Token Approvals and Revocation of Permissions: Decoding DeFi Security

As we track major hacks like those at Poloniex, Huobi (HTX), and KyberSwap, where millions of dollars were stolen, it’s important to note that smaller hacks occur daily, adding up to thousands each month. You can read about them on Twitter, in Discord, and in Telegram chats. These incidents often share a common thread — the victim unknowingly approved a token transfer and then forgot about it.

What is the approve function in ERC-20 and ERC-721 token standards? What hidden dangers does it present? How do hackers exploit these vulnerabilities, and how can we mitigate these risks? We explained everything step by step.

What is the Approve Function?

The first thing you should know is that your wallet doesn’t store your tokens. They are stored in their smart contracts. For instance, the LINK ERC-20 smart contract acts as a database, holding all the token owner addresses and their balances.

Transferring tokens to another address involves invoking the specific Transfer function in the token’s smart contract. This updates its database by decreasing your balance by X amount and increasing the recipient’s balance by the same amount.

Other smart contracts can’t directly call the Transfer function on your behalf. When you want to provide liquidity or to swap LINK for USDT, the DEX contract will ask you for permission to initiate the token transfer via the Approval mechanism. Signing the approval request means you give a specific smart contract permission to spend a certain amount of your tokens at any time, indicating your consent.

The Approve function is the backbone of automated decentralized finance, and, unfortunately, it’s also at the center of countless draining incidents. While legitimate contracts use approvals to function as intended, malicious ones trick users into approving the withdrawal of all valuable tokens and NFTs, effectively draining the wallet.

How Approval Function-Based Hacks Operate

Since 2020, over 100,000 addresses have fallen victim to Inferno drainer attacks, costing a total of $71 million. Most of these attacks were using Approval to drain the funds.

Certain incidents have gained notoriety; for example, an NFT collector known as StockEd lost $300,000 simply by clicking a malicious link, connecting their wallet, and signing an approval request.

There are three common vectors for such attacks:

1. To trick the victim into connecting their wallet and signing the approval transaction, which then allows the attackers to drain the wallet.
2. To hack a DeFi project that collected many signed approval transactions, then drain the connected wallets.
3. To launch a real protocol with safe smart contracts, then upgrade the contracts to add draining functions and steal funds from connected wallets.

The attackers are getting creative with hiding the approval transactions. For example, in StockEd’s case, the drainer put the malicious transaction in Metamask’s buffer and the victim signed it long after he connected the wallet to the scam website. In other cases, scammers purposely ignore ERCs designed to preview the proposed transaction in human-readable code instead of byte code, so the user can’t understand what exactly he signs.

How Can Users Defend Their Funds?

First, be careful with approval transactions. Always read the transaction you are ready to sign in your wallet. Metamask has become more secure with recent updates, including the introduction of malicious transaction detectors, but it’s still wise to read and verify everything yourself.

Second, learn how to use your wallet. Popular wallets, such as Binance Web3 Wallet, enable users to view and revoke current approvals as a precaution.

Third, there are specialized services to revoke approvals. E.g. Revoke.cash is designed to view and manage current approvals. If you suspect that any protocols you use have been compromised, it’s prudent to revoke any token approvals as a safety measure.

Fourth, you can manually edit transactions. If a dApp requests you to sign for unlimited approval, you have the option to modify the token quantity, permitting withdrawal of only the amount necessary for the transaction. Major protocols like Uniswap and Aave request limited approval, while new protocols are more likely to propose signing a dangerous unlimited one.

Fifth, you have to be careful with dApps that use upgradable contracts. Those are the contracts whose code can be changed by developers later. Malicious devs can implement the code that will exploit the unlimited allowances users gave them.

Sixth, create a separate wallet for working with fresh dApps to not put all of your holdings at risk. It’s a safety measure that helps protect your primary holdings by isolating them from potential risks associated with untested or less secure platforms.

How Can Developers Make their dApps Safer?

There are two main and two secondary steps for defense.

1. Go for an independent security audit. Sometimes hackers can get unauthorized access to private functions and exploit granted approvals.
2. Implement the limited approvals. Ensure the contract asks only for the quantity of tokens it will use, rather than requesting unlimited approval. Even if the contract administrator key gets compromised, at least the users’ losses will be limited.
3. A rarely used but existing feature is a separate button to revoke all previously signed approvals. Many users don’t know that disconnecting their wallet from the dApp won’t cancel the approvals, and the dedicated button might do the thing.
4. Freeze function — quite a radical method that goes against the decentralization and permissionless narrative. Tether added the Freeze function to its USDT contracts, so they can freeze the stablecoins stolen from other protocols or transfered to the wrong addresses. The user can request a revoked transaction and Tether will burn the lost USDT and then refund the user with freshly minted stablecoins minus the fee. Despite its usefulness, this approach is far from the principles of decentralization and can potentially scare users away from a new DeFi protocol.

Conclusion

Although approval attacks are quite common, they remain largely unknown to the general public. This is a kind of attack that is very hard to cope with in code, as the hackers create their wallet drainers or hijack protocols to exploit the approvals.

However, at Dexola we believe that with thorough audits and limited approval mechanisms, we can make DeFi safer. By continuously educating users about potential risks, we can increase awareness of unlimited approvals and leave hackers without their ‘bread and butter.