Token Approvals

Teck Yuan Lee -

Note: Moonriver (MOVR) on Kusama is a companion network to Moonbeam and provides a permanently incentivized canary network. New code ships to Moonriver first, where it can be tested and verified under real economic conditions. Once proven, the same code ships to Moonbeam on Polkadot.

Polygon PoS (polygonscan.com) is an EVM-compatible environment optimized for high throughput and low transaction fees while Polygon zkEVM (zkevm.polygonscan.com) is an EVM-equivalent ZK rollup designed for security.

One of the modus operandi for phishing involves the hacker actually receiving a wallet address owner's approval to spend their tokens. Once approval is received, the drying of funds ensues.

If you are an avid user of decentralized exchanges (DEX) or are a degen, then clicking Confirm on a pop-up such as the above may well be a routine for you right now. Utilizing a DEX or partaking in a yield farming pool involves interacting with a smart contract that does most of the work behind-the-scenes for you.

But before a DEX or a yield farming pool is able to do anything, it first needs access to your funds. Hence, the above pop-up. After allowing the smart contract access to your funds, only then can it work its magic of moving your tokens around to execute a trade, stake tokens in a 1000% APY pool or exchange a cool shiny NFT for a cute wiggly one.

In an ideal world, there should be no repercussions from this simple act. But we know the world is far from ideal. When allowing these smart contracts access to your funds, by default, they are allowed to spend an unlimited amount of a token from your wallet address. There is then a possibility that they will in return be able to withdraw any amount of tokens from your wallet at any time they want without you knowing it.

That is exactly what some ill-intentioned projects have done when given the trust - with one case reporting a loss of $140,000 worth of a token due to this exploit.

This is where our tool comes in.

Token Approval Tool Overview

  1. Connect to Web3: Click on this to connect to your MetaMask, WalletConnect, or Coinbase Wallet. Do take note that only the address owner is allowed to revoke the connected smart contracts.
  2. Amount at Risk: This shows the total value in the address that is at risk due to the token approvals granted to smart contracts.
  3. Token Standards: Navigate between different token standards to view the token approvals granted to smart contracts for a particular token standard. The token standards include {{token}}, {{nft}}, and {{sft}}.
  4. Total Token Approvals Found: This shows the summary total of token approvals granted to smart contracts.
  5. Show All Approvals: Toggle off to view the token approvals granted for all tokens currently held at the address. Toggle on to view all previously granted token approvals, irrespective of whether the tokens are currently held at the address.
  6. Filter By: Use this to easily filter for all the token approvals granted for a particular asset.
  7. Txn Hash: This shows the transaction that has granted the token approval for the asset.
  8. Last Update (UTC): This shows the date and time the token approval was granted. Can be toggled with Age to show how long ago the token approval was granted.
  9. Assets: This shows the asset that has token approval granted by the address.
  10. Approved Spender: This shows the smart contract that was granted the token approval.
  11. Allowance: This shows the amount of tokens the Approved Spender is allowed to spend on behalf of the address.
  12. Revoke: Click on this button to revoke the approval of the intended smart contract. Every connected smart contract will have their own 'Revoke' button. Thus, only revoke the approval of the smart contract(s) that you wish to disconnect.

With our {{link}} feature, you have a clear view of all the smart contracts and corresponding tokens you have allowed to spend on your behalf. Should you notice any suspicious contracts allowed to spend staggering amounts of tokens or want to 'spring clean' your approvals, you can easily revoke their approval or decrease the approved amounts.

Using this feature is devoid of hassle and only requires you to connect to your Web3 wallet to revoke or edit approvals. If you'd just like a quick glance at an address's approvals, just insert the address or domain name into the search bar and press enter!

How to use the Token Approval tool

  1. Open the {{link}} page.
  2. Enter your address into the search bar and click the search button.
  3. If your address is connected to any smart contract that allows them to spend on your behalf, the smart contracts will be listed according to the token standards of the token allowance ({{token}}, {{nft}} or {{sft}}).
  4. Click on the 'Connect to Web3' button to connect your wallet. Do take note that only the address owner is allowed to revoke the connected smart contracts.
  5. Once connected, click the 'Revoke' button to revoke the approval of the intended smart contract. Every connected smart contract will have their own 'Revoke' button. Thus, only revoke the approval of the smart contract(s) that you wish to disconnect.

With this feature, we hope the community can keep better track of token approvals and collectively reduce our funds lost to phishing!