How To Avoid MetaMask Infinite Approval Exploits
Created 9mo ago, last updated 9mo ago

Learn about the token approval process when interacting with DApps, potential exploitation, and how to keep your ERC-20 tokens safe when using MetaMask.

Did you know that every time you interact with a DApp that involves your ERC-20 tokens, you are granting it permission to access and move your tokens on your behalf?
This permission is called token approval, and it is a crucial feature for web3. But if you’re not careful, it can also be very dangerous.

In this short guide, you will learn:

  • How token approval works
  • How token approval can get exploited
  • And how you can protect yourself against token approval hacks

How Token Approval Works

The approve() function is like giving someone your credit card and telling them how much they can spend with it. It allows another address, usually the smart contract of a decentralized application (called the spender), to use some of your tokens on your behalf. This is useful for many crypto use cases like token swaps, lending and providing liquidity.

The approve() function needs two things: the address of the spender and the amount of tokens you want to let them use. For example, if Alice wants to let Bob use up to 100 tokens for her, she would call approve(Bob, 100).

The approve() function only gives permission, but does not actually move any tokens. To move the tokens, the spender has to call another function, transferFrom(), which needs three things: the address of the token owner, the address of who gets the tokens, and the amount of tokens to be moved.

The transferFrom() function checks that the spender has enough permission from the token owner, and that the token owner has enough tokens to move. If both things are true, it moves the tokens from the owner’s account to the receiver’s account, reduces the spender’s permission by the moved amount and makes a record of the transfer.

So what is infinite token approval?

Sometimes, the amount of tokens you approve is very large (in practice, often the largest value a 256-bit integer can hold). This is like giving someone your credit card and telling them they can spend as much as they want with it. Some apps ask for this kind of approval because they don’t know how many tokens they will need to use for you in the future. You also save gas fees by not having to approve every time. But this also means you can lose all of your tokens if this permission gets exploited.
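The following JavaScript is an added example, not code from the article or from MetaMask: it models the allowance bookkeeping that approve() and transferFrom() perform, and contrasts a limited approval with an infinite one. The rule that an unlimited allowance is never decremented follows the OpenZeppelin ERC-20 implementation; the account names and balances are constructed.

```javascript
// Added example (not from the article): a minimal model of ERC-20 allowance
// bookkeeping, mirroring approve() and transferFrom() as described above.
// Amounts are BigInt because real ERC-20 balances are 256-bit integers.
const MAX_UINT256 = (1n << 256n) - 1n; // what "infinite approval" is in practice

class Token {
  constructor(balances) {
    this.balances = new Map(Object.entries(balances)); // owner -> balance
    this.allowances = new Map();                       // "owner|spender" -> amount
  }
  balanceOf(a) { return this.balances.get(a) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}|${spender}`) ?? 0n; }

  // approve(): the owner lets `spender` move up to `amount` tokens. Only permission is recorded; nothing moves.
  approve(owner, spender, amount) {
    this.allowances.set(`${owner}|${spender}`, amount);
    return true;
  }

  // transferFrom(): called by the spender; checks permission and balance, then moves tokens.
  transferFrom(spender, from, to, amount) {
    const allowed = this.allowance(from, spender);
    if (allowed < amount) throw new Error("ERC20: insufficient allowance");
    if (this.balanceOf(from) < amount) throw new Error("ERC20: transfer amount exceeds balance");
    // An unlimited allowance is never decremented (OpenZeppelin convention), so it keeps working forever.
    if (allowed !== MAX_UINT256) this.allowances.set(`${from}|${spender}`, allowed - amount);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
    return true;
  }
}

// Constructed scenario: Alice approves Bob for 100 tokens, Bob pulls 60 and then tries 60 more.
function demoLimited() {
  const t = new Token({ alice: 1000n });
  t.approve("alice", "bob", 100n);
  t.transferFrom("bob", "alice", "bob", 60n);
  let secondPullFailed = false;
  try { t.transferFrom("bob", "alice", "bob", 60n); } catch { secondPullFailed = true; }
  return { aliceBalance: t.balanceOf("alice"), remaining: t.allowance("alice", "bob"), secondPullFailed };
}
// Same owner with an infinite approval: repeated pulls succeed until the balance is empty.
function demoInfinite() {
  const t = new Token({ alice: 1000n });
  t.approve("alice", "dapp", MAX_UINT256);
  t.transferFrom("dapp", "alice", "dapp", 600n);
  t.transferFrom("dapp", "alice", "dapp", 400n);
  return { aliceBalance: t.balanceOf("alice"), remaining: t.allowance("alice", "dapp") };
}
```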

How Token Approval Can Be Exploited

All ways of exploiting the approve() function have one thing in common: hackers trick you into giving them permission to use your tokens without you realizing it.

One way to do this is by sending you a phishing email or a fake website that looks like a legit project or app that you trust. You may be asked to approve an infinite amount of tokens. If you do, the attacker can call transferFrom() at any time to move the approved tokens out of your wallet.
Another way is exploiting a vulnerability in a smart contract that you have already approved to use your tokens. For example, if the contract is upgradable, a later upgrade can insert malicious code that transfers your tokens. A contract could also have a bug or a backdoor that allows hackers to bypass the normal checks and balances.

How To Protect Yourself From MetaMask Infinite Token Approval Exploits

Here are some tips and tricks to protect yourself from MetaMask infinite approval exploits:
  • Always check the address and the amount of tokens you are approving before you confirm the transaction. Make sure you trust the project or app that is asking for your approval, and that you are using the correct website or app. Don’t click on any suspicious links or emails that claim to be from a legit project or app.
  • Don’t approve an infinite amount of tokens unless you really need to. Some apps may ask you to approve an unlimited amount of tokens for convenience or gas saving reasons, but this also gives them the power to take all of your tokens at any time. If possible, approve only the amount of tokens that you need for a specific transaction or activity, and revoke or reduce the approval when you are done.
  • Use tools and platforms that can help you review, revoke, or customize your token approvals. For example, you can use Etherscan’s Token Approval tool to see all the contracts and tokens that you have approved, and revoke any unnecessary or suspicious ones. Etherscan also has a good token approval explainer to view and change your token allowances for different contracts. These tools can help you manage your token approvals and keep them under control.
  • Stay updated on the latest security news and alerts. For example, MetaMask published an explainer thread on the token approval feature on Twitter.
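To make the first two tips concrete, here is an added JavaScript example (not from the article or MetaMask) that decodes the calldata of a pending approve(address,uint256) transaction, shows the spender and the human-readable amount, and flags unlimited approvals before you click Confirm. The function selector is the real ERC-20 one; the spender address, the allow-list and the "at least 2^255 counts as unlimited" threshold are assumptions made for this example.

```javascript
// Added example (not from the article): review approve() calldata before confirming it.
// Pure JS, no library; input is the hex "data" field of the transaction a wallet asks you to sign.
const MAX_UINT256 = (1n << 256n) - 1n;
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")

// Returns { spender, amount } or throws if the data is not a well-formed approve() call.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64) throw new Error("unexpected calldata length");
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) throw new Error("not an approve() call");
  const spenderWord = hex.slice(8, 72);
  const amountWord = hex.slice(72, 136);
  // An address is 20 bytes right-aligned in a 32-byte word; the 12 leading bytes must be zero.
  if (!/^0{24}/.test(spenderWord)) throw new Error("malformed address word");
  return { spender: "0x" + spenderWord.slice(24), amount: BigInt("0x" + amountWord) };
}

// Converts a raw token amount to a decimal string using the token's decimals().
function formatUnits(amount, decimals) {
  const base = 10n ** BigInt(decimals);
  const whole = amount / base, frac = amount % base;
  if (frac === 0n) return whole.toString();
  return `${whole}.${frac.toString().padStart(decimals, "0").replace(/0+$/, "")}`;
}

// Classifies the approval the way a careful user would: who gets the permission, how much, and is it unlimited?
// `trustedSpenders` is a constructed allow-list of contract addresses you have verified yourself.
function reviewApproval(calldata, decimals, trustedSpenders) {
  const { spender, amount } = decodeApprove(calldata);
  const unlimited = amount >= (1n << 255n); // assumption: MAX_UINT256 or any astronomically large value
  return {
    spender,
    amount: unlimited ? "UNLIMITED" : formatUnits(amount, decimals),
    unlimited,
    knownSpender: trustedSpenders.has(spender),
    verdict: unlimited ? "reject or reduce" : trustedSpenders.has(spender) ? "ok" : "verify spender first",
  };
}

function word(hexNoPrefix) { return hexNoPrefix.padStart(64, "0"); }
const SPENDER = "0x1111111111111111111111111111111111111111"; // constructed address
const CALL_LIMITED = "0x" + APPROVE_SELECTOR + word(SPENDER.slice(2)) + word((100n * 10n ** 18n).toString(16));
const CALL_UNLIMITED = "0x" + APPROVE_SELECTOR + word(SPENDER.slice(2)) + word(MAX_UINT256.toString(16));
```

Run reviewApproval(CALL_LIMITED, 18, new Set([SPENDER])) and reviewApproval(CALL_UNLIMITED, 18, new Set()) to see a 100-token approval to a known spender pass and an unlimited one get flagged.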

By following these simple tips, you can stay safe from MetaMask infinite token approval exploits and enjoy web3 interactions.

This article contains links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of CoinMarketCap, and CoinMarketCap is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. CoinMarketCap is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by CoinMarketCap of the site or any association with its operators. This article is intended to be used and must be used for informational purposes only. It is important to do your own research and analysis before making any material decisions related to any of the products or services described. This article is not intended as, and shall not be construed as, financial advice. The views and opinions expressed in this article are the author’s [company’s] own and do not necessarily reflect those of CoinMarketCap.