How to Manage Token Approvals: Protect Your Wallet from Unlimited Risk
Every time you swap on a DEX, you grant a smart contract permission to move your tokens. Most users never revoke these permissions. Here is why that is dangerous and exactly how to fix it.
Key Takeaways
- Token approvals grant smart contracts permanent permission to move your tokens -- even months after your last interaction
- Unlimited approvals have enabled over $250 million in losses across exploits like BadgerDAO and Multichain
- Use tools like Revoke.cash, the Etherscan Token Approval Checker, or ChainBridge's built-in approval manager to audit and revoke
- Permit2 replaces permanent approvals with time-limited, amount-specific signatures -- a fundamentally safer model
- Audit your active approvals at least once per month and revoke anything you no longer actively use
Table of Contents
- What Are Token Approvals?
- Why Unlimited Approvals Are Risky
- Real Exploits Caused by Approvals
- How to Check Your Approvals on ChainBridge
- How to Revoke Token Approvals
- Permit2 vs Legacy Approvals
- Security Checklist
What Are Token Approvals?
The ERC-20 token standard requires a two-step process for smart contracts to move your tokens. First, you must call the approve() function on the token contract, granting a specific spender address permission to transfer up to a certain amount of your tokens. Then, the spender contract can call transferFrom() to actually move the tokens.
This mechanism exists because smart contracts cannot pull tokens from your wallet without explicit permission. It is a security feature by design. The problem is not the approval mechanism itself -- it is how approvals are typically implemented in practice.
When you swap tokens on a decentralized exchange, the DEX router contract needs approval to access your sell token. Most DEX frontends request "unlimited approval" by default -- meaning the contract can move any amount of that token from your wallet, at any time in the future, without any additional confirmation from you.
The approval persists indefinitely. Even if you have not interacted with a protocol in months, any approval you granted is still active. If that contract is later compromised, the attacker inherits all your existing approvals and can drain your tokens without you signing anything new.
Why Unlimited Approvals Are Risky
An unlimited approval is the equivalent of giving someone a signed blank check. They can fill in any amount at any time. In the context of DeFi, this means:
- Contract exploits: If a protocol's smart contract has a vulnerability, an attacker can use your existing approval to drain your entire token balance -- not just the amount you originally swapped.
- Frontend attacks: Compromised frontends can inject malicious approval requests that look identical to legitimate ones. If you routinely approve without reading, you may approve a completely different contract.
- Rug pulls: Some protocols include admin functions that can redirect approved tokens. The contract may look safe initially but contain hidden extraction logic that is activated later.
- Key compromise: If a protocol's admin keys or multisig is compromised, an attacker can upgrade the contract to steal funds via existing approvals.
The core issue is that unlimited approvals create an unbounded attack surface that persists indefinitely. Even well-audited protocols can be compromised. The safest approach is to minimize the number and scope of active approvals at all times.
Real Exploits Caused by Approvals
These are not theoretical risks. Hundreds of millions of dollars have been lost because of unlimited token approvals:
BadgerDAO (December 2021)
Loss: $120 million. Attackers injected malicious approval requests into the frontend. Users who had granted unlimited approvals had their funds drained directly from their wallets.
Multichain (July 2023)
Loss: $126 million. Private keys were compromised. Funds were moved from contracts that held unlimited approvals from users, allowing the attacker to drain tokens without any new user interaction.
Dexible (February 2023)
Loss: $2 million. A vulnerability in the selfSwap function allowed attackers to use existing token approvals to transfer user tokens to their own address.
In every case, users who had revoked their approvals before the exploit were unaffected. The victims were those who had left unlimited approvals active on contracts they were no longer using.
How to Check Your Approvals on ChainBridge
ChainBridge includes a built-in approval manager that scans your wallet for all active token approvals. You can also use external tools like Revoke.cash or the Etherscan Token Approval Checker for a second opinion.
Here is the step-by-step process using ChainBridge:
Connect Your Wallet
Navigate to the ChainBridge approvals page and connect your wallet. The app will immediately scan your connected address for all active token approvals across supported chains.
Review Active Approvals
You will see a list of every contract that has permission to spend your tokens. Each entry shows the token, the spender contract address, the approved amount (limited or unlimited), and the date of approval.
Identify Risky Approvals
Look for unlimited approvals to contracts you no longer use. Approvals older than 90 days to inactive protocols are flagged automatically. Any approval to an unverified contract is highlighted in orange.
Revoke Unnecessary Approvals
Click "Revoke" next to any approval you want to remove. This sends a transaction that sets the allowance to zero. You will need to pay a small gas fee for each revocation.
Switch to Permit2 Where Possible
For future swaps, ChainBridge uses Permit2 by default. This means approvals are signature-based and time-limited, so you never leave unlimited approvals hanging around.
For additional verification, you can cross-reference your results with Revoke.cash (supports all major EVM chains with a clean interface), the Etherscan Token Approval Checker (available at etherscan.io/tokenapprovalchecker), or similar tools on Arbiscan and Basescan for L2 chains.
How to Revoke Token Approvals
Revoking an approval means setting the allowance for a specific spender back to zero. This is a standard on-chain transaction that costs gas. On Ethereum mainnet, a revocation typically costs between $2 and $8. On L2 chains like Arbitrum or Base, it costs a fraction of a cent.
On ChainBridge, click the "Revoke" button next to any approval in your approval manager. Your wallet will prompt you to confirm a transaction that calls approve(spender, 0) on the token contract. Once confirmed, that contract can no longer move your tokens.
Prioritize revoking approvals in this order:
- Unlimited approvals to protocols you no longer use -- these are the highest risk because you have no ongoing relationship but they have permanent access.
- Approvals to unverified or unknown contracts -- if you do not recognize the spender, revoke immediately.
- Unlimited approvals to protocols you still use -- consider switching to exact-amount approvals or Permit2-based interactions.
- Limited approvals with amounts exceeding your current balance -- reduce these to match your actual usage.
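As an added example (not part of this article or of ChainBridge's code), the following Python script reproduces the check-and-prioritize steps above over a constructed set of ERC-20 Approval events: the latest Approval per (token, spender) pair is the live allowance, a zero value means it was revoked, and each remaining allowance is ranked in the revocation order listed above. The addresses, timestamps, balances and verified-contract list are constructed placeholders, and approval age stands in for protocol activity, since Approval events alone do not show when a spender was last used.

```python
UNLIMITED = 2**256 - 1          # value most dApps request as "unlimited" approval
STALE_DAYS = 90
NOW = 1_700_000_000             # constructed "current" block timestamp

# Constructed Approval(owner, spender, value) events for one wallet; "ts" is the
# timestamp of the block that emitted the event. Addresses are placeholders.
SAMPLE_EVENTS = [
    {"token": "USDC", "spender": "0xROUTER_A", "value": UNLIMITED, "ts": NOW - 200 * 86400},
    {"token": "USDC", "spender": "0xROUTER_A", "value": 0, "ts": NOW - 150 * 86400},  # revoked
    {"token": "WETH", "spender": "0xROUTER_B", "value": UNLIMITED, "ts": NOW - 120 * 86400},
    {"token": "DAI", "spender": "0xUNKNOWN_C", "value": 5_000 * 10**18, "ts": NOW - 3 * 86400},
    {"token": "USDC", "spender": "0xROUTER_E", "value": UNLIMITED, "ts": NOW - 5 * 86400},
    {"token": "WETH", "spender": "0xROUTER_D", "value": 10 * 10**18, "ts": NOW - 10 * 86400},
]
VERIFIED = {"0xROUTER_A", "0xROUTER_B", "0xROUTER_D", "0xROUTER_E"}  # constructed allow-list
BALANCES = {"USDC": 1_000 * 10**6, "WETH": 2 * 10**18, "DAI": 100 * 10**18}

def current_allowances(events):
    """approve() overwrites rather than accumulates, so the latest event per
    (token, spender) pair is the live allowance; zero means it was revoked."""
    latest = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        latest[(ev["token"], ev["spender"])] = ev
    return {k: v for k, v in latest.items() if v["value"] > 0}

def triage(events, verified, balances, now=NOW):
    """Rank live allowances in the article's revocation order, 1 = revoke first.
    Approval age is used as a proxy for protocol activity."""
    findings = []
    for (token, spender), ev in current_allowances(events).items():
        unlimited = ev["value"] == UNLIMITED
        stale = now - ev["ts"] > STALE_DAYS * 86400
        if unlimited and stale:
            findings.append((1, token, spender, "unlimited, unused for 90+ days"))
        elif spender not in verified:
            findings.append((2, token, spender, "unverified spender contract"))
        elif unlimited:
            findings.append((3, token, spender, "unlimited approval to a protocol in use"))
        elif ev["value"] > balances.get(token, 0):
            findings.append((4, token, spender, "allowance exceeds current balance"))
    return sorted(findings)

if __name__ == "__main__":
    for priority, token, spender, reason in triage(SAMPLE_EVENTS, VERIFIED, BALANCES):
        print(f"[{priority}] revoke {token} -> {spender}: {reason}")
```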
Permit2 vs Legacy Approvals
Permit2, developed by Uniswap Labs, is a universal approval infrastructure that replaces the traditional approve/transferFrom pattern. Instead of granting permanent on-chain approvals to every protocol individually, you approve Permit2 once per token, and then all subsequent "approvals" are done via off-chain signatures with built-in expiration.
ChainBridge uses Permit2 for all 0x-powered swaps. Here is how the two models compare:
| Feature | Legacy Approval | Permit2 |
|---|---|---|
| Approval method | On-chain approve() transaction | Off-chain EIP-712 signature |
| Gas cost per approval | ~46,000 gas | Zero (signature only) |
| Expiration | Never expires (unless explicitly revoked) | Time-limited (configurable) |
| Amount control | Usually unlimited by default | Exact amount per transaction |
| Revocation cost | Requires on-chain transaction (~26,000 gas) | Automatic expiry, no revocation needed |
| Attack surface | Permanent until revoked, exploitable if contract is compromised | Temporary and scoped, minimal window |
| User experience | Two transactions per swap (approve + swap) | One-time approve, then signatures only |
| Protocol support | Universal (all ERC-20 tokens) | Growing (0x, Uniswap, and others) |
The fundamental advantage of Permit2 is that approvals are ephemeral rather than permanent. Even if a protocol using Permit2 is compromised, the attacker can only exploit approvals that have not yet expired -- and those approvals are limited to the exact amount the user specified. This dramatically reduces the attack surface compared to traditional unlimited approvals.
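To make the comparison concrete, here is an added Python model (not the article's, ChainBridge's or Uniswap's code) of both allowance schemes: a minimal ERC-20 allowance map beside Permit2's AllowanceTransfer state of amount, expiration and nonce. The EIP-712 signature check is assumed to have already passed, and the names alice, ROUTER, PERMIT2 and attacker are constructed; the scenario shows a router compromised 200 days after approval draining the legacy unlimited allowance but failing against the expired, amount-capped Permit2 allowance.

```python
UNLIMITED = 2**256 - 1
DAY = 86400

class LegacyToken:
    """Constructed ERC-20 allowance model: approve() overwrites, transferFrom() spends."""
    def __init__(self, balances):
        self.balances, self.allowance = dict(balances), {}
    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount      # approve(spender, 0) is the revoke
    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance.get((owner, spender), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            return False
        if allowed != UNLIMITED:                       # an unlimited allowance is never drawn down
            self.allowance[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True

class Permit2Model:
    """Constructed model of Permit2 AllowanceTransfer state: (owner, spender) ->
    [amount, expiration, nonce]; the EIP-712 signature is assumed already verified."""
    def __init__(self, token):
        self.token, self.allowances = token, {}        # token must have approved "PERMIT2" once
    def permit(self, owner, spender, amount, expiration, nonce, sig_deadline, now):
        cur = self.allowances.get((owner, spender), [0, 0, 0])
        if now > sig_deadline or nonce != cur[2]:      # stale signature or nonce replay
            return False
        self.allowances[(owner, spender)] = [amount, expiration, nonce + 1]
        return True
    def transfer_from(self, spender, owner, to, amount, now):
        a = self.allowances.get((owner, spender))
        if a is None or now > a[1] or a[0] < amount:   # expired, or over the signed amount
            return False
        a[0] -= amount
        return self.token.transfer_from("PERMIT2", owner, to, amount)

def compromised_router_drain(days_later):
    """alice grants ROUTER a legacy unlimited approval and a 30-minute, 1 WETH Permit2
    allowance at t=0; ROUTER is compromised days_later and tries to pull all 5 WETH."""
    legacy = LegacyToken({"alice": 5 * 10**18})
    legacy.approve("alice", "ROUTER", UNLIMITED)
    p2 = Permit2Model(LegacyToken({"alice": 5 * 10**18}))
    p2.token.approve("alice", "PERMIT2", UNLIMITED)            # the one-time Permit2 approval
    p2.permit("alice", "ROUTER", 10**18, 30 * 60, 0, 30 * 60, now=0)
    later = days_later * DAY
    return (legacy.transfer_from("ROUTER", "alice", "attacker", 5 * 10**18),
            p2.transfer_from("ROUTER", "alice", "attacker", 5 * 10**18, later))
```

Running compromised_router_drain(200) returns (True, False): the legacy allowance is still fully usable months later, while the Permit2 allowance has long expired and was capped at 1 WETH anyway.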
Security Checklist
Follow these eight practices to minimize your exposure from token approvals:
1. Audit your approvals at least once per month
Token approvals do not expire by default. An approval you granted six months ago to a protocol you no longer use is still active and potentially exploitable.
2. Never grant unlimited approval to unknown contracts
If a dApp asks for unlimited approval and you have never heard of it, that is a major red flag. Legitimate protocols will work with exact-amount approvals.
3. Use Permit2-based protocols when available
Permit2 approvals are time-limited and amount-specific by design. They expire automatically, unlike traditional ERC-20 approvals.
4. Revoke approvals immediately after a protocol gets hacked
When a protocol is exploited, attackers often drain funds through existing approvals. Revoke first, ask questions later.
5. Check approval amounts match your actual trade size
Some dApps request 10x or 100x your actual trade amount. There is no reason for this. Request exact-amount approvals instead.
6. Use a dedicated hot wallet for DeFi interactions
Keep the majority of your holdings in a hardware wallet or a separate address. Only transfer what you plan to trade to your active DeFi wallet.
7. Verify the spender contract on a block explorer
Before approving, check if the contract is verified on Etherscan and matches the official protocol deployment. Do not approve unverified contracts.
8. Bookmark legitimate dApp URLs and never approve from links in messages
Phishing sites look identical to real protocols but use malicious contracts. Always navigate to dApps from your own bookmarks.