Token approvals: how to stay safe
Often, token approval requests will ask for access to a number of tokens so astronomically high that it’s essentially unlimited: Uniswap, for example, requests access to the 1.1559 amount of the token. Many legitimate dApps do this to minimize the need, and the associated transaction costs, for you to re-approve access to the token every time you want to use it on the dApp. Think of DEXs, for example: if you’re conducting a lot of token swaps, you don’t want the additional clicks and gas fees every time.
However, requesting essentially unlimited amounts of tokens is also how many malicious, bad actor sites steal from unsuspecting web3 users. This can be particularly demoralizing as a user if you’ve adhered to all our recommended security tips, including keeping your Secret Recovery Phrase offline only and never sharing it: despite all your efforts, you’ve been exploited anyway.
To make sure you’re not granting bad actors access to all of your tokens, we recommend you follow these key principles (which we’ve borrowed from our blog post):
- First, always check what a dApp is actually requesting before clicking ‘Approve’.
- DYOR. The best time to get in the habit of performing due diligence on any dApp before interacting with it was six months ago; the second best time is today. Look out for misspellings, low-quality images/logos, and other giveaways.
- Remember that if something seems too good to be true, it probably is. If you’re being offered 498,563% APY, you’re probably on thin ice.
setApprovalForAll may look mildly bewildering, but it’s worth knowing about if you interact with dApps.
This is a function in the ERC-721 and ERC-1155 standards (which relate specifically to NFTs) that enables you to grant or revoke other addresses the ability to manage all of your NFTs associated with a specific smart contract.
One of the most common applications for this function is NFT marketplaces. When you sell an NFT on a platform such as OpenSea, you need to allow the dApp to access and transfer that NFT to the buyer when it sells. Such platforms often request access to all the NFTs of that type (i.e., originating from the same smart contract). For you, the user, this is generally inconsequential — we trust large platforms such as OpenSea not to overstep the boundary and remove NFTs that they shouldn’t.
And, as we said, it generally ends there. However, like many areas of web3, this is a potential opening for scammers, either by exploiting an existing dApp to which many wallets have already granted access to all tokens of a specific type, or by luring you into granting approval to a malicious dApp.
Given that this function allows access to all tokens associated with the contract, two things should cross your mind when you’re presented with it:
- Does the dApp I’m interacting with actually need access to all of my tokens?
- Is this a legitimate, non-malicious site that isn’t trying to scam me?
One common non-legitimate application of this function is when malicious dApps ask you to set “Approval For All” to claim an NFT drop: you shouldn’t have to sign this kind of approval to receive anything. Don’t be fooled!
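The first principle above (check what a dApp is actually requesting before clicking ‘Approve’) applied to both patterns on this page, as an added example that is not MetaMask’s or any dApp’s own code: it decodes the calldata of a pending transaction and flags an unlimited ERC-20 allowance or a blanket setApprovalForAll. The spender address and the three sample requests are constructed for the demonstration.

```javascript
// Added example: decode pending-transaction calldata and flag the two approval
// patterns discussed above. Function selectors are the first 4 bytes of the
// keccak256 hash of the signature; these two are the standard ERC-20/721/1155 ones.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // ERC-20 allowance (also ERC-721 per-token)
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 operator approval
};
const MAX_UINT256 = (1n << 256n) - 1n; // what "unlimited" usually means on-chain

// i-th 32-byte ABI word after the 4-byte selector, as a hex string
function word(hex, i) {
  return hex.slice(8 + 64 * i, 8 + 64 * (i + 1));
}

function inspectApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const sig = SELECTORS[hex.slice(0, 8)];
  // Both functions take exactly two ABI words; anything else is not an approval
  if (!sig || hex.length !== 8 + 2 * 64) {
    return { kind: "other", risk: "none", note: "not an approval request" };
  }
  const spender = "0x" + word(hex, 0).slice(24); // address is the low 20 bytes of the word
  const arg = BigInt("0x" + word(hex, 1));
  if (sig.startsWith("approve")) {
    const unlimited = arg === MAX_UINT256;
    return {
      kind: "allowance", spender, unlimited,
      amount: arg.toString(), approxAmount: Number(arg).toExponential(4),
      risk: unlimited ? "high" : arg === 0n ? "none" : "limited",
    };
  }
  const approved = arg === 1n;
  return { kind: "operator", spender, approved, risk: approved ? "high" : "none" };
}

// Constructed sample requests (hypothetical spender 0x1111...1111)
const SPENDER_WORD = "0".repeat(24) + "11".repeat(20);
const UNLIMITED_APPROVE = "0x095ea7b3" + SPENDER_WORD + "f".repeat(64);
const SET_APPROVAL_FOR_ALL = "0xa22cb465" + SPENDER_WORD + "0".repeat(63) + "1";
const REVOKE_ALL = "0xa22cb465" + SPENDER_WORD + "0".repeat(64);

for (const tx of [UNLIMITED_APPROVE, SET_APPROVAL_FOR_ALL, REVOKE_ALL]) {
  console.log(inspectApproval(tx));
}
```

The unlimited case decodes to roughly 1.1579e+77, the 2^256-1 ceiling that the "astronomically high" requests above correspond to; a legitimate NFT drop claim should never decode to an operator approval at all.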
We can’t protect you from the risks inherent in using web3: as the owner of a self-custodial wallet, that responsibility lies with you. However, with changes such as this, we’re working to equip you with the information you need to stay vigilant and aware of exactly what you’re doing.