
Token Approvals and Revocation: How Can Developers Make dApps Safer?

December 14, 2023 Eugene Potemsky No comments yet

As we track major hacks like those at Poloniex, Huobi (HTX), and KyberSwap, where millions of dollars were stolen, it’s important to note that smaller hacks occur daily, adding up to thousands each month. You can read about them on Twitter, in Discord, and in Telegram chats. These incidents often share a common thread — the victim unknowingly approved a token transfer and then forgot about it.

What is the approve function in the ERC-20 and ERC-721 token standards? What hidden dangers do token approvals present? How do hackers exploit them, and how can we mitigate the risks? We explain everything step by step.

What is the Approve Function?

Looking for a definition of token approvals, a.k.a. token allowances? Read on.

The first thing you should know is that your wallet doesn’t store your tokens. They are stored in their smart contracts. For instance, the LINK ERC-20 smart contract acts as a database, holding all the token owner addresses and their balances.

Transferring tokens to another address means invoking the token contract's transfer function. This updates its database by decreasing your balance by X tokens and increasing the recipient's balance by the same amount.

Other smart contracts can't call transfer on your behalf. When you want to provide liquidity or swap LINK for USDT, the DEX contract asks you for permission to move your tokens via the approval mechanism. Signing the approval request means you give one specific smart contract permission to spend up to a certain amount of your tokens at any later time (it does so by calling transferFrom); the signature is your consent.

So, what are token approvals? The Approve function is the backbone of automated decentralized finance, and, unfortunately, it’s also at the center of countless draining incidents. While legitimate contracts use token approvals to function as intended, malicious ones trick users into approving the withdrawal of all valuable tokens and NFTs, effectively draining the wallet.
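The approve/transferFrom bookkeeping described above, as an added model (not code from the article or from any real token contract): the token contract is the database, the allowance persists until the owner changes it, and the amount a later-compromised spender can move is bounded only by what was approved. The "unlimited allowance is never decremented" rule mirrors OpenZeppelin's ERC20 implementation; names such as `alice` and `dex` are constructed.

```python
MAX_UINT256 = 2**256 - 1  # an "unlimited" approval sets the allowance to this


class ERC20Ledger:
    """Model of the token contract's own database (constructed example)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        # Sent from the owner's wallet; approve(spender, 0) is a revoke.
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        # Called by the spender contract at any later time; the owner is not involved.
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        if allowed != MAX_UINT256:  # OpenZeppelin-style: unlimited is never decremented
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def max_loss_for(approved_amount, holding=10_000):
    """Tokens a later-compromised spender could move, given one approval.
    'Disconnecting' the wallet afterwards is a front-end action and changes nothing here."""
    ledger = ERC20Ledger({"alice": holding})
    ledger.approve("alice", "dex", approved_amount)
    movable = min(ledger.allowance("alice", "dex"), ledger.balances["alice"])
    if movable:
        ledger.transfer_from("dex", "alice", "attacker", movable)
    return ledger.balances.get("attacker", 0)


def spend_fails_after_revoke(holding=100):
    """True if approve(spender, 0) really blocks further transferFrom calls."""
    ledger = ERC20Ledger({"alice": holding})
    ledger.approve("alice", "dex", holding)
    ledger.approve("alice", "dex", 0)  # the revoke
    try:
        ledger.transfer_from("dex", "alice", "attacker", 1)
    except PermissionError:
        return True
    return False
```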

How Approval Function-Based Hacks Operate

Since 2020, over 100,000 addresses have fallen victim to Inferno drainer attacks, costing a total of $71 million. Most of these attacks used token approvals to drain the funds.

Certain incidents have gained notoriety; for example, an NFT collector known as StockEd lost $300,000 simply by clicking a malicious link, connecting their wallet, and signing an approval request.

There are three common vectors for such attacks:

  1. To trick the victim into connecting their wallet and signing the approval transaction, which then allows the attackers to drain the wallet.
  2. To hack a DeFi project that collected many signed approval transactions, then drain the connected wallets.
  3. To launch a real protocol with safe smart contracts, then upgrade the contracts to add draining functions and steal funds from connected wallets.

The attackers are getting creative at hiding the approval transactions. In StockEd's case, for example, the drainer placed the malicious transaction in MetaMask's queue and the victim signed it long after connecting the wallet to the scam website. In other cases, scammers deliberately ignore the ERCs designed to preview the proposed transaction in human-readable form instead of bytecode, so the user can't tell what exactly they are signing.

This is why revoking token approvals matters so much, and there are several ways to mitigate the risks of token approvals.


How Can Users Defend Their Funds?

Here you will find out how to revoke token approvals.

First, be careful with approval transactions. Always read the transaction you are ready to sign in your wallet. Metamask has become more secure with recent updates, including the introduction of malicious transaction detectors, but it’s still wise to read and verify everything yourself.

Second, learn how to use your wallet. Popular wallets, such as Binance Web3 Wallet, enable users to view and revoke current approvals as a precaution.

Third, there are specialized services for revoking approvals. For example, Revoke.cash is designed to view and manage current approvals. If you suspect that any protocol you use has been compromised, it's prudent to revoke its token approvals as a safety measure.

Fourth, you can manually edit transactions. If a dApp requests you to sign for unlimited approval, you have the option to modify the token quantity, permitting withdrawal of only the amount necessary for the transaction. Major protocols like Uniswap and Aave request limited approval, while new protocols are more likely to propose signing a dangerous unlimited one.

Fifth, be careful with dApps that use upgradable contracts. Those are contracts whose code can be changed by the developers later. Malicious developers can add code that exploits the unlimited allowances users gave them.

Sixth, create a separate wallet for working with fresh dApps to not put all of your holdings at risk. It’s a safety measure that helps protect your primary holdings by isolating them from potential risks associated with untested or less secure platforms.

How Can Developers Make their dApps Safer?

There are two main and two secondary steps for defense.

  1. Go for an independent security audit. Sometimes hackers can get unauthorized access to private functions and exploit granted approvals.
  2. Implement the limited approvals. Ensure the contract asks only for the quantity of tokens it will use, rather than requesting unlimited approval. Even if the contract administrator key gets compromised, at least the users’ losses will be limited.
  3. A rarely used but existing feature is a separate button to revoke all previously signed approvals. Many users don't know that disconnecting their wallet from the dApp won't cancel the approvals, and a dedicated button does the job.
  4. Freeze function — quite a radical method that goes against the decentralization and permissionless narrative. Tether added the Freeze function to its USDT contracts, so it can freeze stablecoins stolen from other protocols or transferred to the wrong addresses. The user can request that the transfer be reversed, and Tether will burn the lost USDT and then refund the user with freshly minted stablecoins minus a fee. Despite its usefulness, this token revocation approach is far from the principles of decentralization and can potentially scare users away from a new DeFi protocol.
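Steps 2 and 3 above, and the earlier advice to read the raw transaction before signing, come down to one ABI call. As an added example (not code from the article or from any wallet or dApp), this decodes the calldata a wallet shows before signing, flags an unlimited approval, and builds the `approve(spender, 0)` calldata a dApp's "revoke" button would ask the user's wallet to send. The 4-byte selectors are the standard ERC-20/ERC-721 ones; the spender address in the test is constructed.

```python
# Standard 4-byte selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",          # ERC-20 amount / ERC-721 tokenId
    "a22cb465": "setApprovalForAll(address,bool)",   # ERC-721/1155: whole collection
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
MAX_UINT256 = 2**256 - 1  # the value an "unlimited" approval carries


def decode_approval(calldata: str) -> dict:
    """Classify calldata the way a cautious user (or wallet) should before signing."""
    data = calldata.lower().removeprefix("0x")
    if len(data) < 8 or (len(data) - 8) % 64 != 0:
        raise ValueError("calldata is not a well-formed ABI call")
    selector, args = data[:8], data[8:]
    words = [args[i:i + 64] for i in range(0, len(args), 64)]  # 32-byte ABI words
    name = SELECTORS.get(selector, "unknown")
    if name.startswith("approve(") and len(words) == 2:
        spender, amount = "0x" + words[0][-40:], int(words[1], 16)  # address is right-aligned
        if amount == MAX_UINT256:
            risk = "unlimited approval"
        elif amount == 0:
            risk = "revocation"
        else:
            risk = "limited approval"
        return {"function": name, "spender": spender, "amount": amount, "risk": risk}
    if name.startswith("setApprovalForAll(") and len(words) == 2:
        approved = int(words[1], 16) != 0
        risk = "operator for entire collection" if approved else "operator revoked"
        return {"function": name, "spender": "0x" + words[0][-40:],
                "approved": approved, "risk": risk}
    return {"function": name, "risk": "not an approval"}


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount); a dApp requesting only what it needs passes that amount."""
    if not 0 <= amount <= MAX_UINT256:
        raise ValueError("amount out of uint256 range")
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40:
        raise ValueError("spender must be a 20-byte address")
    return "0x095ea7b3" + addr.rjust(64, "0") + format(amount, "064x")


def revoke_calldata(spender: str) -> str:
    """What the dApp's 'revoke' button submits for the user's wallet to sign."""
    return encode_approve(spender, 0)
```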

Conclusion

Although approval attacks are quite common, they remain largely unknown to the general public. This is a kind of attack that is very hard to cope with in code, as the hackers create their wallet drainers or hijack protocols to exploit the approvals.

Despite DeFi’s innovative tools and practices, navigating this space requires caution. The “approve” function, crucial for seamless token interactions, can be exploited by malicious actors if not understood. This article explored the “approve” function, its vulnerabilities, and user mitigation methods like transaction review and separate wallets for untested dApps.

The DeFi ecosystem evolution involves security innovations like independent audits and limited token approvals. However, striking a balance is key. The future of DeFi security likely involves innovative off-chain solutions and a more user-friendly experience. Stay informed and leverage Dexola’s resources to navigate DeFi securely.

At Dexola we believe that with thorough audits, best practices for token approvals, and limited approval mechanisms, we can make DeFi safer. By continuously educating users about potential risks, we can increase awareness of unlimited approvals and leave hackers without their 'bread and butter'.

Want to know how Dexola can help you hire smart contract developers and run the technical discovery phase in Web3? Contact us today.
