
What is a malicious token approval?


In our What is a token approval? article, we discussed how token approvals work. Essentially, they are among the most common types of transactions you will encounter, granting a dapp permission to access and move specific tokens from your wallet.

While these are necessary for many reputable dapps, it’s important to exercise caution—malicious token approvals tend to be a common attack vector for scams.

A malicious token approval involves giving a bad dapp or smart contract excessive or dangerous permissions, which often leads to your tokens being spent or moved without your authorization. You typically grant these approvals without realizing it: malicious actors (scammers) engineer them to exploit users’ trust or their lack of understanding of the approval process.

In many cases, the malicious approval involves granting unlimited token access, which allows the dapp to spend all your tokens, making it easier for scammers to drain your account.

As we covered in this blog:

“Access requests from dapps can vary from specific, limited quantities right through to being completely uncapped, where the smart contract can draw as much as it wants from your wallet. Fundamentally, unlimited access is not a problem or red flag in itself – many reputable platforms such as major DEXs do this in order to spare you the pain of frequently re-approving if you use the dapp regularly. The problem comes with dapps that request unlimited access to your token(s) with the express intention of stealing.”

It’s important to research the dapp’s credentials and know it’s trustworthy before granting access to all your tokens.

How to avoid malicious token approvals

Scammers tend to give themselves away in several ways, and you can avoid harm by learning their telltale signs:

  • Urgent demands: Using time pressure to create urgency with deadlines or cut-off dates
  • FOMO: Promising unrealistic returns, airdrops, or allowlisting
  • Impersonation: Mimicking well-known protocols, projects, and people
  • Rough around the edges: Poor grammar, web design, or unprofessional branding generally
  • Unexpected messaging: Requests for money, excessive enthusiasm, and desperation for your involvement
Warning

Always remember: if something seems too good to be true, it probably is.

How to remove a malicious token request

If you believe you’ve approved a malicious token request, act quickly to revoke access. There’s not much you can do if your wallet is already drained, unfortunately, but if you catch it in time, you may be able to prevent further damage.

You can revoke access directly in MetaMask Portfolio, where you can review your existing approvals and revoke any you no longer want:



Tip

For more information on using other platforms to revoke access, refer to this article. It’s good wallet hygiene in general to regularly check your approvals and revoke any that are unnecessary or potentially harmful.
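The two things this article describes, an approval that grants unlimited access and a revocation that takes it back, are both ordinary calls to the token's `approve(spender, amount)` function: "unlimited" means the amount is the largest value a `uint256` can hold, and "revoke" means the amount is zero. The following is an added example, not MetaMask's or MetaMask Portfolio's code, showing how a wallet or a cautious user can decode the calldata of an `approve` transaction before signing it, classify the amount against the balance they actually hold, and build the zero-amount calldata that revokes an earlier approval. It assumes the standard ERC-20 `approve(address,uint256)` signature (selector `0x095ea7b3`); the spender address and balance are constructed sample values.

```javascript
// Added example (not MetaMask's code): decode an ERC-20 approve() call,
// flag unlimited allowances, and build the calldata that revokes them.
// Assumes the standard ERC-20 ABI: approve(address spender, uint256 amount).

const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;  // the "unlimited" amount most dapps request

// Left-pad a hex string (with or without 0x) to one 32-byte ABI word.
function padWord(hex) {
  return hex.replace(/^0x/i, "").toLowerCase().padStart(64, "0");
}

// Decode the calldata of an approve() transaction into { spender, amount }.
// Returns null if the data is not a well-formed approve call.
function decodeApprove(calldata) {
  const data = String(calldata).toLowerCase();
  // selector (8 hex chars) + spender word (64) + amount word (64), plus "0x"
  if (!/^0x[0-9a-f]+$/.test(data) || data.length !== 138) return null;
  if (!data.startsWith(APPROVE_SELECTOR)) return null;
  const spenderWord = data.slice(10, 74);
  const amountWord = data.slice(74, 138);
  // An address occupies the low 20 bytes of its word; the upper 12 bytes must be zero.
  if (!/^0{24}[0-9a-f]{40}$/.test(spenderWord)) return null;
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + amountWord),
  };
}

// Classify a decoded approval relative to the balance you hold (a BigInt in
// the token's smallest unit). Some dapps request huge-but-not-max amounts, so
// anything above your balance is flagged too, not only the exact maximum.
function classifyApproval(decoded, balance) {
  if (decoded.amount === 0n) return "revocation";
  if (decoded.amount === MAX_UINT256) return "unlimited";
  if (decoded.amount > balance) return "exceeds-balance";
  return "limited";
}

// Build approve(spender, amount) calldata. Validates the inputs so a typo
// cannot silently turn into an approval for the wrong address or amount.
function encodeApprove(spender, amount) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(spender)) throw new Error("spender is not a 20-byte address");
  if (typeof amount !== "bigint" || amount < 0n || amount > MAX_UINT256) {
    throw new Error("amount must be a BigInt in [0, 2^256-1]");
  }
  return APPROVE_SELECTOR + padWord(spender) + padWord(amount.toString(16));
}

// Revoking is just approve(spender, 0): the allowance drops to nothing.
function encodeRevoke(spender) {
  return encodeApprove(spender, 0n);
}

// Constructed sample: an unlimited approval to a placeholder spender address.
const SAMPLE_SPENDER = "0x1111111111111111111111111111111111111111"; // constructed
const SAMPLE_BALANCE = 5n * 10n ** 18n;                              // constructed: 5 tokens at 18 decimals
const SAMPLE_CALLDATA = encodeApprove(SAMPLE_SPENDER, MAX_UINT256);

const decoded = decodeApprove(SAMPLE_CALLDATA);
console.log("approval type:", classifyApproval(decoded, SAMPLE_BALANCE)); // unlimited
console.log("revoke calldata:", encodeRevoke(SAMPLE_SPENDER));
```

Signing the output of `encodeRevoke` as a transaction to the token contract is what "revoke" buttons in MetaMask Portfolio and similar tools do under the hood; the classification step is the check worth running on any approval request before you confirm it.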

Malicious token approvals are a significant risk in web3, but with the right knowledge and tools, you can protect your assets. Always be vigilant when interacting with dapps, double-check permissions, and regularly review your token approvals to ensure your security.