When interacting with a DEX (decentralised exchange), a DeFi website or some other type of smart contract, you are required to approve the spending of the specific token / coin. What this means is that you are giving the service permission to manage your tokens in some way. In a lot of circumstances, this is normal and required (provided you have done your research on the service you are using). For example, if you want to swap between two tokens on Pancakeswap, you first need to approve the token you are swapping. This allows Pancakeswap to trade it for another token. These “allowances” mean you can use the service at any time with ease, and they reduce the need to pay the gas fee for approval each time. Be aware, however, that this allowance is normally requested as “Unlimited”. This means the service has access to spend all of your tokens.
Potential issues
If you use a site where you have to stake tokens, you will need to approve this. If the approval grants access to unlimited amounts of that token, the service will have access not only to the tokens you are staking but also to those remaining in your wallet. For more well-known and trusted services such as Uniswap or Pancakeswap, this is less of an issue, but if you are using relatively new DeFi yield services, there is always the possibility of a smart contract having a malicious developer or a vulnerability in the code which could allow a hacker to spend your tokens.
The solution to this is to revoke the spend permissions once you have finished using the service. This means the service can no longer spend any tokens in your wallet. They will still have access to your staked tokens (if using a DeFi service) but there is no way around this as the staked tokens do need to be managed by the service.
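What the wallet actually signs in each case, as an added example that is not part of the original page: assuming a standard ERC-20 token, an "Unlimited" approval and a revocation are the same approve(address,uint256) call, differing only in the amount. The function names and the sample spender address below are constructed for illustration.

```python
import re

APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1       # the amount wallets display as "Unlimited"
SAMPLE_SPENDER = "0x" + "ab" * 20  # constructed placeholder, not a real contract


def _hex(value: str, length: int, what: str) -> str:
    """Strip an optional 0x prefix and require exactly `length` hex digits."""
    body = value.lower()
    body = body[2:] if body.startswith("0x") else body
    if not re.fullmatch(r"[0-9a-f]{%d}" % length, body):
        raise ValueError(f"{what}: expected {length} hex digits")
    return body


def build_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount): selector + two 32-byte words."""
    if not 0 <= amount <= MAX_UINT256:
        raise ValueError("amount does not fit in uint256")
    address_word = _hex(spender, 40, "spender").rjust(64, "0")
    return "0x" + APPROVE_SELECTOR + address_word + format(amount, "064x")


def build_revoke(spender: str) -> str:
    """A revocation is the same call with the allowance set to zero."""
    return build_approve(spender, 0)


def decode_approve(calldata: str) -> dict:
    """Decode approve() calldata and label what it grants the spender."""
    data = _hex(calldata, 136, "calldata")
    if data[:8] != APPROVE_SELECTOR:
        raise ValueError("not an approve(address,uint256) call")
    if data[8:32] != "0" * 24:
        raise ValueError("spender is not a left-padded 20-byte address")
    amount = int(data[72:], 16)
    kind = "revoke" if amount == 0 else "unlimited" if amount == MAX_UINT256 else "limited"
    return {"spender": "0x" + data[32:72], "amount": amount, "kind": kind}


if __name__ == "__main__":
    for call in (build_approve(SAMPLE_SPENDER, MAX_UINT256), build_revoke(SAMPLE_SPENDER)):
        print(decode_approve(call))
```

Comparing the hex data shown in the wallet's confirmation screen against this decoding lets you confirm that a prompt labelled as a revocation really sets the allowance to zero for the spender you expect.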
Revoke the spend allowance to secure your wallet
There are a number of services that offer the ability to remove the spend allowances on tokens. As the revocation will be interacting with your wallet, it is wise to process revocations from a trusted service. In our opinion, the established blockchain explorers of each network are some of the most trustworthy. Our instructions below are based on Ethereum but we are aware that gas fees are so high on Ethereum that you may not wish to revoke much. The good news is that the process is identical for each blockchain explorer that we have listed at the bottom of this page.
Etherscan
- Go to https://etherscan.io/ or equivalent blockchain scanner (list at the bottom of the page).
- In the top right of the page, click on More
- When the sub-menu opens, click on Token Approvals
- Enter your Ethereum wallet address
- Press the blue search button
- Click on Connect to Web3
A prompt will appear asking you to choose your wallet type. At Yield Reviews we like to use MetaMask as it appears to be the one which is compatible with most services but you can also use WalletConnect.
- Click on the wallet account that you wish to connect with (this should be the same wallet address you entered earlier).
- Click on Next
There will be a second page in MetaMask which will confirm the permission that the site requires. It will only require the ability to read the address. Click on Connect.
Make sure that the Web3 connect button has changed to Connected
This will then show you the Assets and approved spenders of those assets including their allowance.
If you wish to revoke an approval, click on the Revoke button.
MetaMask will prompt you to accept the transaction – check the gas fee and if you are happy with the details and amount, approve the transaction to revoke the spend.
It is important to note that as the gas fees are high on Ethereum, if you trust the sites that you are connected with, you may choose not to revoke the spending allowance if you use the service often. Also, if you no longer own that particular token, it may not be worth spending the gas fee to revoke something which you no longer own anyway. Other blockchains (such as BSC) have lower gas fees, so revoking permissions wherever possible has less financial impact there.
Blockchain explorers offering revocation service