto Wallet to Etherscan:

The next step is to connect your crypto wallet account to the Etherscan Token Approvals Checker tool by clicking the “Connect to Web3” button at the center bottom of the Etherscan Token Approvals homepage. 

Source: OpenSea Support

You can only connect one wallet at a time. After clicking the button, a pop-up will show up, allowing you to select your crypto wallet account(s) if you have multiple accounts. Once that is done, it will show you a consent message to enter the beta version of the tool, which is the only version available now. Click “OK” to continue. 

3) Choose the Token Approval you want to Revoke:

Etherscan Token Approvals Checker tool allows you to navigate ERC-20, ERC-721, or ERC-1155 tabs to select your desired token approval. After you have chosen the token approval you want to revoke, click on it.

4) Revoke the Token Approval by Clicking Revoke Button:

When you have completed the previous step and selected your desired token approval for revocation, it will show you a pop-up box titled "Revoke Approval." 

The revoke approval pop-up shows the blockchain address for the token and the sender, as seen below. 

Source: OpenSea Support

Once you click the revoke button, Etherscan will take you to your crypto wallet to see your transaction record. You need to click confirm in your crypto wallet so that you can revoke the token approval. 

Once revoked, the transaction can be seen on Etherscan to confirm that the token approval or permission is in revoked status and removed. 

That’s it. Congratulations on safely removing the token approval using Etherscan. Your wallet is now at a lesser risk of asset theft and hacks. 
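What the steps above amount to at the contract level, as an added example that is not Etherscan's code: outstanding ERC-20 approvals can be reconstructed by replaying a token's Approval event logs, and the revoke transaction is an approve call with amount zero. The addresses, log objects and helper names are constructed for illustration.

```javascript
// Added example, not Etherscan's code. All addresses and logs are constructed.
// topic0 = keccak256("Approval(address,address,uint256)")
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const APPROVE_SELECTOR = "0x095ea7b3"; // approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n; // what wallets show as "unlimited"

const pad32 = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();

// Replay logs in chain order; the last Approval per (token, spender) wins.
// The result is an upper bound: transferFrom can consume allowance without
// emitting Approval, so allowance(owner, spender) on the token is authoritative.
function outstandingApprovals(logs, owner) {
  const latest = new Map();
  for (const log of logs) {
    // ERC-721 Approval shares topic0 but carries tokenId as a fourth topic.
    if (log.topics[0] !== APPROVAL_TOPIC || log.topics.length !== 3) continue;
    if (topicToAddress(log.topics[1]) !== owner.toLowerCase()) continue;
    const token = log.address.toLowerCase();
    const spender = topicToAddress(log.topics[2]);
    latest.set(token + ":" + spender, { token, spender, amount: BigInt(log.data) });
  }
  return [...latest.values()]
    .filter((a) => a.amount > 0n)
    .map((a) => ({ ...a, unlimited: a.amount === MAX_UINT256 }));
}

// Calldata of the revoke transaction: approve(spender, 0), sent to the token.
function revokeCalldata(spender) {
  return APPROVE_SELECTOR + pad32(spender) + pad32("0x0");
}

const OWNER = "0x" + "a1".repeat(20);
const DEX = "0x" + "d1".repeat(20);
const OLD_DAPP = "0x" + "d2".repeat(20);
const TOKEN = "0x" + "c1".repeat(20);
const mkLog = (spender, amount, extraTopics = []) => ({
  address: TOKEN,
  topics: [APPROVAL_TOPIC, "0x" + pad32(OWNER), "0x" + pad32(spender), ...extraTopics],
  data: "0x" + pad32(amount.toString(16)),
});
const SAMPLE_LOGS = [
  mkLog(DEX, 500n),
  mkLog(OLD_DAPP, MAX_UINT256),
  mkLog(DEX, 0n), // the DEX approval was revoked later
  mkLog(DEX, 7n, ["0x" + pad32("7")]), // ERC-721 style log, skipped
];
for (const a of outstandingApprovals(SAMPLE_LOGS, OWNER))
  console.log(a.spender, a.unlimited ? "UNLIMITED" : a.amount, revokeCalldata(a.spender));
```

In the sample, only the unlimited approval to the unused dApp remains outstanding, because the later zero-amount Approval cancels the DEX entry.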

How to Manage NFT Token Approvals: 

Besides revoking token approvals, the Etherscan Token Approvals Checker allows you to manage your ERC-20 token approvals. When confirming transactions on dApps, we advise MetaMask users to avoid unlimited spend limits.

Source: OpenSea Support

By default, the majority of dApps request an unlimited spending limit. By setting a restricted spending limit, you reduce the risk of a bad actor draining your ERC-20 tokens. To avoid unlimited spend limits, go to Edit Permissions and enter the amount you want to spend under Custom Spend Limit.
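The request a wallet asks you to confirm is ABI-encoded calldata, and an unlimited spend limit is recognisable in it before signing. The following added example (not code from MetaMask, Etherscan or any tool named in this article) classifies such calldata; it assumes the target of `approve` is an ERC-20 token, since ERC-721 uses the same selector with a token ID in place of the amount, and all sample values are constructed.

```javascript
// Added example: classify approval calldata before it is signed.
const SELECTORS = {
  "095ea7b3": "approve",           // approve(address,uint256)
  "a22cb465": "setApprovalForAll", // setApprovalForAll(address,bool), ERC-721/ERC-1155
};
const UNLIMITED = (1n << 256n) - 1n; // max uint256, the default many dApps request

function classifyApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const fn = SELECTORS[hex.slice(0, 8)];
  // Both functions take exactly two 32-byte ABI words after the 4-byte selector.
  if (!fn || !/^[0-9a-f]{136}$/.test(hex)) return { kind: "not-an-approval" };
  const addrWord = hex.slice(8, 72);
  // An ABI-encoded address is left-padded with 12 zero bytes.
  if (!addrWord.startsWith("0".repeat(24))) return { kind: "malformed" };
  const spender = "0x" + addrWord.slice(24);
  const value = BigInt("0x" + hex.slice(72));
  if (fn === "setApprovalForAll") {
    if (value > 1n) return { kind: "malformed" }; // bool must be 0 or 1
    // true hands the operator every token of the collection held by the wallet.
    return { kind: value === 1n ? "operator-for-all" : "revoke", fn, spender };
  }
  if (value === 0n) return { kind: "revoke", fn, spender };
  if (value === UNLIMITED) return { kind: "unlimited", fn, spender };
  return { kind: "limited", fn, spender, value }; // a custom spend limit
}

// Constructed sample calldata; the spender address is a placeholder.
const call = (selector, value) =>
  "0x" + selector + "0".repeat(24) + "d2".repeat(20) + value.toString(16).padStart(64, "0");
const SAMPLES = {
  unlimited: call("095ea7b3", UNLIMITED),
  capped: call("095ea7b3", 250000000n),
  revoke: call("095ea7b3", 0n),
  collection: call("a22cb465", 1n),
  transfer: call("a9059cbb", 1n), // transfer(address,uint256), not an approval
};
for (const [name, data] of Object.entries(SAMPLES))
  console.log(name, classifyApproval(data).kind);
```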

The Takeaway – Other 3rd Party Tools to Revoke Token Approvals and Permissions Safely

Revoking smart contract token approvals or permissions is critical to safeguarding the security of your wallet's assets. You can safely remove any token approval in a couple of minutes by utilizing simple and user-friendly solutions such as the Etherscan Token Approvals tool.

There are other 3rd party tools available for removing token approvals as well. We have listed some of these tools below: 

  • Debank - supports ETH, BSC, xDai, Fantom, Polygon, and OKEx
  • Unrekt - online and mobile support for ETH, BSC, HECO, and Polygon
  • Beefy - supports BSC
  • Polygonscan - supports Polygon

Revoke.Cash is another 3rd party tool for revoking Ethereum token approvals. Revoke.Cash is an open-source browser extension that provides cybersecurity detective functionality. It is a detective control since it does not block the user from accepting; instead, it just detects something and provides information. To learn more, check out this video we found by @Wii_MeeWatch Video on Revoke.Cash
