What is a malicious token approval?
In our What is a token approval? article, we discussed how token approvals work. Essentially, they are among the most common types of transactions you will encounter: an approval grants a dapp's smart contract permission to move a specified amount of a specific token out of your wallet on your behalf, and that permission persists until you change or revoke it.
While these are necessary for many reputable dapps, it's important to exercise caution: malicious token approvals are a common attack vector for scams.
A malicious token approval is one that gives a bad dapp or smart contract excessive or dangerous permissions, leading to your tokens being spent or moved without your consent. You typically grant such an approval without realising what it allows, because scammers engineer the request to exploit users' trust or lack of understanding of the approval process.
In many cases, the malicious approval grants unlimited access: an allowance set to the maximum value the token contract accepts, which lets the approved contract transfer your entire balance of that token at any time, now or later, without any further confirmation from you. That is what makes it easy for scammers to drain your account.
As we covered in this blog:
"Access requests from dapps can vary from specific, limited quantities right through to being completely uncapped, where the smart contract can draw as much as it wants from your wallet. Fundamentally, unlimited access is not a problem or red flag in itself — many reputable platforms such as major DEXs do this in order to spare you the pain of frequently re-approving if you use the dapp regularly. The problem comes with dapps that request unlimited access to your token(s) with the express intention of stealing."
It's important to research the dapp's credentials and know it's trustworthy before granting unlimited access to any of your tokens. If you only need the dapp to move a fixed amount, lower the allowance to that amount when your wallet asks you to confirm the approval, rather than accepting the uncapped default.
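To make the difference between a limited and an unlimited approval concrete, here is an added example (not code from the MetaMask article or from MetaMask itself) that decodes the calldata of an approval request and classifies it. It assumes only the standard ERC-20 `approve`/`increaseAllowance` and ERC-721/ERC-1155 `setApprovalForAll` function selectors; the spender address and all sample calldata are constructed for the example, and the optional `totalSupply` argument is a hypothetical input you would fetch from the token contract in practice.

```javascript
// Added example: classify what an approval transaction actually grants.
// Works on raw calldata, so it needs no RPC connection to run.

const UINT256_MAX = (1n << 256n) - 1n; // the "unlimited" value most dapps request

// 4-byte selectors = first four bytes of keccak256(signature); standard ABI values.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0x39509351": "increaseAllowance(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
};

// Left-pad a hex value (with or without 0x) to one 32-byte ABI word.
function pad32(hex) {
  return hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
}

// i-th 32-byte argument word after the selector.
function word(data, i) {
  const start = 8 + i * 64;
  const w = data.slice(start, start + 64);
  if (w.length !== 64) throw new Error("calldata too short for ABI word " + i);
  return w;
}

// Returns { selector, fn, spender, amount|approved, kind } where kind is one of
// "unlimited", "limited", "revoke", "no-op" or "not-an-approval".
// opts.totalSupply (BigInt, optional): any allowance >= total supply is treated
// as unlimited too, since some dapps request 2^96-1 or similar instead of 2^256-1.
function decodeApproval(calldata, opts = {}) {
  const data = calldata.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(data) || data.length < 8) throw new Error("not hex calldata");
  const selector = "0x" + data.slice(0, 8);
  const fn = SELECTORS[selector];
  if (!fn) return { selector, fn: null, kind: "not-an-approval" };

  // First argument: spender/operator address, right-aligned in its word.
  const w0 = word(data, 0);
  if (!/^0{24}/.test(w0)) throw new Error("malformed address word");
  const spender = "0x" + w0.slice(24);
  const value = BigInt("0x" + word(data, 1));

  if (fn.startsWith("setApprovalForAll")) {
    // A boolean over the whole collection: every NFT you hold, or nothing.
    const approved = value === 1n;
    return { selector, fn, spender, approved, kind: approved ? "unlimited" : "revoke" };
  }

  let kind = "limited";
  if (value === 0n) {
    kind = fn.startsWith("approve") ? "revoke" : "no-op";
  } else if (value === UINT256_MAX || (opts.totalSupply !== undefined && value >= opts.totalSupply)) {
    kind = "unlimited";
  }
  return { selector, fn, spender, amount: value, kind };
}

// A revoke is the same permission set back to zero:
// approve(spender, 0) for ERC-20 (also the way to undo increaseAllowance),
// setApprovalForAll(operator, false) for NFT collections.
function encodeRevoke(decoded) {
  if (!decoded.fn) throw new Error("nothing to revoke");
  const sel = decoded.fn.startsWith("setApprovalForAll") ? "0xa22cb465" : "0x095ea7b3";
  return sel + pad32(decoded.spender) + pad32("0");
}

// Constructed sample inputs; the spender is a placeholder, not a real contract.
const SPENDER = "0x1111111111111111111111111111111111111111";
const SAMPLES = {
  unlimited: "0x095ea7b3" + pad32(SPENDER) + "f".repeat(64),
  limited: "0x095ea7b3" + pad32(SPENDER) + pad32((100n * 10n ** 18n).toString(16)),
  nft: "0xa22cb465" + pad32(SPENDER) + pad32("1"),
  transfer: "0xa9059cbb" + pad32(SPENDER) + pad32("1"), // transfer(address,uint256), not an approval
};

for (const [name, calldata] of Object.entries(SAMPLES)) {
  console.log(name, decodeApproval(calldata));
}
```

When a wallet shows you an approval prompt, the spender address and the amount word are the two things worth checking: the spender must be the contract of the dapp you believe you are using, and an amount of `0xff...ff` (or anything at or above the token's total supply) means the contract may take everything, not just what the current action needs.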
How to avoid malicious token approvals
Scams tend to stand out in recognisable ways, and you can avoid harm by learning some of their telltale signs:
- Urgent demands: Using time pressure to create urgency with deadlines or cut-off dates
- FOMO: Promising unrealistic returns, airdrops, or allowlisting
- Impersonation: Mimicking well-known protocols, projects, and people
- Rough around the edges: Poor grammar, web design, or unprofessional branding generally
- Unexpected messaging: Requests for money, excessive enthusiasm, and desperation for your involvement
Always remember: if something seems too good to be true, it probably is.
How to revoke a malicious token approval
If you believe you've granted a malicious token approval, act quickly to revoke access. Revoking is itself a transaction that sets the allowance back to zero, so it costs gas and only takes effect once it is confirmed on-chain; tokens that have already been transferred out cannot be recovered this way. If you catch it in time, though, you can prevent further damage.
You can revoke access directly in MetaMask Portfolio, where you can review your existing approvals and revoke any you don't recognise or no longer need.
For more information on using other platforms to revoke access, refer to this article. It's good wallet hygiene in general to check your approvals regularly and revoke any that are unnecessary or potentially harmful, especially unlimited approvals to dapps you no longer use.
Malicious token approvals are a significant risk in web3, but with the right knowledge and tools, you can protect your assets. Always be vigilant when interacting with dapps, double-check permissions, and regularly review your token approvals to ensure your security.