Reclaim Control: Revoking ERC20 Approvals with Solidity Execute

Tamaghna Chowdhury
Published in 7Finney
5 min read, Jun 9, 2023

Why are unlimited approvals bad?

  • Kyber Network hack, September 2022. Amount lost: $265,000
  • LiFi hack, March 2022. Amount lost: $600,000
  • BadgerDAO hack, December 2021.
  • SushiSwap hack, April 2023. Amount lost: $3.3M

The list of hacks goes on, and the drained user wallets visible in block explorer histories show why unlimited approvals are bad.

In this article, we’ll explore the dangers of granting infinite approval and introduce a powerful tool called Solidity Execute that allows developers to revoke ERC20 approvals, regaining control over their tokens.

Unlimited approvals in DeFi allow users to grant one-time permission to smart contracts, enabling smooth operation with their tokens without the need for repeated authorization. This approach aims to enhance the user experience by eliminating the hassle of approving each transaction individually. However, it is important to be aware of the potential risks and security implications associated with granting unlimited approvals.

Revoking approval for any ERC20 token using Solidity execute

Solidity Execute is an easy-to-use smart contract interaction tool built to interact with smart contracts on any EVM-based network, such as Ethereum or Polygon. In this section, we will revoke the approval of an ERC20 token from a malicious spender using the Solidity Execute VS Code extension.

Let’s start by compiling an ERC20 contract using Hardhat and getting into the Solidity Execute environment.

  • Install Solidity Execute
  • Create an account
  • Select the network, in this case Goerli Testnet
  • Compile the ERC20 contract (here AnyERC20) using Hardhat
  • Open Solidity Execute
  • Set the deployed contract address of the token in the <tokenContract>_deployed_address.json file.

For demonstration purposes, we are considering the USDC stablecoin token contract deployed on Goerli Testnet:

0x07865c6E87B9F70255377e024ace6630C1Eaa37F

Open Solidity Execute | Select contract | Add contract address

Before going further, let's check the USDC token balance of my address on Goerli Testnet. I have 5000000 USDC tokens available in my wallet.

Balance of Account 1

Now let’s check how many tokens are approved for an individual spender.

We will call the allowance function, passing the owner and spender addresses as parameters in the value field of the anyERC20_functions_input.json file.

It shows the amount of tokens approved for that spender. In the example below, we have approved 3000000 tokens for the address 0x2825cdd52ea4485e560045825fe0e720bb36289e to spend.

Checking allowance of Account 2

Even though we have only approved the tokens and not signed any send transaction, a malicious actor can use the transferFrom() function to transfer the full approved amount of 3000000, all without requiring any further approval from the actual token holder (i.e. Account 1).

Let's check the balance of Account 2, the account we have approved to spend 3000000 tokens.

Balance of Account 2

Now let’s call the transferFrom function from Account 2 to transfer the approved funds.

Calling transferFrom function

Let’s check the balance of Account 2 & Account 1 side by side.

Balance of Account 1 & 2 after calling transferFrom function

To revoke the approved amount using Solidity Execute, we make another approve call with the same spender address, this time passing 0 as the approve amount. This revokes the token spending permission from the malicious spender.

Call the allowance function again to check whether the revocation was successful. The malicious spender no longer has access to spend our valuable USDC tokens.

Checking allowance after calling approve function
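To make the approve / transferFrom / revoke sequence above concrete without a testnet, here is an added Python model of ERC20 allowance accounting (not code from the article or from Solidity Execute). Account names and amounts are constructed; the "unlimited allowance is never decremented" rule follows OpenZeppelin's ERC20 implementation, which is what most tokens inherit.

```python
# Added example (not from the article or the Solidity Execute project): a minimal
# Python model of ERC20 allowances replaying the article's scenario with constructed data.
MAX_UINT256 = 2**256 - 1  # what an "unlimited approval" is on chain


class ERC20Model:
    """Balances and allowances kept the way an ERC20 contract keeps them."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        # approve() overwrites the allowance, so approve(spender, 0) revokes it
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, caller, owner, to, amount):
        """Spender `caller` pulls `amount` from `owner`; the owner signs nothing."""
        allowed = self.allowance(owner, caller)
        if allowed < amount:
            raise PermissionError("ERC20: insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("ERC20: transfer amount exceeds balance")
        if allowed != MAX_UINT256:  # OpenZeppelin rule: unlimited is never decremented
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def replay_article_scenario():
    """Account 1 approves 3,000,000 to Account 2; Account 2 drains it; then revoke."""
    usdc = ERC20Model({"acct1": 5_000_000})
    usdc.approve("acct1", "acct2", 3_000_000)
    usdc.transfer_from("acct2", "acct1", "acct2", 3_000_000)  # drained, no consent needed
    usdc.approve("acct1", "acct2", 0)  # the revoke step from the article
    try:
        usdc.transfer_from("acct2", "acct1", "acct2", 1)
        blocked = False
    except PermissionError:
        blocked = True
    return usdc.balances["acct1"], usdc.balances["acct2"], usdc.allowance("acct1", "acct2"), blocked


def unlimited_allowance_persists():
    """MAX_UINT256 approval: spending never lowers it, so later deposits stay exposed."""
    t = ERC20Model({"owner": 1_000})
    t.approve("owner", "spender", MAX_UINT256)
    t.transfer_from("spender", "owner", "spender", 1_000)
    t.balances["owner"] += 500  # owner receives new tokens later
    t.transfer_from("spender", "owner", "spender", 500)  # still allowed
    return t.allowance("owner", "spender") == MAX_UINT256, t.balances["owner"]
```

The second function is why a bounded approval plus a later approve(spender, 0) matters: with an unlimited allowance, tokens received after the approval are just as spendable as the ones present when it was granted.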

Conclusion

Granting unlimited approvals to DeFi contracts may appear convenient and alluring, but it exposes users to significant risks. These risks include the potential theft of tokens stored in personal wallets, as well as tokens that users may receive in the future.

Revoking unnecessary access becomes paramount to safeguarding one’s assets. Solidity Execute provides users with the necessary tools to exercise precise control over token approvals, ensuring flexibility and safety in managing their DeFi interactions.

Solidity Execute goes beyond empowering users with precise control over token approvals for ERC20 tokens. It serves as a comprehensive solution that facilitates seamless interaction with a wide range of DeFi protocols and enables efficient debugging of security-related smart contracts.

Additionally, it offers invaluable support for interacting with and debugging other security smart contracts, enhancing overall security and reliability in the decentralized ecosystem.

Why wait? Let’s start using Solidity Execute inside VSCode

Github | Marketplace | Website | Discord
