Token Approvals

Learn about what token approvals are, why they are needed, and how leaving them unmanaged could potentially be dangerous.

GetBigOrDie | 14 min read

Self-custody of funds is a scary reality one must come to terms with if they wish to dabble in the world of cryptocurrency. Realizing that you must give contracts permission to access and move your funds may be even scarier for new users. Common sense, together with knowledge and an understanding of how things work, is your best defense against losing some or all of your funds, whether through malice or your own mistake. In this article we will cover one of the most important aspects of interacting with decentralized applications: token approvals. We will cover what they are, their function, and the potential risks associated with them, and end with how to mitigate these risks by managing your outstanding approvals and setting a custom spend amount.

What is a Token Approval?

If you have tried to do any staking or swapped tokens on a DEX (decentralized exchange), you may have already experienced the need to send a token approval transaction. So what exactly was this transaction? When you send an approval transaction, you are granting the smart contract permission to move a certain type of asset (USDC, UNI, WETH, etc.) on your behalf. Think of it this way: when you perform a swap, you are not sending your tokens to the contract; rather, the contract reaches into your wallet and takes the required number of those tokens to spend on your behalf.

What is the purpose of them?

At the time of writing, almost every token you swap for on Ethereum will be an ERC20 token. Built into the ERC20 standard is an ‘approve’ function, which sets the ‘allowance’ (number of tokens) that the ‘spender’ (in our example, the smart contract of the decentralized exchange) can spend on behalf of the ‘owner’ (your wallet address). The purpose is this: since the smart contract does not hold the tokens on your behalf, it cannot perform a swap unless you explicitly give it permission to access the token in your wallet. Approvals also act as a bit of security in two ways. Firstly, with no approval the smart contract cannot access any tokens from your wallet — I’m sure you can see how it would be plain idiotic if every address had access to every other address’s assets. More importantly, you, the owner, can set the allowance (amount of the token) that the smart contract is allowed to spend at the time of the token approval transaction. We will cover how you do this a bit further into the article.

Disclaimer: Moving forward I will be showing these processes using MetaMask. If you are not using MetaMask, don’t worry as this will be standard across all wallets but the user interface will look different from what I have shown.

Sending a Token Approval Transaction

For our example we will be swapping some DAI on Curve’s exchange. We will try to swap some DAI to USDC, so let’s look at the approval transaction MetaMask presents us with below. I have numbered the sections we will focus on for now.

Figure 1

Figure 2
  1. This is the URL of the site you are interacting with. Always ensure that this URL is correct, and not for example something like curve.fi.com. It is easy to bookmark the sites you trust, but a glance at this could save you from a malicious contract, if ever the front end has been compromised.
  2. Ensure this is the token you plan on using, in case you were switching tokens around on the user interface, or may have mistakenly initiated a transaction for another token. Remember MetaMask transactions will sit in the background until you either select to submit the transaction or press reject.
  3. This is the address of the smart contract you will be giving permission to. It’s good practice to click the explore button next to the address and check to see it is an official Curve contract. You can also see the recent transactions, which for an exchange like Curve will be plenty and often.
  4. This is where you will go to edit the ‘allowance’ of the approval transaction. We will cover this in depth later in this article.
  5. This link will also bring you to the edit allowance page, like number 4 above.
  6. This field shows you the default ‘allowance’ amount that you are permitting the contract to spend on your behalf. Be aware that how much of a token you own has no bearing on the approval transaction. Notice how the allowance the contract is requesting is by default very large, even if we only have 500 DAI we can give the contract permission to spend up to what is basically infinity.
  7. This is the contract we are granting the permission to, same as field 3.
  8. Here under the data field, we can see which function is being called in the transaction, in our example it says approve, showing this is an approval transaction.
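The data field from item 8 can be checked independently of the wallet's display. The following is an added example, not part of the original article: it decodes approve() calldata and compares the allowance with the amount you intend to spend. The function names are hypothetical, the spender is a constructed placeholder address, and 18 decimals (as used by DAI) is assumed.

```python
# Added example: decode the hex 'data' field of an ERC-20 approve() transaction.
APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1        # the largest possible allowance: an infinite approval


def encode_approve(spender, raw_amount):
    """Build approve() calldata; used here only to construct the sample inputs."""
    return ("0x" + APPROVE_SELECTOR
            + spender[2:].lower().rjust(64, "0")
            + format(raw_amount, "064x"))


def decode_approve(calldata, intended_tokens, decimals=18):
    """Decode approve() calldata and compare it with the amount you mean to spend."""
    data = calldata[2:] if calldata.startswith("0x") else calldata
    data = data.lower()
    if len(data) != 8 + 64 + 64:
        raise ValueError("approve() calldata is exactly 4 + 32 + 32 bytes")
    if data[:8] != APPROVE_SELECTOR:
        raise ValueError("selector 0x%s is not approve(address,uint256)" % data[:8])
    if data[8:32].strip("0"):
        raise ValueError("spender word has non-zero padding")
    spender = "0x" + data[32:72]            # last 20 bytes of the first argument
    raw = int(data[72:], 16)                # allowance in the token's smallest unit
    intended_raw = intended_tokens * 10**decimals
    if raw == 0:
        verdict = "revoke"
    elif raw == MAX_UINT256:
        verdict = "unlimited"
    elif raw > intended_raw:
        verdict = "more than intended"
    else:
        verdict = "within intended amount"
    return {"spender": spender, "raw_amount": raw, "verdict": verdict}


# Constructed sample inputs: the spender is a placeholder, not a real contract.
SPENDER = "0x" + "ab" * 20
DEFAULT_REQUEST = encode_approve(SPENDER, MAX_UINT256)   # default infinite approval
CUSTOM_REQUEST = encode_approve(SPENDER, 500 * 10**18)   # 500 DAI custom spend limit

if __name__ == "__main__":
    for name, tx in (("default", DEFAULT_REQUEST), ("custom", CUSTOM_REQUEST)):
        print(name, decode_approve(tx, intended_tokens=500))
```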

Manually Setting the Allowance Amount

Above we see that by default the contract will get permission to spend a massive amount of DAI. This is what’s known as an infinite approval. It means that each time you navigate over to Curve to swap DAI you will not need to send another approval, as the contract already has approval for this huge amount. At the time of our example, the approval transaction would have cost up to $5.88 to send. If you are doing large quantities of swaps, the infinite approval could save you money on gas fees, but unless it’s a contract you have great trust in and nothing goes wrong, infinite approvals could be problematic. This is especially true as time goes on and you accumulate infinite approvals granted to many contracts, some of which you may only use once. This is where manually setting the allowance will come in to save you.

Let’s go over manually setting an approval limit using Figure 3 below.

Figure 3

After initiating the swap on Curve, you will be presented with the MetaMask transaction screen as shown in Figures 1 and 2. To set the token allowance manually, you will need to click either the ‘edit permission’ link depicted by number 4 in Figure 1 or the ‘edit’ link depicted by number 5 in Figure 2. Remember, both of these take you to the same page, so you may click either one.

You will then be presented with the page shown in Figure 3. Let’s go through this page from top to bottom. We see by the title that this is the ‘Edit Permission’ page. Below that it shows us which MetaMask wallet we are currently using, which may be helpful if you have generated more than 1 wallet and switch between them. To the right of the wallet name, it shows us the current balance of the token we are attempting to spend. The next section tells us that this transaction will give Curve permission to withdraw and spend the following amount, which we will decide below.

When you enter this screen, by default the first option, labeled ‘Proposed Approval Limit’, will be selected. Notice how the value Curve is requesting has 59 decimal places. We certainly don’t need that amount, and as good practice we should not give every contract we interact with endless access to our tokens. To set the custom spend limit, check the radio button that says ‘Custom Spend Limit’, then enter the amount you are swapping. In this example I wish to swap 500 DAI, so I have entered 500 into the input box. This ensures that Curve can only withdraw and spend 500 DAI and no more. After that, hit the save button and you will be returned to the transaction screen, from where you can send off the transaction. That is how you set a custom spend limit whenever you are presented with a token approval transaction.

Managing Your Outstanding Token Approvals

Once you have spent some time in crypto, you will inevitably have outstanding token approvals to many contracts, especially if you were not setting limits from the beginning. Here we will cover how to easily view and remove these approvals. It’s good practice to remove old approvals from contracts you may not use often.

Etherscan is a very helpful tool for viewing on-chain activity: you can view balances, transactions, contracts, etc. They also have a tool for viewing any approvals tied to an account/address. To view your outstanding approvals, you will want to navigate over to etherscan.io/tokenapprovalchecker. I’ve included the link here for you, but as with anything crypto, especially when connecting your wallet, ensure you are on the legitimate page and you trust the source.

Figure 4

Connecting: Upon navigating to the link, at the top of the page you will see what I have attached as figure 4. You can either search by wallet address, or you can choose to Connect to Web3, by the button below the search bar. I prefer to view my approvals by connecting to web3 as if there are any approvals I want to remove, I can then initiate the removal transaction right from this page. You will need to connect this way if you wish to remove any approvals and not only view them.

Figure 5

At Risk: After connecting your wallet, Etherscan will add up your approvals and show you what amount of your current funds or NFTs are at risk. The term ‘at risk’ is used because the contracts currently have permission to remove funds from your wallet, meaning if the contract was somehow compromised and initiated a withdrawal from your wallet, those funds could be taken without you knowing about it. You would only find out after checking your balance or transactions with your wallet on Etherscan. Note: The at risk value you see is just based on your wallet’s current contents at the time. So if you have an infinite approval to Curve for DAI and have 100 DAI in your wallet, your at risk value will be shown as 100 even though theoretically it is infinite. The at risk value will then increase as more DAI is added to the wallet.

Figure 6

Revoking: Revoking approvals through this tool is nice and simple. Referring to Figure 6, Etherscan lays out the important information regarding our approvals. First they show you the token the approval is for; in my example we see the approval is for Wrapped Ether (WETH). The next column shows the contract the approval was granted to; in Figure 6 we see it was given to Uniswap V3: Router 2. Sometimes the contract name is not as descriptive, so you can click on the contract and it will take you to the contract page itself. The last piece of information presented is the amount the approval was for. We see that this approval was for unlimited WETH. If the approval was not for an infinite amount, the amount would be shown there instead of ‘unlimited’. This approval grants permission to Uniswap V3 to access all the WETH in my wallet at any given time, for the rest of time or until the permission is revoked. To revoke this permission, it is as simple as clicking the revoke button to the right of the shown approval. MetaMask will then pop up with the permission removal transaction. Just accept the transaction and the permission will be removed once the transaction has been confirmed on chain.
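The allowance behaviour described across the sections above (infinite approval versus a custom spend limit, the at-risk figure, and revoking) can be traced in a small in-memory model. This is an added example, not code from the article, Etherscan or any token contract: the class, addresses and amounts are hypothetical, and revoking is modelled as setting the allowance to 0.

```python
# Added example: in-memory model of ERC-20 allowances (illustration, not contract code).
MAX_UINT256 = 2**256 - 1


class TokenLedger:
    def __init__(self):
        self.balance = {}      # address -> token balance
        self.allowance = {}    # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        """Owner sets (overwrites) what spender may pull; amount 0 revokes."""
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        """Spender pulls tokens from owner, limited by allowance and balance."""
        allowed = self.allowance.get((owner, spender), 0)
        if amount > allowed:
            raise PermissionError("amount exceeds allowance")
        if amount > self.balance.get(owner, 0):
            raise ValueError("amount exceeds balance")
        self.allowance[(owner, spender)] = allowed - amount
        self.balance[owner] -= amount
        self.balance[to] = self.balance.get(to, 0) + amount

    def at_risk(self, owner, spender):
        """Tokens the spender could move right now: min(balance, allowance)."""
        return min(self.balance.get(owner, 0),
                   self.allowance.get((owner, spender), 0))


def scenario(approval, swap=500, later_deposit=1000):
    """Approve, swap once, receive more tokens later; return at-risk per step."""
    dai = TokenLedger()
    dai.balance["wallet"] = swap
    dai.approve("wallet", "dex", approval)
    before = dai.at_risk("wallet", "dex")
    dai.transfer_from("dex", "wallet", "pool", swap)   # the swap itself
    dai.balance["wallet"] += later_deposit             # funds arrive later
    after_deposit = dai.at_risk("wallet", "dex")
    dai.approve("wallet", "dex", 0)                    # revoke
    return before, after_deposit, dai.at_risk("wallet", "dex")


if __name__ == "__main__":
    print("infinite approval:", scenario(MAX_UINT256))  # (500, 1000, 0)
    print("custom limit 500: ", scenario(500))          # (500, 0, 0)
```

With the infinite approval, tokens that arrive after the swap are exposed until the approval is revoked; with the 500 limit, the allowance is used up by the swap itself.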

Figure 7

*Important Note* By default, this Etherscan tool will only show approvals for tokens which you currently have a balance greater than zero for. Be sure to find the toggle button from Figure 7 above, on the upper right hand corner of the token approvals page to see all your current outstanding token approvals. Otherwise you may miss some outstanding infinite approvals or old approvals if you don’t currently have the token in the wallet.

Mitigating Risk

Doing anything on chain will more likely than not require you to grant token approvals, and lots of them. This does pose a risk to your funds, especially if dealing with more ‘sketchy’ contracts. But you do not need to expose all your funds, all the time, to these contracts. By now you probably see the 2 major things we can do to lessen the risk. The first is to only grant permission for the amount you intend to swap. If you want to swap 500 of a stable coin, or swap for 5 ETH worth of a token, then set those custom values; it only takes a couple of seconds. The second is to stay on top of your approvals. Time passes and we forget, but it’s good practice to periodically check and remove any approvals you may not need anymore, especially if they were for the default infinite amount. To get started in crypto, there is much to learn and even more you must learn to keep yourself safe. This may seem daunting at first but will quickly become second nature the more time you spend here. In the case of a black swan event, by following these steps you can feel relief knowing you took the necessary precautions instead of the dread of checking if your funds are safe.



Any views expressed in the below are the personal views of the author and should not form the basis for making investment decisions, nor be construed as a recommendation or advice to engage in investment transactions. As always, please do your own research. This is not financial advice. Every strategy is not for everyone. Each investor needs to understand what is right for them.

