OpenSea users reportedly had over $1.7M worth of NFT assets stolen from them through a phishing attack, as users grant DApps smart contracts unlimited access to their wallets and funds.
Judging from the security crisis OpenSea has experienced in the last few weeks, it is clear that the NFT marketplace has had a torrid beginning to 2022. While trying to resolve a seemingly critical infrastructural flaw, the platform has inadvertently exposed users to other smart contract exploits. And like every smart contract security scandal witnessed so far, users have always been at the receiving end.
Therefore, the question is: How can the average decentralized app (DApp) user guard against losses incurred due to unforeseen smart contract hacks. Well, as noted by OpenSea, the best bet is to revoke token approvals such that dapps that you no longer trust would not be able to initiate tasks and transact your tokens on your behalf.
Bearing this in mind, we have created a comprehensive guide on how to revoke smart contract allowances or token approvals on MetaMask. However, before highlighting the steps involved, let us first discuss the importance of revoking token approvals and permissions.
Why Do You Need To Revoke Permissions And Token Approval?
One thing that the recent OpenSea crisis tells us is that decentralized apps, as impressive as they are, come with their own set of problems – the first being the high tendency of being hacked. The nascency of smart contract-enabled applications, coupled with the lack of industry standards, makes it a lot easier for hackers to capitalize on security loopholes.
Take the most recent OpenSea phishing attack as a case study. The attacker took advantage of several factors, including the planned upgrade to a new smart contract. Amid the rush by users to upgrade to the latest smart contract, the attacker was able to manipulate 17 users to sign malicious payloads. This allowed the bad actor to buy the victims’ NFTs for 0 ETH. What we learned from this unfortunate incident is that it is easy to be a victim of smart contract hacks, since we almost always grant DApps unlimited access to our wallets.
For instance, you must have granted OpenSea permissions to access, list and transfer the NFTs in your wallet before you can use the platform to trade NFTs. And so, whenever the smart contracts of DApps you have interacted with are under attack, chances are that the attackers can withdraw the tokens in your connected wallet. This is also why rug pulls are rampant in the crypto industry.
In light of this existing threat, it is imperative to occasionally review the smart contracts or DApps that have been authorized to conduct sensitive transactions on your behalf. You need to revoke the permissions granted to DApps you no longer trust or those undergoing smart contract upgrades. Also, it is always advisable to do the same to DApps that you have not used in a while. You can easily re-sign the permissions whenever you want to start using them again. Ultimately, this will limit the risks your wallet is exposed to at each given time.
Having highlighted the importance of constantly reviewing the number of DApps permitted to initiate sensitive actions on your behalf, below is how to revoke token approvals.
How To Revoke Token Approvals On MetaMask
We have tailored this guide for MetaMask users because it is arguably the most popular wallet service provider among DApp users. Also, revoking token approval comes at a cost. You will have to pay a gas fee to complete the process.
With that said, here are the steps you need to take to revoke token approvals or permissions.
- First, you should head to the block explorers for the DApp networks you usually utilize. For instance, Ethereum users should head to Etherscan, Polygon users to Polygonscan, while BSCscan is the ideal explorer for those using BSC-based dapps. In this guide, we will be focusing on Etherscan.
- On the Etherscan blockchain explorer, navigate to the Approval Checker section. Here is the link for the approval review portal for Etherscan.
- While at the approve checker page, click on Connect to Web3 to trigger the Choose a Wallet window. Here, choose the MetaMask option and follow the prompt to connect your wallet to the portal. Note that your MetaMask wallet must be online to connect successfully.
- Once you are connected, navigate through the Ethereum token standards tabs (including ERC-20, ERC721, and ERC-115) until you find the token approval you wish to revoke. For each token on your wallet, you will be able to see the smart contracts that have the approval to either access it or submit transactions on your behalf. You can select the specific approval you want to cancel from here.
- Next, click on Revoke to cancel the token approval. By doing so, you will trigger a signature request in your wallet. Approve this request and pay the appropriate gas fee to complete the process.
You can as well manage the approval of each token while interacting with dapps. This is possible when implementing certain actions or approving transactions on DApps. Rather than enabling unlimited spending limits when approving transactions, it is advisable to opt for a custom spending limit.
To do this, click on Edit Permission whenever your MetaMask wallet requests transaction approvals. Then, enter your desired spending limit in the Custom Spending Limit field. By doing so, the DApp in question can not access or transact above the amount you entered as your spending limit.
If you are using other wallets beside MetaMask, you can use token allowance services like Etherscan, Revoke.cash, Unrekt and more to approve or revoke smart contract permissions.
This article contains links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of CoinMarketCap, and CoinMarketCap is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. CoinMarketCap is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by CoinMarketCap of the site or any association with its operators.
This article is intended to be used and must be used for informational purposes only. It is important to do your own research and analysis before making any material decisions related to any of the products or services described. This article is not intended as, and shall not be construed as, financial advice.
The views and opinions expressed in this article are the author’s [company’s] own and do not necessarily reflect those of CoinMarketCap.
