CryptoKeySafe Blog | DeFi Security | April 2026 | 8 min read

Token Approvals Are a Silent Liability. Here's How to Fix Them.

Every DeFi interaction you've done has left behind permissions that still exist today. The Badger DAO exploit drained $120 million not by breaking encryption, but by exploiting unlimited token approvals. Here's how to see and revoke your current approvals.

In December 2021, the Badger DAO protocol was exploited for approximately $120 million. The attacker didn't break any encryption or guess any private keys. They injected a malicious script into the Badger frontend that prompted users to approve unlimited token spending. Users who had granted the malicious contract an approval had their funds drained automatically. The root problem wasn't the hack itself - it was that users had given unlimited, permanent approvals to contracts they no longer monitored.

This is the token approval problem. Every DeFi interaction you've ever done has left behind permissions that still exist today. If any of those contracts get exploited, your funds are at risk even if you stopped using the protocol years ago.

What a Token Approval Actually Is

The ERC-20 token standard (the technical specification most Ethereum tokens follow) includes a function called approve(). When you call this function, you're telling a smart contract that it has permission to move a certain amount of your tokens on your behalf.

When you use a DEX like Uniswap, you're not sending tokens directly to Uniswap. Instead, you first approve Uniswap's contract to access your tokens, then Uniswap's contract moves them according to the swap you requested. The approval is a separate on-chain transaction from the actual swap.

Here's where it gets dangerous: most protocols ask for an unlimited approval by default. Instead of approving exactly the amount you need for this specific transaction, they ask for type(uint256).max, the largest value the amount field can hold, which is effectively infinite. That is more convenient for users who make repeated transactions without re-approving every time, but it means the contract has permanent, unlimited access to that token in your wallet until you explicitly revoke it.

The Approval Persists After You Stop Using the Protocol

If you used a DeFi protocol in 2022 and gave it an unlimited approval, that approval is still active today unless you revoked it. If the protocol's contract is later exploited or the team turns malicious, anyone who can execute that contract can drain every token you approved.

Real Exploits That Used Approval Mechanics

The Badger DAO exploit is the clearest example, but it's not the only one.

In a frontend compromise attack, an attacker gains access to a protocol's website and injects malicious JavaScript. When users visit the site, they're shown a transaction to approve. The transaction looks legitimate but actually grants approval to the attacker's contract. If users don't carefully read what they're signing, they approve the malicious contract and later find their tokens drained.

In a contract upgrade exploit, a protocol with upgradeable contracts (where admin keys can change the contract code) gets compromised. The attacker upgrades the contract to one that drains all approved tokens. Anyone who gave the original contract an unlimited approval now has those funds taken.

Approval phishing is increasingly common. Users receive fake emails, Discord messages, or social media posts directing them to “claim” tokens or participate in a new airdrop. The link goes to a phishing site that prompts an unlimited approval to an attacker's contract.

How to See Your Current Approvals

Most people have no idea how many active approvals they have. If you've used DeFi for any length of time, the number is probably more than you'd expect.

Revoke.cash

Revoke.cash is the most widely used free tool for viewing and revoking token approvals. It was built by Rosco Kalis and has been operating since 2020. Connect your wallet address (read-only - Revoke.cash doesn't need signing permission just to show you your approvals), and it displays every active approval across Ethereum and over 100 other EVM chains including Polygon, Arbitrum, Optimism, Base, and BNB Chain.

The dashboard shows you:

  • Which contracts you've approved to spend your tokens
  • How much they're approved for (the specific amount or “unlimited”)
  • When the approval was last used
  • Whether the approved contract has been flagged as malicious

Revoking an approval costs a small amount of gas. On Ethereum mainnet this can range from a few dollars to more during high-traffic periods. On L2 networks like Arbitrum or Base, revocations cost fractions of a cent.

Other Tools

Etherscan also has a Token Approval Checker at etherscan.io/tokenapprovalchecker. It's more basic than Revoke.cash but doesn't require connecting a wallet - you can just enter any address and see its approvals. DeBank (debank.com) shows approvals alongside your portfolio and protocol positions, which is useful for seeing context around what you're revoking.

How to Revoke Approvals: Step by Step

Step 1: Go to revoke.cash

Visit revoke.cash in your browser. Make sure the URL is exactly revoke.cash - there are phishing copies of this site. The real site has no ads and never asks you to enter your seed phrase.

Step 2: Connect your wallet or enter your address

You can connect your wallet to enable revocations, or just enter your wallet address in read-only mode to see what approvals exist without connecting anything.

Step 3: Select the chain

Use the chain selector to switch between networks. Check Ethereum mainnet first, then any other chains you've used (Arbitrum, Polygon, Base, etc.).

Step 4: Review the approval list

Look for unlimited approvals (shown as “Unlimited” in the amount column) and approvals to contracts you no longer use. Revoke.cash flags known malicious contracts in red.

Step 5: Revoke what you don't need

Click the revoke button next to each approval you want to remove. Each revocation is a separate on-chain transaction that costs gas. Confirm in your wallet. On L2 networks, you can batch multiple revocations quickly for very low cost.

What to Prioritize Revoking

If you have dozens of approvals and want to prioritize, start with these:

  • Unlimited approvals to contracts you haven't used in over 6 months
  • Any approval Revoke.cash has flagged as high risk or malicious
  • Approvals for tokens where you hold significant value
  • Approvals to protocols that have had security incidents
  • Any approval you don't recognize or can't remember granting

Active approvals to protocols you use regularly (like Uniswap for frequent traders) make sense to keep, but consider reducing the approval amount from “unlimited” to a specific amount you'd actually use.

Preventing the Problem Going Forward

Several wallet interfaces now let you set exact approval amounts instead of accepting the default unlimited approval. When a DeFi protocol prompts an approval, look for an “edit” or “custom” option in your wallet's approval screen.

MetaMask added a feature called “Set spending cap” that lets you enter a specific token amount when approving. If you're swapping 100 USDC, approve exactly 100 USDC rather than unlimited. The next time you use that protocol, you'll need to approve again, which adds a small amount of friction but eliminates the unlimited exposure.

The Rabby wallet (rabby.io) is designed with approval safety in mind. It shows you the risk implications of every transaction before you sign and automatically suggests exact amounts rather than unlimited approvals. Many DeFi-active users have switched from MetaMask to Rabby specifically because of this.

Set a Monthly Revocation Habit

The best time to revoke approvals is before a protocol gets exploited, not after. Set a calendar reminder once a month to check revoke.cash across your active chains. It takes about 5 minutes and eliminates a category of risk that has cost the DeFi space hundreds of millions of dollars.

NFT Approvals Work the Same Way

ERC-721 and ERC-1155 tokens (NFTs) have their own approval mechanism. When you list an NFT on OpenSea, you approve OpenSea's contract to transfer that NFT on your behalf. This is how NFT marketplaces work. But setApprovalForAll approves a contract to move every NFT in your wallet from a given collection, not just one specific token.

OpenSea phishing attacks have exploited this repeatedly. Attackers send fake emails or Discord messages about NFT drops that prompt victims to sign a setApprovalForAll transaction. Once signed, the attacker can transfer all NFTs in that collection. Revoke.cash handles NFT approvals too, shown in a separate section of the dashboard.
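As an added example (not code from the original post, Revoke.cash or any wallet), the JavaScript below encodes and decodes the two approval calls discussed in this post, ERC-20 approve() and ERC-721/1155 setApprovalForAll(): it shows what an unlimited approval, a spending cap of 100 USDC and a revocation each look like as raw calldata, and it decodes calldata a dapp asks you to sign so you can see the spender and amount before confirming. The addresses used are constructed placeholders, and the threshold for reporting an amount as "unlimited" is an assumption of this example.

```javascript
// Added example, not from the original post: encode and decode the calldata of the two
// approval calls discussed above. Pure JavaScript, no network; addresses are placeholders.
const UINT256_MAX = (1n << 256n) - 1n;       // type(uint256).max, the "unlimited" amount
const SEL_APPROVE = "095ea7b3";               // selector of approve(address,uint256)
const SEL_SET_APPROVAL_FOR_ALL = "a22cb465";  // selector of setApprovalForAll(address,bool)

// ABI-encode one 32-byte word from a BigInt or a 0x-prefixed 20-byte address.
function word(value) {
  const hex = typeof value === "bigint" ? value.toString(16) : value.replace(/^0x/, "");
  return hex.toLowerCase().padStart(64, "0");
}

// Calldata for approve(spender, amount); amount 0n is exactly what a revocation sends.
function encodeApprove(spender, amount) {
  return "0x" + SEL_APPROVE + word(spender) + word(amount);
}

// Calldata for setApprovalForAll(operator, approved); approved=false revokes the operator.
function encodeSetApprovalForAll(operator, approved) {
  return "0x" + SEL_SET_APPROVAL_FOR_ALL + word(operator) + word(approved ? 1n : 0n);
}

// Human amount to token base units: toUnits("100", 6) -> 100000000n for 100 USDC.
function toUnits(amount, decimals) {
  const [whole, frac = ""] = String(amount).split(".");
  return BigInt(whole + frac.padEnd(decimals, "0").slice(0, decimals));
}

// Decode calldata a dapp asks you to sign and report what it grants. Amounts above
// 2^255 are reported as unlimited (a heuristic chosen for this example, not a standard).
function inspectApproval(calldata) {
  const hex = calldata.replace(/^0x/, "").toLowerCase();
  const selector = hex.slice(0, 8);
  const arg = (i) => hex.slice(8 + 64 * i, 8 + 64 * (i + 1));   // i-th 32-byte argument
  const addr = (i) => "0x" + arg(i).slice(24);                   // last 20 bytes of the word
  if (selector === SEL_APPROVE && hex.length === 136) {
    const amount = BigInt("0x" + arg(1));
    return { kind: "erc20-approve", spender: addr(0), amount,
             unlimited: amount > (1n << 255n), revocation: amount === 0n };
  }
  if (selector === SEL_SET_APPROVAL_FOR_ALL && hex.length === 136) {
    const approved = BigInt("0x" + arg(1)) === 1n;
    return { kind: "nft-approval-for-all", operator: addr(0), approved, revocation: !approved };
  }
  return { kind: "unknown", selector };   // anything else: do not assume it is harmless
}
```

Paste the hex data field from a wallet's transaction details into inspectApproval() to see whether a prompt grants a capped amount, an unlimited amount, or operator rights over a whole NFT collection.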