How to Revoke Token Allowances
What is a Token Allowance
In Ethereum, the most popular token standard is known as ERC-20. It is the technical standard that smart contracts on the Ethereum blockchain use to implement fungible tokens. As users, we commonly trade, transfer, or spend ERC-20 tokens such as DAI, USDC, or WBTC on decentralized exchanges (DEXs) like Uniswap or on DEX aggregators like Zapper Exchange.
The ERC-20 standard allows a user's wallet address to give an allowance to another address (i.e., a smart contract in a DeFi application) so that it can retrieve tokens from the wallet. All DeFi applications on Ethereum and other EVM-compatible chains like Polygon, including the tools you interact with on Zapper, are designed with this ERC-20 standard in mind.
You've probably experienced this requirement to give an "approval" or "allowance" when you traded a token like DAI or deposited DAI into a Zapper Pool.
- The first step is always to Approve spending or depositing a certain amount of a specific token, like DAI.
- The second step is where you actually make a trade or maybe deposit tokens into a liquidity pool or farm.
The Pros and Cons of Infinite Approval
In many DeFi applications, there is a default setting to ask users for "infinite approval" before they can deposit or spend tokens. This setting can be very convenient and useful for saving time and fees on future approval transactions. If one gives infinite approval, they can avoid 50% of their future transactions when using this token.
For example, if I frequently trade with DAI for other tokens on Zapper Exchange, I might opt for the "infinite approval" for DAI so I can save time and money on fees while skipping the approval transaction. You can see below the "Permission" I'm editing in my MetaMask after being prompted to give approval to spend DAI on Zapper Exchange.
However, the downside of infinite token allowances is that they present an opportunity to exploit users. If a user gives infinite approval to a smart contract address in a DeFi application and that smart contract gets exploited, or some bad actor somehow gains control of the address, the attacker can sweep the approved tokens from any wallet that gave permission to spend them. For example, if I gave infinite approval to spend my USDC and DAI to a new DeFi application, the team behind this application could be bad actors looking to exploit unknowing users who gave infinite permission. Once I give the infinite approval, they can deduct those tokens from my wallet without me knowing.
How to Revoke Token Allowances
In light of the risks of using unlimited/infinite token allowances, it is a best practice among DeFi and Ethereum users to review token allowances a few times a year and edit/revoke any infinite allowances back to 0. It stems from an ethos among the crypto community: "Don't trust. Verify."
Zapper just released a new feature in the Settings menu to revoke allowances. Here's how to approach this best practice of revoking unlimited allowances right on your Zapper dashboard:
- Click on Settings in the left menu -> Manage under Allowances or go directly here
- Look for any highlighted UNLIMITED allowances and then click the green Revoke button one at a time
- Each Revoke transaction will set the spending limit for that smart contract address back to 0, protecting your wallet and tokens
- One might also choose to Revoke higher allowances even if it's not "unlimited"
- Be sure to repeat this process for each of your wallets
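The same review can be done from the ERC-20 Approval events themselves. The sketch below is an added example, not Zapper's code: it replays Approval logs for one wallet, reports the spenders whose latest approval is still unlimited, and builds the approve(spender, 0) calldata that a revoke transaction carries. The log entries and addresses are constructed placeholders, and the helper names are hypothetical.

```python
# Added illustration (not Zapper's code): audit ERC-20 Approval logs offline.
# keccak256("Approval(address,address,uint256)"), the ERC-20 event signature topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
UNLIMITED = 2**256 - 1         # the value wallets send for "infinite approval"

def word(value):
    """ABI-encode an integer or 0x-address as one 32-byte hex word (no prefix)."""
    digits = value[2:].lower() if isinstance(value, str) else format(value, "x")
    return digits.rjust(64, "0")

def latest_allowances(logs):
    """Replay Approval logs in chain order; last value per (token, owner, spender) wins."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 reuses this signature with 4 topics, so require exactly 3.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        owner, spender = ("0x" + t[-40:].lower() for t in topics[1:])
        state[(log["address"].lower(), owner, spender)] = int(log["data"], 16)
    return state

def unlimited_for(owner, logs):
    """(token, spender) pairs whose most recent approval by `owner` is unlimited."""
    return sorted((tok, sp) for (tok, own, sp), amount in latest_allowances(logs).items()
                  if own == owner.lower() and amount == UNLIMITED)

def revoke_calldata(spender):
    """Calldata for approve(spender, 0); the owner sends it to the token contract."""
    return "0x" + APPROVE_SELECTOR + word(spender) + word(0)

# --- constructed sample data: placeholder addresses, not real contracts ---
TOKEN_A, TOKEN_B = "0x" + "a1" * 20, "0x" + "b2" * 20
OWNER, DEX, FARM = "0x" + "11" * 20, "0x" + "d0" * 20, "0x" + "fa" * 20

def approval_log(token, block, index, spender, amount):
    return {"address": token, "blockNumber": block, "logIndex": index,
            "topics": [APPROVAL_TOPIC, "0x" + word(OWNER), "0x" + word(spender)],
            "data": "0x" + word(amount)}

SAMPLE_LOGS = [
    approval_log(TOKEN_B, 140, 7, FARM, 0),             # later revoke of the block-101 approval
    approval_log(TOKEN_A, 100, 3, DEX, UNLIMITED),      # still unlimited
    approval_log(TOKEN_B, 101, 0, FARM, UNLIMITED),
    approval_log(TOKEN_A, 120, 1, FARM, 500 * 10**18),  # finite allowance
]

if __name__ == "__main__":
    for token, spender in unlimited_for(OWNER, SAMPLE_LOGS):
        print(token, spender, revoke_calldata(spender))
```

Approval logs record the amount that was approved, not what remains after the spender has used part of it, so the token contract's allowance(owner, spender) call remains the authoritative value before and after a revoke.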