How to Manage Smart Contract Allowances to Reduce DeFi Risk and Increase Crypto Security

By Noah Washington, October 18, 2023



  • In the fast-paced world of crypto and blockchain, smart contracts have revolutionized the way transactions are conducted
  • Unauthorized access to funds occurs when allowances are left active without regular review, allowing whoever controls the approved contract to transfer or spend the tokens
  • Unrevoked allowances create opportunities for malicious activities such as draining token balances, manipulating transactions and engaging in fraudulent activities
  • It's important to periodically review and assess the relevance of granted allowances, revoking any that are no longer necessary

In the fast-paced world of crypto and blockchain, smart contracts have revolutionized the way transactions are conducted. "Smart contract allowances," also known as "token approvals," grant specific contracts permission to access and transfer user tokens.

While these allowances are convenient for seamless interactions between different contracts, it is also important to understand how to safely revoke them. This article will provide guidance on how users can safeguard crypto holdings by revoking smart contract allowances.

Understanding Smart Contract Allowances/Token Approvals

Smart contract allowances are permissions a token holder gives a specific contract (the "spender") to move a set amount of the holder's tokens on the holder's behalf. For ERC-20 tokens this is a value stored in the token contract for each (owner, spender) pair: the owner sets it by calling approve(spender, amount), and the spender later moves tokens by calling transferFrom, with no further signature from the owner. Some of these allowances are a requirement for various dapps and token-related activities, such as selling a non-fungible token (NFT) on OpenSea, which asks for an ERC-721 setApprovalForAll approval for the marketplace contract.

An example permission notification from MetaMask wallet. Source: StackExchange

When using a decentralized exchange (DEX), users grant the exchange's router or settlement contract permission to pull the tokens being sold during a trade. Other common cases include depositing collateral into lending platforms and recurring or automated investment features; in each case the dapp's contract needs an allowance in order to take tokens from the wallet.

Risks of Unrevoked Smart Contract Allowances

When users leave allowances active without regular review, it opens the possibility of unauthorized access to tokens. The allowance is the only authorization a spender needs: if the approved contract is compromised (for example, an upgradeable contract whose logic is swapped for malicious code, or a contract with an exploitable bug) or was malicious from the start, whoever controls it can call transferFrom and move tokens up to the approved amount, without any further signature or consent from the user.

Unrevoked allowances can be exploited by malicious contracts or by attackers who gain control of an approved contract, enabling them to drain token balances up to the approved amount, or to pull tokens into fraudulent contracts. An "unlimited" approval, which many dapps request by default, means the whole balance is at risk for as long as the allowance stands. These risks can have a severe financial impact on holders and tarnish the reputation of blockchain networks.
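To make the mechanics concrete, here is an added example (not from the original article) that models ERC-20 balances and allowances in plain JavaScript. The ledger, the addresses and the amounts are constructed for the demo; the approve/transferFrom semantics follow the ERC-20 standard, including the common convention that an unlimited allowance is never decremented. The same scenario runs three ways: an unlimited approval left in place, a capped approval, and an approval revoked before the spender is compromised.

```javascript
// Added example, not code from the original article: a minimal in-memory
// model of ERC-20 balances and allowances, showing why an allowance keeps
// working after the user walks away and what "revoke" actually changes.
// Amounts are BigInt in the token's smallest unit; addresses are plain
// strings. All addresses and balances below are constructed for the demo.

const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" approval many dapps request

class Erc20Ledger {
  constructor() {
    this.balances = new Map();   // owner -> balance
    this.allowances = new Map(); // `${owner}:${spender}` -> remaining allowance
  }
  mint(to, amount) { this.balances.set(to, this.balanceOf(to) + amount); }
  balanceOf(owner) { return this.balances.get(owner) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}:${spender}`) ?? 0n; }

  // approve() is what the wallet signs when a dapp asks for "token access".
  // Nothing moves here; it only records how much `spender` may pull later.
  // approve(spender, 0n) is the revoke operation the tools in this article send.
  approve(owner, spender, amount) {
    this.allowances.set(`${owner}:${spender}`, amount);
  }

  // transferFrom() is called by the spender, not the owner. The owner signs
  // nothing for this call; the allowance set earlier is the only authorization.
  transferFrom(spender, from, to, amount) {
    const allowed = this.allowance(from, spender);
    if (allowed < amount) throw new Error("insufficient allowance");
    if (this.balanceOf(from) < amount) throw new Error("insufficient balance");
    // Convention: an unlimited allowance is not decremented, so it never runs
    // out; a finite one shrinks with every pull.
    if (allowed !== MAX_UINT256) this.approve(from, spender, allowed - amount);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

// Scenario: the user approves a dapp contract, uses it once for 100 units, then
// stops. Later the spender contract falls under an attacker's control and pulls
// whatever the remaining allowance still permits.
function simulateDrain(approvedAmount, revokeBeforeAttack) {
  const user = "0xUser", dapp = "0xDappSpender", attacker = "0xAttacker"; // constructed
  const ledger = new Erc20Ledger();
  ledger.mint(user, 1_000n);
  ledger.approve(user, dapp, approvedAmount);
  ledger.transferFrom(dapp, user, dapp, 100n); // the one legitimate use

  if (revokeBeforeAttack) ledger.approve(user, dapp, 0n); // approve(spender, 0)

  const remaining = ledger.allowance(user, dapp);
  const balance = ledger.balanceOf(user);
  const grab = remaining < balance ? remaining : balance;
  if (grab > 0n) ledger.transferFrom(dapp, user, attacker, grab);
  return { userBalance: ledger.balanceOf(user), stolen: ledger.balanceOf(attacker) };
}

console.log("unlimited, never revoked:", simulateDrain(MAX_UINT256, false)); // stolen 900n
console.log("capped at 150:           ", simulateDrain(150n, false));        // stolen 50n
console.log("unlimited, revoked:      ", simulateDrain(MAX_UINT256, true));  // stolen 0n
```

The three outcomes are the whole argument of this section: the unlimited approval loses the entire remaining balance, the capped approval loses only what was left of the cap, and the revoked approval loses nothing even though the spender is fully compromised.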

Best Practices for Safely Revoking Smart Contract Allowances

Periodically reviewing the contracts to which allowances have been granted, and judging whether each is still needed based on current usage, is the most effective habit a user can adopt. Two practical points apply to every tool below: a revocation is itself an on-chain transaction (an approve call with an amount of zero to the same spender), so it costs gas and must be confirmed like any other transaction, and it cannot recover tokens that have already been moved. Allowances can also be granted by signing a typed message (EIP-2612 permit) rather than sending a transaction, so a prompt that asks only for a signature can create an allowance too. Several tools and platforms assist in managing and monitoring smart contract allowances; some popular options are described below.

MetaMask, one of the most popular wallets, has introduced a feature that allows users to set the amount of tokens a dapp may access instead of accepting the dapp's proposed limit, which is often unlimited.

To take advantage of this feature, users can follow these steps:

  • Respond to Access Request - While using MetaMask, the user may encounter a token access request. In the "Extension" version of MetaMask, a screen will ask the user to set a spending limit for the token. This user-friendly interface empowers the user to establish a desired token allowance instead of relying on the default amount proposed by the dapp.
  • Enter Amount - Next, the user enters the amount they are comfortable with based on their risk tolerance; a good default is no more than the amount needed for the current transaction.
  • Review - The user may proceed to the next screen to review the limit.
  • Approve - Once the limit is reviewed, the user can click 'Approve' to finalize the process.

Revoke.Cash, which first entered the crypto scene in 2019, features the ability to revoke active token allowances that have been approved for any of the tokens inside a user's crypto wallet.

To revoke allowances, users can follow these steps:

  • Visit Revoke.Cash - Users should first visit the Revoke.Cash website and enter a wallet address.
  • Select the Allowance to Revoke - On the Revoke.Cash platform, the user must locate the list of token allowances, then select the specific allowance that they want to revoke by clicking on it.
  • Revoke - Once the user has chosen the allowance they wish to revoke, they must click on the 'Revoke' button provided alongside the allowance details.
  • MetaMask Pop-Up - A MetaMask pop-up will appear in the user's browser window, after which they should ensure that they have the correct blockchain selected on the wallet.
  • Submission Confirmation - After signing the transaction, a confirmation pop-up will appear in the app the user is utilizing. This confirms that the revoke request has been successfully submitted.
  • Removal Confirmation - Once the transaction is confirmed on the blockchain, the allowance the user revoked will disappear from the Revoke.Cash platform. This indicates that the revocation process has been completed successfully.

Etherscan Token Approval, built by Etherscan, is a tool for viewing and revoking the token allowances associated with an Ethereum address, giving users a way to trim allowances and reduce the chances of unauthorized access to crypto holdings.

To take advantage of this tool, users can follow these steps:

  • Open the Token Approval Page - First, the user must visit the Etherscan website and navigate to the Token Approval page.
  • Enter Your Address - The user must then locate the search bar on the Token Approval page and enter their Ethereum address, then click the 'Search' button to proceed.
  • View Connected Smart Contracts - After performing the search, Etherscan will display a list of smart contracts connected to the user's address that have approval to spend on the user's behalf.
  • Connect Wallet - To proceed with the revocation process, the user must click on the 'Connect to Web3' button to establish a connection between the wallet and Etherscan.
  • Revoke Smart Contract Approval - Once the user has successfully connected the wallet, they will see a list of connected smart contracts with respective approval statuses. To revoke the approval of a specific smart contract, the user must locate the corresponding 'Revoke' button and click on it. Please note that users should only revoke the approval of the smart contract(s) that they wish to disconnect.
  • Confirm Revocation - After clicking the 'Revoke' button, the user may be asked to confirm the revoke request. The user should review the details and proceed with the confirmation to revoke the approval of the selected smart contract.
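All three tools above end up sending the same on-chain operation: a call to the token contract's approve(spender, amount) function, with an amount of zero for a revocation. The added example below (not code from MetaMask, Revoke.Cash or Etherscan) decodes the raw calldata of an approve request, which wallets such as MetaMask expose in the transaction's data/hex view, so a user can confirm the spender and whether the amount is unlimited before signing, and it builds the revoke calldata for a given spender. The selector 0x095ea7b3 is the standard ERC-20 approve(address,uint256) selector; the sample spender address and calldata are constructed for the demo.

```javascript
// Added example, not code from any of the tools in this article: decode and
// build the calldata behind ERC-20 approve() requests. Only the standard ABI
// layout is used: a 4-byte function selector followed by 32-byte words.

const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

function strip0x(hex) { return hex.startsWith("0x") ? hex.slice(2) : hex; }

// Parse approve(spender, amount) calldata and flag an unlimited approval.
function decodeApproveCalldata(calldata) {
  const hex = strip0x(calldata).toLowerCase();
  if (hex.length !== 8 + 64 + 64) throw new Error("unexpected calldata length");
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) throw new Error("not an approve() call");
  const spenderWord = hex.slice(8, 72);
  // An address occupies the low 20 bytes of its 32-byte word; the 12 leading
  // bytes must be zero, otherwise the calldata is malformed.
  if (!/^0{24}/.test(spenderWord)) throw new Error("malformed spender word");
  const spender = "0x" + spenderWord.slice(24);
  const amount = BigInt("0x" + hex.slice(72, 136));
  return { spender, amount, unlimited: amount === MAX_UINT256 };
}

// Build approve(spender, amount) calldata; amount is a BigInt in the token's
// smallest unit.
function encodeApprove(spender, amount) {
  const addr = strip0x(spender).toLowerCase();
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("spender must be a 20-byte hex address");
  if (amount < 0n || amount > MAX_UINT256) throw new Error("amount out of range");
  return "0x" + APPROVE_SELECTOR + addr.padStart(64, "0") + amount.toString(16).padStart(64, "0");
}

// A revocation is just approve() with amount 0 to the same spender; this is
// what the "Revoke" buttons described above submit to the wallet.
function encodeRevoke(spender) { return encodeApprove(spender, 0n); }

// Human-readable summary for the confirmation screen (decimals = token decimals).
function describeApproval(calldata, decimals) {
  const { spender, amount, unlimited } = decodeApproveCalldata(calldata);
  if (unlimited) return `UNLIMITED approval to ${spender}`;
  const whole = amount / 10n ** BigInt(decimals);
  const frac = (amount % 10n ** BigInt(decimals)).toString().padStart(decimals, "0");
  return `approve ${whole}.${frac} tokens to ${spender}`;
}

// Constructed sample: the kind of unlimited approval a dapp proposes by default,
// written out as raw calldata (selector, spender word, amount word).
const SAMPLE_SPENDER = "0x1111111111111111111111111111111111111111"; // constructed
const SAMPLE_UNLIMITED_APPROVAL =
  "0x" + APPROVE_SELECTOR +
  "000000000000000000000000" + "1111111111111111111111111111111111111111" +
  "f".repeat(64);

console.log(describeApproval(SAMPLE_UNLIMITED_APPROVAL, 18)); // UNLIMITED approval to 0x1111...
console.log(describeApproval(encodeApprove(SAMPLE_SPENDER, 1_500000n), 6)); // approve 1.500000 tokens ...
console.log("revoke calldata:", encodeRevoke(SAMPLE_SPENDER));
```

If the decoded spender is not the contract the user expects, or the amount is unlimited when the dapp only needs a fixed sum, that is the moment to lower the limit in MetaMask or reject the request; the revoke calldata is what to expect in the wallet pop-up when using Revoke.Cash or Etherscan.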

Maintain More Control

By understanding the risks associated with unrevoked allowances and following the security practices above, cryptocurrency users can mitigate potential threats to their tokens and keep control over how those tokens may be used. The open and permissionless nature of blockchain also means users must put their own safeguards in place. Users should regularly review allowances, approve only the amount a dapp actually needs, use dedicated tools to find and revoke stale allowances, and stay informed about contract upgrades and changes. By taking these proactive measures, users can reduce DeFi and dapp risk and improve the safety and security of their crypto holdings.