Every time you swap tokens on Uniswap, PancakeSwap, or any decentralized exchange, you sign a transaction that most people never think about: a token approval. This approval grants the DEX's smart contract permission to access your tokens. It is necessary for the swap to work. But it is also one of the most exploited attack vectors in all of crypto.

The problem is not the approval itself — it is the scope. Most DEX interfaces request unlimited approval: permission for the contract to spend any amount of your tokens, at any time, forever. If that contract is later compromised, or if you approved a malicious contract by mistake, your entire balance can be drained without any additional confirmation from you.

How Token Approvals Work

On EVM chains (Ethereum, BSC, Base, Arbitrum, etc.), the ERC-20 token standard includes an approve() function. When you call this function, you tell the token contract: "Allow this specific address to spend up to this specific amount of my tokens."

The key word is "up to." When a DEX requests unlimited approval, the amount is set to the largest value a uint256 can hold, 2^256 - 1. Many token contracts treat that value as infinite and do not decrement it when tokens are spent, so the approved contract can transfer any number of your tokens at any point in the future, without needing your signature again.

Why unlimited approvals exist

The reason DEXes request unlimited approval is convenience. If you approved only the exact amount for each swap, you would need to sign two transactions every single time — one for approval, one for the swap. Unlimited approval means you only approve once per token per DEX, and every subsequent swap requires only one transaction.

This convenience comes at a cost: a permanent, open-ended permission that can be exploited.
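The three ERC-20 calls involved in the sections above (approve, allowance, transferFrom) are small enough to model in full. The following is an added example, not code from the original article or from any token contract: an in-memory model of the allowance rules, used to show how much a contract can take later for an exact, an oversized and an unlimited approval, and that a revocation is nothing more than approve(spender, 0). The names "user", "router" and "attacker" are placeholders, and the rule that a MAX_UINT256 allowance is never decremented is an assumption that matches many, not all, real tokens.

```python
# Added example, not code from the original article: an in-memory model of the
# ERC-20 allowance rules (approve / allowance / transferFrom). It shows why an
# allowance granted for one swap can be used by the same contract much later,
# and how much it can take. Names "user", "router", "attacker" are placeholders.

MAX_UINT256 = 2**256 - 1  # the "unlimited" amount a DEX front end asks for


class Erc20Model:
    """Balances and allowances kept the way an ERC-20 token contract keeps them.

    Assumption (labelled): like many real tokens, an allowance equal to
    MAX_UINT256 is treated as infinite and is not decremented on use.
    """

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining amount

    def approve(self, owner, spender, amount):
        # approve() overwrites the allowance; it does not add to it.
        # Setting amount to 0 is exactly what a "revoke" transaction does.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        # Called by `spender`: moves `owner`'s tokens with no signature from `owner`.
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def swap_then_drain(approval_amount, swap_amount, later_deposit):
    """User approves the router, the router pulls `swap_amount` for a swap, the
    user later deposits more tokens, then the (now compromised) router pulls as
    much as the leftover allowance and balance permit.

    Returns (allowance left after the swap, amount the attacker received).
    """
    user, router, attacker = "user", "router", "attacker"
    token = Erc20Model({user: 1_000})
    token.approve(user, router, approval_amount)
    token.transfer_from(router, user, router, swap_amount)  # the legitimate swap
    token.balances[user] += later_deposit                   # wallet keeps being used
    left = token.allowance(user, router)
    # Months later: the attacker controls the router and needs no new signature.
    take = min(left, token.balances[user])
    token.transfer_from(router, user, attacker, take)
    return left, token.balances.get(attacker, 0)


def revoke_stops_drain():
    """Revocation is approve(spender, 0); afterwards transferFrom fails."""
    token = Erc20Model({"user": 1_000})
    token.approve("user", "router", MAX_UINT256)
    token.approve("user", "router", 0)
    try:
        token.transfer_from("router", "user", "attacker", 1)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("exact approval    :", swap_then_drain(100, 100, 5_000))          # (0, 0)
    print("oversized approval:", swap_then_drain(500, 100, 5_000))          # (400, 400)
    print("unlimited approval:", swap_then_drain(MAX_UINT256, 100, 5_000))  # (2**256-1, 5900)
    print("after revoke, drain blocked:", revoke_stops_drain())             # True
```

The point the three runs make: the loss is bounded by the allowance that is still open, not by the amount you meant to swap. An exact approval is consumed by the swap itself, an oversized one leaves the difference exposed, and an unlimited one exposes whatever the wallet holds at the moment the spender decides to act.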

How Approval Exploits Work

Phishing site approval

The most common attack. You visit a website that mimics a legitimate DEX or DeFi protocol. It looks identical — same layout, same colors, same logo — but the URL is slightly different. When you "swap" on this fake site, the approval transaction grants access not to the real DEX contract, but to a drain contract controlled by the attacker. Once approved, the drain contract takes everything.

This is the primary mechanism behind airdrop scam websites — the "claim" button is actually an approval request for a drain contract.

Compromised legitimate protocol

Even approvals granted to legitimate protocols can become dangerous. If a DeFi protocol's smart contract has a vulnerability and gets hacked, the attacker can pull tokens from every wallet that still holds a nonzero allowance to that contract, up to the allowance and the wallet's current balance. Your old approval from a swap you did 6 months ago becomes the attack vector.

This has happened multiple times in DeFi history. Protocols with millions of dollars in TVL have been exploited through approval-based attacks, affecting users who interacted with the protocol weeks or months before the hack.

Hidden approval in token interaction

A malicious token contract cannot grant an allowance on your USDT or other tokens by itself: ERC-20 approve() records the allowance for the caller, so only a transaction or signature you authorise with the valuable token as its target can create one. What scam tokens do instead is route you through their own "sell" or "claim" page, where the transaction you are asked to confirm is labelled as a sale but actually targets a different token contract and calls approve() for a drain address. You think you are selling a token; you are actually approving a contract that will drain your USDT, WETH, or other valuable tokens later. The defence is the same as for phishing sites: read the target contract, function and amount in the wallet prompt, not the button label on the page.

Approvals persist forever

An approval you granted a year ago is still active today. An allowance has no expiry: it stays until the spender uses it up through transferFrom() (and an unlimited allowance is typically never decremented, so it never runs out) or until you overwrite it. The only way to remove it is to explicitly set it to zero through a separate on-chain transaction; that revocation is itself an approve() call with an amount of 0.

How to Audit and Revoke Approvals

Step 1: Go to Revoke.cash

Visit Revoke.cash, a widely used, free, open-source tool for managing token approvals that works across all major EVM chains.

Step 2: Connect your wallet

Connect the wallet you want to audit. Revoke.cash will list the approvals for that wallet on the selected network, built from the wallet's on-chain approval history; repeat the scan for each chain you use, since approvals are per chain.

Step 3: Review each approval

You will see a list of every contract you have ever approved, along with the approved amount and the token. Look for:

  • Contracts you do not recognize — revoke immediately
  • Unlimited approvals to DEXes you no longer use — revoke
  • Approvals to contracts with no name or label — treat as unknown; if you cannot trace the approval to a site you actually used, revoke
  • Old approvals from months or years ago — revoke unless actively used

Step 4: Revoke dangerous approvals

Click "Revoke" next to each approval you want to remove. Each revocation is an on-chain transaction that costs a small gas fee. Under the hood it calls approve() on the token with the amount set to 0, so your wallet will show it as an approval request; confirm that the amount is 0 and that the token and spender are the ones you intend before signing. Revoke approvals for your most valuable tokens first.

Step 5: Repeat monthly

New approvals accumulate with every DeFi interaction. Make approval auditing a regular habit — once a month is a reasonable frequency for active traders.
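The five steps above can also be done without a third-party site, because an approval checker works from public data: every approve() emits an Approval(owner, spender, value) event, and the latest event per (token, spender) pair tells you what is still open. The block below is an added example, not code from the article and not Revoke.cash's own implementation; it rebuilds the active-approval list for one wallet from a constructed batch of event logs in the shape eth_getLogs returns. All addresses and the "known spenders" label table are placeholders, and the logs are assumed to be in chain order.

```python
# Added example, not code from the article or from Revoke.cash: rebuild the
# list of still-active ERC-20 approvals for one wallet from Approval event
# logs, the on-chain data an approval checker reads. The log records below are
# constructed sample data in the shape eth_getLogs returns; every address is a
# placeholder.

MAX_UINT256 = 2**256 - 1
# keccak256("Approval(address,address,uint256)"), the event's topic[0]
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"


def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; the last 20 bytes are the address."""
    return "0x" + topic[-40:].lower()


def address_to_topic(address):
    return "0x" + address[2:].lower().rjust(64, "0")


def active_approvals(logs, owner, known_spenders):
    """Latest Approval per (token, spender) for `owner`, keeping nonzero ones.

    `logs` must be in chain order (ascending block number, then log index):
    a later Approval overwrites an earlier one for the same pair.
    """
    owner = owner.lower()
    latest = {}
    for log in logs:
        topics = log["topics"]
        if topics[0].lower() != APPROVAL_TOPIC or topic_to_address(topics[1]) != owner:
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = int(log["data"], 16)  # the non-indexed uint256 value
    report = []
    for (token, spender), amount in sorted(latest.items()):
        if amount == 0:
            continue  # already revoked
        report.append({
            "token": token,
            "spender": spender,
            "amount": amount,
            "unlimited": amount == MAX_UINT256,
            "label": known_spenders.get(spender, "UNKNOWN - verify or revoke"),
        })
    return report


# Constructed sample: placeholder addresses, not real contracts.
ME, SOMEONE_ELSE = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
ROUTER, MYSTERY = "0x" + "cc" * 20, "0x" + "dd" * 20
KNOWN = {ROUTER: "example DEX router (placeholder)"}


def approval_log(token, owner, spender, amount):
    return {"address": token,
            "topics": [APPROVAL_TOPIC, address_to_topic(owner), address_to_topic(spender)],
            "data": "0x" + format(amount, "064x")}


SAMPLE_LOGS = [
    approval_log(TOKEN_A, ME, ROUTER, MAX_UINT256),             # unlimited, granted for a swap
    approval_log(TOKEN_B, ME, MYSTERY, 5_000 * 10**6),          # from a site you do not remember
    approval_log(TOKEN_A, ME, ROUTER, 0),                       # you revoked this one
    approval_log(TOKEN_A, SOMEONE_ELSE, MYSTERY, MAX_UINT256),  # not your wallet
    approval_log(TOKEN_B, ME, ROUTER, 10**18),                  # limited, still open
]

if __name__ == "__main__":
    for row in active_approvals(SAMPLE_LOGS, ME, KNOWN):
        amt = "unlimited" if row["unlimited"] else str(row["amount"])
        print(f"{row['token']} -> {row['spender']}: {amt} [{row['label']}]")
```

Two caveats a real audit needs. Amounts derived from events are an upper bound: transferFrom() consumes allowance, but most tokens emit no Approval event when that happens, so confirm a suspicious entry with the token's allowance(owner, spender) view call before deciding it is still open. And events are per chain, so the scan has to be repeated against each network's logs.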

Best Practices for Approval Safety

  1. Use limited approvals when possible. Some wallets (like Rabby) let you edit the requested amount down to exactly what the swap needs. A standard token decrements the allowance as it is spent, so nothing usable is left after the swap, and even if the contract is compromised before you swap, the loss is capped at that amount rather than your whole balance.
  2. Revoke after large transactions. After selling a significant position, revoke the approval for that token. You can always re-approve if you need to trade again.
  3. Separate your wallets. Use a dedicated trading wallet with limited funds for interacting with new contracts. Keep your main holdings in a wallet that never approves unknown contracts.
  4. Verify URLs carefully. Before approving any transaction, verify the website URL matches the official protocol. Bookmark legitimate sites and use those bookmarks instead of clicking links.
  5. Read approval requests. Before confirming any transaction, check what you are approving: which token, which contract, what amount. If anything looks unexpected, reject it.
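Item 5 is only useful if you can read what the wallet shows, and what it shows is calldata: a four-byte function selector followed by 32-byte words. The block below is an added example, not code from the article or from any wallet; it decodes the calldata of a pending ERC-20 call, flags an unexpected spender or an unlimited amount before you sign, and builds the calldata for a revocation. The selectors are the standard ERC-20 ones; the router and drainer addresses are constructed placeholders.

```python
# Added example, not code from the article or any wallet: decode the calldata
# of a pending ERC-20 transaction before signing it, and build the calldata for
# a revocation. The four-byte selectors are the standard ERC-20 ones; the
# expected-spender address and the calldata samples are constructed placeholders.

MAX_UINT256 = 2**256 - 1
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}


def decode_call(calldata):
    """Return the function name and, for approve(), the spender and amount."""
    data = calldata[2:] if calldata.startswith("0x") else calldata
    selector, args = data[:8].lower(), data[8:]
    name = SELECTORS.get(selector, "unknown selector 0x" + selector)
    result = {"function": name}
    if name.startswith("approve"):
        if len(args) != 128:
            raise ValueError("approve() calldata must carry two 32-byte words")
        result["spender"] = "0x" + args[24:64].lower()  # address is right-aligned in its word
        result["amount"] = int(args[64:128], 16)
        result["unlimited"] = result["amount"] == MAX_UINT256
    return result


def encode_approve(spender, amount):
    """Build approve(spender, amount) calldata; amount 0 is a revocation."""
    word_spender = spender[2:].lower().rjust(64, "0")
    return "0x095ea7b3" + word_spender + format(amount, "064x")


def revoke_calldata(spender):
    return encode_approve(spender, 0)


def check_before_signing(calldata, expected_spender, max_amount):
    """Warnings a user should see before confirming a swap's approval step.

    expected_spender: the contract the site you are on is documented to use.
    max_amount: the largest amount you are prepared to let it spend.
    """
    call = decode_call(calldata)
    warnings = []
    if not call["function"].startswith("approve"):
        return ["not an approve() call: " + call["function"]]
    if call["spender"] != expected_spender.lower():
        warnings.append("spender is not the contract you expected: " + call["spender"])
    if call["unlimited"]:
        warnings.append("unlimited allowance requested; edit it down to the swap amount")
    elif call["amount"] > max_amount:
        warnings.append(f"allowance {call['amount']} exceeds your limit {max_amount}")
    return warnings


if __name__ == "__main__":
    router = "0x" + "cc" * 20   # placeholder for the DEX contract you meant to use
    drainer = "0x" + "dd" * 20  # placeholder for a contract you did not
    requested = encode_approve(drainer, MAX_UINT256)
    print(decode_call(requested))
    print(check_before_signing(requested, router, 100 * 10**18))
    print("revoke:", revoke_calldata(drainer))
```

The check is deliberately two-sided: the spender must be the contract the site is documented to use, and the amount must be bounded. A transaction that passes both still deserves a look at the "to" address of the transaction itself, which is the token contract whose allowance you are changing; a phishing page can present an approve() that targets a more valuable token than the one you think you are selling.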

How to Avoid Approval Exploits

  1. Audit approvals regularly with Revoke.cash — free, works on all EVM chains.
  2. Scan tokens before interacting. Use RugCheck, Honeypot.is, or TokenSniffer to verify tokens are not malicious before any transaction.
  3. Never approve on unfamiliar websites. If you are not 100% certain a site is legitimate, do not sign any transaction.
  4. Use limited approvals. Approve only the amount you need, not unlimited.

Frequently Asked Questions

What is a token approval in crypto?

A token approval is a permission you grant to a smart contract to spend your tokens on your behalf. Every DEX swap that spends an ERC-20 token requires one; swapping native ETH does not. The danger is that most approvals are unlimited — the contract can spend any amount, forever, unless you explicitly revoke.

How do I revoke token approvals?

Use Revoke.cash — connect your wallet, review all active approvals, and revoke any you do not recognize. This costs a small gas fee per revocation. Audit your approvals monthly on every chain you use.