A token approval gives a smart contract permission to move your ERC-20 tokens. You sign one every time you use a DEX, lending protocol, or NFT marketplace. If the approval is unlimited and the contract is malicious or gets exploited, it can drain everything you own in a single transaction.

What happens technically

ERC-20 tokens (USDC, WETH, UNI, and thousands of others) have an approve(spender, amount) function. When you call it:

  • spender is a contract address (the DEX router, the lending pool, etc.)
  • amount is how many tokens that contract is allowed to move from your wallet

Most wallets and dApps request amount = 2^256 - 1, which is effectively unlimited. The reason is convenience: approve once, use forever without re-approving. The problem: the approval stays active until you revoke it. If the spender contract is later exploited, whoever controls it can drain everything in one transaction.

Why unlimited approvals became the default

Before EIP-2612 (permit signatures), every ERC-20 interaction required a separate on-chain approval. To avoid users paying two gas fees per action, protocols started requesting unlimited approvals upfront. That was a reasonable UX tradeoff in 2020. Today, with more sophisticated attackers and higher TVL, it is a significant risk most users do not know they carry.

How wallet drainers exploit approvals

The attack is straightforward:

  1. You interact with a legitimate-looking dApp (fake airdrop, copied DEX, phishing site).
  2. The dApp asks for an approval. The UI shows a token name. The spender is the attacker’s drainer contract.
  3. You approve. The transaction looks routine.
  4. The drainer calls transferFrom(yourWallet, attackerWallet, amount) with amount set to your full balance and empties the wallet.

The drainer does not need your private key. It just needs the approval you already gave.
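Because the approval itself is the weapon, the one place to catch the attack is the approve() transaction before it is signed. The following is an added example, not code from the original article: it decodes the calldata of an ERC-20 approve(spender, amount) call and surfaces the two fields that matter (the spender address and whether the amount is 2^256 - 1), instead of the token name a dApp chooses to display. It runs offline in Node.js; every address and the allowlist are constructed placeholders.

```javascript
// Added example (not from the original article): inspect approve() calldata
// before signing so the real spender and amount are visible.
// Pure Node.js, runs offline. All addresses are constructed placeholders.

const MAX_UINT256 = (1n << 256n) - 1n;
// First 4 bytes of keccak256("approve(address,uint256)"): the standard ERC-20 selector.
const APPROVE_SELECTOR = "095ea7b3";

// Parse 0x-prefixed hex calldata into its spender and amount.
function decodeApproveCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64) throw new Error("unexpected approve() calldata length");
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) throw new Error("not an approve() call");
  // An address occupies the low 20 bytes of its 32-byte ABI word.
  const spender = "0x" + hex.slice(8 + 24, 8 + 64);
  const amount = BigInt("0x" + hex.slice(8 + 64));
  return { spender, amount, unlimited: amount === MAX_UINT256 };
}

// Render a raw token amount using the token's decimals (USDC uses 6, WETH 18).
function formatUnits(amount, decimals) {
  const s = amount.toString().padStart(decimals + 1, "0");
  const whole = s.slice(0, s.length - decimals);
  const frac = s.slice(s.length - decimals).replace(/0+$/, "");
  return frac ? `${whole}.${frac}` : whole;
}

// Constructed allowlist: spenders the user has deliberately chosen to trust
// (e.g. the router of a DEX they actually use). Placeholder address.
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// Produce the warnings a wallet should show before the user signs.
function assessApproval(data, tokenDecimals) {
  const { spender, amount, unlimited } = decodeApproveCalldata(data);
  const warnings = [];
  if (unlimited) warnings.push("unlimited allowance (2^256 - 1): spender can move your entire balance at any time");
  if (!KNOWN_SPENDERS.has(spender)) warnings.push(`spender ${spender} is not on your allowlist`);
  return { spender, amount, display: unlimited ? "unlimited" : formatUnits(amount, tokenDecimals), warnings };
}

// ABI-encode approve(spender, amount); used here only to build sample calldata.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amt;
}

// Two constructed requests: a routine-looking unlimited approval to an unknown
// spender, and an exact 50 USDC (6 decimals) approval to a known one.
const SAMPLES = {
  suspicious: encodeApprove("0x2222222222222222222222222222222222222222", MAX_UINT256),
  routine: encodeApprove("0x1111111111111111111111111111111111111111", 50000000n),
};

for (const [name, data] of Object.entries(SAMPLES)) {
  const r = assessApproval(data, 6);
  console.log(name, "->", r.display, "to", r.spender, r.warnings.length ? r.warnings : "no warnings");
}
```

The length check matters: a wallet that only reads the first 36 bytes can be fooled by trailing data, so the decoder rejects anything that is not exactly selector + two ABI words. The allowlist is a stand-in for whatever list of recognised contracts the user or wallet maintains.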

How to check your current approvals

Web3defender’s approval scanner reads your on-chain allowances and flags:

  • Unlimited approvals (amount = MAX_UINT256)
  • Approvals to unverified or recently deployed contracts
  • Approvals that have not been used in months (stale)
  • Approvals to contracts on the GoPlus malicious-contract list

The scanner covers Ethereum, BSC, Polygon, Arbitrum, and Base.

How to revoke approvals

  1. Open Web3defender approvals or use revoke.cash.
  2. Connect your wallet.
  3. Select the approvals you want to remove.
  4. Sign a revoke transaction (one per approval, costs gas).

If a contract you approved has been exploited, move the tokens to a fresh wallet before revoking. Once the tokens leave your address, the unlimited approval is worthless to the attacker.
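To make the scanner rules and the revoke step concrete, here is an added example that is not the Web3defender scanner's or revoke.cash's own code. It applies the four flagging rules listed above to a constructed set of allowance records, then builds the calldata for the revoke transaction (approve(spender, 0)) and, as an alternative, for an exact-amount re-approval. A real tool would assemble the records from Approval event logs and allowance() calls; here they are embedded so the example runs offline in Node.js. Every address, timestamp, threshold and the stand-in malicious list are constructed placeholders.

```javascript
// Added example (not Web3defender's or revoke.cash's code): approval scanner
// rules over constructed records, plus revoke / exact-approval calldata.
// Runs offline in Node.js. All addresses and thresholds are placeholders.

const MAX_UINT256 = (1n << 256n) - 1n;
const APPROVE_SELECTOR = "095ea7b3"; // keccak256("approve(address,uint256)")[0:4]
const DAY = 24 * 60 * 60;
const NOW = 1700000000; // fixed "current" Unix time so the stale rule is deterministic

// Stand-in for a malicious-contract list such as the one the article mentions.
const MALICIOUS_SPENDERS = new Set(["0x0bad0bad0bad0bad0bad0bad0bad0bad0bad0bad"]);

const USDC = "0xaaaa000000000000000000000000000000000001"; // placeholder token address
const RECORDS = [
  { token: "USDC", tokenAddress: USDC, spender: "0x1111111111111111111111111111111111111111",
    allowance: MAX_UINT256, lastUsed: NOW - 3 * DAY, spenderDeployedAt: NOW - 900 * DAY, verified: true },
  { token: "WETH", tokenAddress: "0xaaaa000000000000000000000000000000000002", spender: "0x2222222222222222222222222222222222222222",
    allowance: 5n * 10n ** 17n, lastUsed: NOW - 200 * DAY, spenderDeployedAt: NOW - 400 * DAY, verified: true },
  { token: "UNI", tokenAddress: "0xaaaa000000000000000000000000000000000003", spender: "0x3333333333333333333333333333333333333333",
    allowance: MAX_UINT256, lastUsed: NOW - 1 * DAY, spenderDeployedAt: NOW - 2 * DAY, verified: false },
  { token: "USDT", tokenAddress: "0xaaaa000000000000000000000000000000000004", spender: "0x0bad0bad0bad0bad0bad0bad0bad0bad0bad0bad",
    allowance: 1000n * 10n ** 6n, lastUsed: NOW - 10 * DAY, spenderDeployedAt: NOW - 30 * DAY, verified: false },
  { token: "DAI", tokenAddress: "0xaaaa000000000000000000000000000000000005", spender: "0x4444444444444444444444444444444444444444",
    allowance: 0n, lastUsed: NOW - 500 * DAY, spenderDeployedAt: NOW - 600 * DAY, verified: true }, // already revoked
];

// Apply the rules to one record. The 90-day "stale" and 30-day "recently
// deployed" thresholds are assumptions, not values from the article.
function flagRecord(r, now = NOW, staleDays = 90, recentDays = 30) {
  const reasons = [];
  if (r.allowance === 0n) return reasons; // nothing to revoke
  if (r.allowance === MAX_UINT256) reasons.push("unlimited");
  if (!r.verified) reasons.push("unverified contract");
  if (now - r.spenderDeployedAt < recentDays * DAY) reasons.push("recently deployed");
  if (now - r.lastUsed > staleDays * DAY) reasons.push("stale");
  if (MALICIOUS_SPENDERS.has(r.spender.toLowerCase())) reasons.push("on malicious list");
  return reasons;
}

// Return only the records that tripped at least one rule, with their reasons.
function scanApprovals(records, now = NOW) {
  return records
    .map((r) => ({ ...r, reasons: flagRecord(r, now) }))
    .filter((r) => r.reasons.length > 0);
}

// ABI-encode approve(spender, amount): selector + two 32-byte words.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amt;
}

// Revoking is simply approve(spender, 0) sent to the token contract.
function buildRevokeTx(tokenAddress, spender) {
  return { to: tokenAddress, value: 0n, data: encodeApprove(spender, 0n) };
}

// Parse a human amount ("25.5") into base units for an exact-amount approval.
function parseUnits(text, decimals) {
  const [whole, frac = ""] = text.split(".");
  if (frac.length > decimals) throw new Error("too many decimal places");
  return BigInt(whole + frac.padEnd(decimals, "0"));
}

// The "approve exact amounts" alternative to an unlimited allowance.
function buildExactApprovalTx(tokenAddress, spender, humanAmount, decimals) {
  return { to: tokenAddress, value: 0n, data: encodeApprove(spender, parseUnits(humanAmount, decimals)) };
}

for (const r of scanApprovals(RECORDS)) {
  console.log(`${r.token} -> ${r.spender}: ${r.reasons.join(", ")}`);
  console.log("  revoke tx data:", buildRevokeTx(r.tokenAddress, r.spender).data);
}
```

Each revoke object is one transaction to the token contract, which is why the article counts one gas fee per approval removed. The zero-allowance DAI record is deliberately included to show that an already-revoked approval produces no finding.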

Best practices going forward

  • Approve exact amounts. Some dApps have a “custom amount” field. Use it.
  • Use EIP-2612 permit where available. Permit is an off-chain signature that expires. No permanent on-chain allowance.
  • Revoke after each session for high-value tokens like USDC, WETH, and USDT.
  • Check new dApps in Web3defender before approving anything. A phishing site can look identical to the real one.
  • Use a separate hot wallet for DeFi interactions. Keep long-term holdings in a cold wallet that never signs approvals.

The difference between approval and permit

                 Approval (approve)           Permit (EIP-2612)
  On-chain?      Yes, costs gas               No, off-chain signature
  Persists?      Until revoked                Until expiry or use
  Risk           Permanent until you act      Expires automatically
  Available on   All ERC-20 tokens            Tokens that implement EIP-2612

USDC, DAI, and WETH support permit. If the dApp supports it, prefer permit.

FAQ

Does revoking approvals cost gas? Yes. Each revocation is a transaction. On Ethereum mainnet: $2-$10 depending on gas prices. On BSC or Polygon: under $0.10.

If I have an unlimited approval but the contract is audited, am I safe? No. Audits reduce risk but do not eliminate it. A contract can be exploited through a bug the audit missed. Limiting approvals is always safer than relying on audit quality.

What if I already got drained? Can I recover? Funds sent through a token approval are typically unrecoverable. The transaction is valid and irreversible. Report to local authorities and the protocol team. Revoke all remaining approvals immediately to prevent further loss.

Can a dApp drain tokens I never approved? No. A contract can only move tokens you explicitly approved. Draining native ETH or BNB requires a different attack: a malicious contract call that transfers value directly, not via transferFrom.