Learn about the token approval process when interacting with DApps, potential exploitation, and how to keep your ERC-20 tokens safe when using MetaMask.
In this short guide, you will learn:
- How token approval works
- How token approval can get exploited
- And how you can protect yourself against token approval hacks
How Token Approval Works
The approve() function takes two arguments: the address of the spender and the maximum amount of tokens (in the token's smallest unit) that the spender may move on your behalf. Calling it only records an allowance in the token contract; it does not move any tokens by itself, and it overwrites whatever allowance that spender had before. For example, if Alice wants to let Bob use up to 100 tokens for her, she calls approve(Bob, 100), and Bob's allowance from Alice becomes 100.
The transferFrom(from, to, amount) function is what the spender calls later. The token contract checks that the caller's allowance from the owner covers the amount, and that the owner actually holds that many tokens. If both checks pass, it moves the tokens from the owner's account to the receiver's account, reduces the caller's allowance by the moved amount and emits a Transfer event; otherwise the call reverts. Note that the owner signs nothing at this point: once the allowance exists, the spender can call transferFrom() whenever it likes, for as long as the allowance lasts.
So what is infinite token approval?
Sometimes the amount you approve is very large, typically the largest value a uint256 can hold (2^256 - 1), which token contracts treat as unlimited. This is like handing someone your credit card and telling them they can spend as much as they want with it. Some apps ask for this kind of approval because they don't know how many tokens they will need to move for you in the future, and it saves you the gas of approving again before every transaction. But it also means the approved address can move every token you hold, now or at any later time, and many token contracts never decrease an unlimited allowance, so it stays in place until you change it. If the approved address is malicious, or a legitimate contract that later gets compromised, you can lose all of your tokens.
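To make the flow above concrete, here is a small JavaScript model of an ERC-20 token's allowance bookkeeping. It is an added example, not code from the original article or from any real token contract; the names alice, bob, carol, dapp and attacker stand in for addresses. It assumes the common OpenZeppelin behaviour of not decrementing an unlimited (2^256 - 1) allowance, which the ERC-20 standard itself does not require.

```javascript
// Added example (not from the original article): an in-memory model of the
// ERC-20 approve()/transferFrom() mechanics, so the bounded and the "infinite"
// approval cases can be traced without a blockchain. Leaving an unlimited
// allowance undecremented mirrors OpenZeppelin's implementation; it is an
// implementation choice, not something the ERC-20 standard mandates.

const MAX_UINT256 = (1n << 256n) - 1n;

class Erc20Model {
  constructor(initialBalances = {}) {
    this.balances = new Map(Object.entries(initialBalances).map(([k, v]) => [k, BigInt(v)]));
    this.allowances = new Map(); // key "owner:spender" -> BigInt
    this.events = [];            // stand-in for emitted Approval/Transfer events
  }

  balanceOf(who) { return this.balances.get(who) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}:${spender}`) ?? 0n; }

  // approve(spender, amount), called by `owner` (msg.sender in Solidity).
  // Only records the allowance; no tokens move, and any previous allowance is overwritten.
  approve(owner, spender, amount) {
    this.allowances.set(`${owner}:${spender}`, BigInt(amount));
    this.events.push({ type: 'Approval', owner, spender, value: BigInt(amount) });
    return true;
  }

  // transferFrom(from, to, amount), called by `spender` (msg.sender). The owner
  // is not involved: the allowance granted earlier is the only authorisation checked.
  transferFrom(spender, from, to, amount) {
    amount = BigInt(amount);
    const allowed = this.allowance(from, spender);
    if (allowed < amount) throw new Error('ERC20: insufficient allowance');
    if (this.balanceOf(from) < amount) throw new Error('ERC20: transfer amount exceeds balance');
    // An unlimited allowance is left as-is; any other allowance shrinks by the moved amount.
    if (allowed !== MAX_UINT256) {
      this.allowances.set(`${from}:${spender}`, allowed - amount);
    }
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
    this.events.push({ type: 'Transfer', from, to, value: amount });
    return true;
  }
}

// Walk through both cases. The names are placeholders standing in for addresses.
function demo() {
  const token = new Erc20Model({ alice: 1000n });

  // Bounded approval: Bob may move up to 100 of Alice's tokens.
  token.approve('alice', 'bob', 100n);
  token.transferFrom('bob', 'alice', 'carol', 60n);
  const remainingBounded = token.allowance('alice', 'bob');   // 40n left

  let refused = false;
  try { token.transferFrom('bob', 'alice', 'carol', 60n); }  // 60 > 40 remaining -> reverts
  catch (e) { refused = true; }

  // Infinite approval: Alice grants the maximum uint256 to a "dapp" spender. If that
  // spender is malicious or later compromised, everything Alice holds can be pulled
  // in a single call, with no further signature from her, and the allowance survives.
  token.approve('alice', 'dapp', MAX_UINT256);
  token.transferFrom('dapp', 'alice', 'attacker', token.balanceOf('alice'));

  return {
    remainingBounded,
    refused,
    aliceBalance: token.balanceOf('alice'),
    attackerBalance: token.balanceOf('attacker'),
    dappAllowanceStillUnlimited: token.allowance('alice', 'dapp') === MAX_UINT256,
  };
}
```

Running demo() shows the two behaviours side by side: the bounded allowance shrinks to 40 and refuses a second 60-token pull, while the unlimited allowance lets the spender drain the remaining 940 tokens and is still unlimited afterwards.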
How Token Approval Can Be Exploited
All ways of exploiting the approve() function have one thing in common: the attacker gets you to grant an allowance to an address they control, usually by dressing up the approval as something harmless on a fake or compromised website, so you sign it without realizing what you are authorizing. From that point on they need nothing more from you: the allowance lets them call transferFrom() at any time, immediately or weeks later, and an unlimited allowance lets them take everything you hold. The same outcome follows if a contract you legitimately approved turns out to be buggy or is taken over, which is why an old, forgotten approval is a risk even when you trusted the app when you granted it.
How To Protect Yourself From MetaMask Infinite Token Approval Exploits
- Always check the address and the amount of tokens you are approving before you confirm the transaction. MetaMask shows the spender address and the amount in the approval confirmation; compare the spender with the contract address the project publishes, not just with the name the website displays. Make sure you trust the project or app that is asking for your approval, and that you are on the correct website or app. Don't click on suspicious links or emails that claim to be from a legitimate project or app.
- Don't approve an unlimited amount of tokens unless you really need to. Some apps ask for an unlimited allowance for convenience or to save gas, but this also gives them the power to take all of your tokens at any time. If possible, approve only the amount you need for a specific transaction or activity, and revoke or reduce the allowance when you are done. Remember that an allowance lives in the token contract on-chain, not in MetaMask: revoking it is itself an approve() call that sets the allowance to zero, so it costs a small gas fee and only takes effect once that transaction is mined.
- Use tools that help you review, revoke, or adjust your token approvals. For example, Etherscan's Token Approval Checker lists every contract and token you have approved for an address, with the current allowance, and lets you revoke any that are unnecessary or unfamiliar. Review the list regularly: an approval granted months ago to a DApp you no longer use is still live and still a liability.
- Stay updated on the latest security news and alerts. For example, MetaMask published an explainer thread on the token approval feature.
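The first tip is easier to follow if you can read the raw transaction data MetaMask displays alongside an approval. The following JavaScript is an added example (not from the original article, MetaMask or Etherscan) that decodes approve(address,uint256) calldata into the spender and amount, flags an unlimited allowance, and builds the approve(spender, 0) call that a revoke amounts to. The sample calldata and the spender address 0x1111...1111 are constructed placeholders; the 0x095ea7b3 selector is the real one for approve(address,uint256).

```javascript
// Added example (not from the original article or from MetaMask): decode the raw
// calldata of an approve(address,uint256) call so the spender and the amount can
// be checked independently of whatever the website's UI claims. The sample
// calldata below and the spender address 0x1111...1111 are constructed placeholders.

const APPROVE_SELECTOR = '095ea7b3';          // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;        // the value DApps use to mean "unlimited"

// Parse "0x..." calldata into { spender, amount, unlimited }; throws if it is not a
// well-formed approve() call, so a different function cannot be mistaken for one.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, '');
  if (!/^[0-9a-f]*$/.test(hex)) throw new Error('calldata is not hex');
  if (hex.length !== 8 + 64 + 64) throw new Error(`unexpected calldata length ${hex.length}`);
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) throw new Error(`selector 0x${hex.slice(0, 8)} is not approve()`);

  const spenderWord = hex.slice(8, 72);
  // ABI encoding left-pads a 20-byte address with 12 zero bytes; anything else is malformed.
  if (!spenderWord.startsWith('0'.repeat(24))) throw new Error('address word has non-zero padding');
  const spender = '0x' + spenderWord.slice(24);
  const amount = BigInt('0x' + hex.slice(72, 136));
  return { spender, amount, unlimited: amount === MAX_UINT256 };
}

// Render a raw amount in whole tokens for a given `decimals` (18 for most ERC-20s).
function formatAmount(amount, decimals = 18) {
  if (amount === MAX_UINT256) return 'UNLIMITED (2^256 - 1)';
  const base = 10n ** BigInt(decimals);
  const whole = amount / base;
  const frac = (amount % base).toString().padStart(decimals, '0').replace(/0+$/, '');
  return frac ? `${whole}.${frac}` : `${whole}`;
}

// Build the calldata for approve(spender, amount). With amount = 0n this is exactly
// the transaction a "revoke" tool sends: it overwrites the allowance with zero.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, '');
  if (addr.length !== 40) throw new Error('spender must be a 20-byte address');
  return '0x' + APPROVE_SELECTOR + addr.padStart(64, '0') + BigInt(amount).toString(16).padStart(64, '0');
}

// Constructed sample: an unlimited approval to the placeholder spender 0x1111...1111.
const SAMPLE_UNLIMITED_APPROVAL =
  '0x095ea7b3' +
  '0000000000000000000000001111111111111111111111111111111111111111' +
  'f'.repeat(64);

// What a user should look at before clicking "Confirm".
function reviewApproval(calldata, decimals = 18) {
  const { spender, amount, unlimited } = decodeApprove(calldata);
  return {
    spender,
    amount: formatAmount(amount, decimals),
    unlimited,
    advice: unlimited
      ? 'Unlimited allowance: reject unless you fully trust this spender, or lower the amount to what this transaction needs.'
      : 'Bounded allowance: confirm the spender is the contract you intend to use.',
  };
}
```

Paste the hex data from MetaMask's confirmation into reviewApproval(); pass the token's decimals if they are not 18, otherwise the amount will be misread. The decoder deliberately rejects anything that is not a plain approve() call rather than guessing, since a transaction that does not match the expected shape is itself a reason to stop and look closer.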
By following these simple tips, you can sharply reduce your exposure to infinite token approval exploits while using MetaMask, and interact with web3 with far less to worry about.