DeFi runs on token approvals. Every swap on a decentralized exchange, every deposit into a lending protocol, and every NFT listing requires you to grant a smart contract permission to move your tokens. The problem is that these approvals rarely expire on their own, and most users sign unlimited approvals without realizing the exposure they carry.
When a protocol gets exploited, a frontend gets compromised, or a project you forgot about turns malicious, those dormant approvals become the exact pathway attackers use to drain wallets. In 2025 alone, approval-based phishing and contract exploits accounted for more than $1.1 billion in user losses according to on-chain security firms. The fix takes minutes and costs less than a typical swap. This guide walks through why approvals matter, how to audit them, and the exact steps to revoke them across any EVM chain.
Why Token Approvals Are a Security Blind Spot
On Ethereum and every EVM-compatible chain, smart contracts cannot move your tokens unless you explicitly allow it. That permission is called an approval, and it is recorded directly on-chain against your wallet address. When you use Uniswap, Aave, or any DeFi application for the first time with a given token, your wallet prompts you to sign an approval transaction before the actual action can happen.
Most interfaces default to requesting unlimited spending rights. The reason is convenience. Setting an approval once means you never have to sign again for that token on that contract, which saves gas and reduces friction. The tradeoff is that the smart contract can pull any amount of that token from your wallet at any point in the future, with no further consent from you.
This becomes dangerous in three specific situations. The first is when a protocol contract gets exploited, as happened with multiple lending markets and bridges over the past two years. The second is when a project abandons its frontend and a malicious actor takes over the domain. The third is when you interacted with a phishing contract disguised as a legitimate dapp. In all three cases, the approval you signed months or years earlier is what lets the attacker act.
How an Approval Becomes a Drained Wallet
The mechanics are straightforward. The ERC-20 token standard includes two functions relevant here: approve() and transferFrom(). When you sign an approval, you call approve() on the token contract and tell it that a specific address (the spender) is allowed to move up to a certain amount of your tokens.
Once that permission is set, the spender can call transferFrom() whenever they want, up to the limit you approved. If the limit was unlimited, the spender can drain the entire balance in a single transaction. NFT approvals work the same way through setApprovalForAll(), which grants permission over every token in a collection.
A typical attack unfolds in seconds. An attacker gains control of a contract or tricks a user into signing a malicious approval. The attacker then submits a batch of transferFrom() calls targeting every wallet with an open approval. Because the approvals are already on-chain, the victim does not need to sign anything new. The funds simply move.

Tools to Audit Your Active Approvals
Before you revoke anything, you need visibility. Several trusted tools read the approval data directly from the blockchain and display it in a readable format. The most widely used is Revoke.cash, which supports Ethereum, Arbitrum, Optimism, Base, Polygon, BNB Chain, Avalanche, and more than sixty other networks.
Other reliable options include Etherscan's Token Approval Checker, which works for Ethereum mainnet and is maintained by the explorer team itself, and DeBank, which aggregates approvals alongside your portfolio view. Wallets like Rabby and Zerion now surface approval risk scores directly in their interfaces, flagging contracts with known exploits or suspicious patterns.
The table below compares the most trusted options so you can pick the one that fits your workflow.
| Tool | Chains Supported | Best For | Key Advantage |
|---|---|---|---|
| Revoke.cash | 60+ EVM chains | Multi-chain DeFi users with approvals across many networks | Widest coverage, batch revocation, risk flagging |
| Etherscan Approval Checker | Ethereum only | Users who stay on Ethereum mainnet | Maintained by the explorer, highest trust |
| DeBank | 30+ EVM chains | Portfolio holders who want approvals and balances in one view | Combines approval audit with full portfolio tracking |
| Rabby Wallet | 40+ EVM chains | Active DeFi users who want real-time signing warnings | Built-in risk scoring before you sign any approval |
| Zerion | 20+ EVM chains | Mobile-first users managing approvals on the go | Clean mobile interface with one-tap revocation |
When choosing a tool, stick to well-known open-source options and always verify the URL. Fake revocation sites are a common phishing vector. Typing the address directly into your browser is safer than clicking links, and bookmarking the real site after your first visit removes the guesswork.
Revoking Approvals Step by Step
The process is the same across every EVM chain. Connect your wallet to Revoke.cash or the equivalent interface of your choice. The tool scans your address and lists every active approval, including the token, the spender contract, and the amount approved. Unlimited approvals are usually flagged in a distinct color.
To revoke, click the revoke button next to the approval. Your wallet will prompt you to sign a new transaction that calls approve() with a value of zero, effectively cancelling the permission. You pay gas on this transaction just like any other on-chain action. On Ethereum mainnet, a single revocation typically costs between $1 and $5 depending on network congestion. On Arbitrum, Base, or Optimism, the cost is usually under ten cents.
If you have dozens of open approvals, revoke them in batches rather than one by one to save on fees. Prioritize any approval tied to a contract you no longer recognize, any project that has been hacked, and any unlimited approval granted to a protocol you have not used in more than six months. NFT collection approvals should get the same treatment, especially those granted to marketplaces you no longer use.
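As an added example (not code from the article, Revoke.cash, or any of the tools above), the following Python does what an approval checker does under the hood for the approve()/transferFrom() mechanics described earlier and the revocation steps just given: it replays a wallet's ERC-20 Approval logs, keeps the latest allowance per token and spender, flags unlimited ones, and ABI-encodes the approve(spender, 0) call a revocation signs. The same encoder with a non-zero amount produces the exact-amount approval recommended in the next section. The log entries, addresses and the 2**255 "unlimited" threshold are constructed assumptions.

```python
# Added example (not code from the article or any revocation tool): replay
# ERC-20 Approval logs for one wallet, find live allowances, flag unlimited
# ones, and build the approve(spender, amount) calldata a wallet would sign.
from collections import namedtuple

# keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval log
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
UNLIMITED_THRESHOLD = 2**255   # heuristic (assumption): this large is "effectively unlimited"
Allowance = namedtuple("Allowance", "token spender amount unlimited")

def topic_to_address(topic):
    """Indexed address topics are 32 bytes, left-padded; the address is the low 20."""
    return "0x" + topic[-40:].lower()

def address_to_topic(addr):
    return "0x" + addr[2:].lower().rjust(64, "0")

def current_allowances(logs, owner):
    """Replay logs in chain order; the latest approve() per (token, spender) wins."""
    owner, state = owner.lower(), {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if topics[0] != APPROVAL_TOPIC or topic_to_address(topics[1]) != owner:
            continue  # not an Approval event, or someone else's approval
        state[(log["address"].lower(), topic_to_address(topics[2]))] = int(log["data"], 16)
    # an allowance of zero is an approval that was already revoked or fully spent
    return [Allowance(t, s, amt, amt >= UNLIMITED_THRESHOLD)
            for (t, s), amt in state.items() if amt > 0]

def approve_calldata(spender, amount=0):
    """ABI-encode approve(spender, amount); amount 0 is the revocation a tool signs."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + f"{amount:064x}"

# Constructed sample data (not real chain data): one wallet, one token, two spenders.
OWNER, TOKEN = "0x" + "11" * 20, "0x" + "aa" * 20
OLD_DEX, NEW_DEX = "0x" + "22" * 20, "0x" + "33" * 20
SAMPLE_LOGS = [
    {"address": TOKEN, "blockNumber": 100, "logIndex": 3, "data": "0x" + "f" * 64,  # unlimited
     "topics": [APPROVAL_TOPIC, address_to_topic(OWNER), address_to_topic(OLD_DEX)]},
    {"address": TOKEN, "blockNumber": 250, "logIndex": 0, "data": "0x" + f"{500 * 10**18:064x}",
     "topics": [APPROVAL_TOPIC, address_to_topic(OWNER), address_to_topic(NEW_DEX)]},
    {"address": TOKEN, "blockNumber": 260, "logIndex": 1, "data": "0x" + "0" * 64,  # later revoked
     "topics": [APPROVAL_TOPIC, address_to_topic(OWNER), address_to_topic(NEW_DEX)]},
]

if __name__ == "__main__":
    for a in current_allowances(SAMPLE_LOGS, OWNER):
        print(f"{a.token} -> {a.spender}: {'UNLIMITED' if a.unlimited else a.amount}")
        print("  revoke calldata:", approve_calldata(a.spender, 0))
```

Against real chain data the logs come from an eth_getLogs query filtered on APPROVAL_TOPIC and the owner's padded address in topic1; the replay and encoding logic is unchanged.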
Reducing Approval Risk Going Forward
Revoking is reactive. The better habit is limiting exposure at the moment you grant the approval. When a dapp asks for permission, most modern wallets let you edit the approval amount before signing. Instead of leaving it at the default unlimited value, set it to the exact amount you intend to transact. For a $500 swap, approve $500 worth of the token. You will need to sign again for future swaps, but the protection is worth the friction.
Splitting funds across multiple wallets is another strong defense. Keep long-term holdings in a separate address that never touches DeFi protocols, and use a dedicated interaction wallet for swaps, airdrops, and experimental dapps. If the interaction wallet gets compromised through a bad approval, your core holdings remain untouched. A hardware wallet is the right home for the long-term address, because even signed approvals require physical confirmation on the device.
Set a recurring reminder to audit approvals every three months. The work takes about ten minutes and closes the most common attack surface in DeFi. Treat it the same way you treat rotating passwords or reviewing bank statements. It is unglamorous maintenance that prevents the worst outcome.
When Revoking Is Not Enough
Revoking approvals protects you from future draining of the tokens still in your wallet. It does not recover funds that have already been taken, and it does not neutralize a compromised private key or seed phrase. If an attacker has your seed phrase, they control the wallet entirely, and no amount of approval revocation can stop them from moving assets directly.
If you suspect your seed phrase has been exposed, the only solution is to create a new wallet on a clean device and move every remaining asset out of the old one as quickly as possible. Native tokens like ETH or SOL should be moved first, since they pay gas, followed by higher-value ERC-20 holdings. Signing a revocation on a compromised wallet is pointless because the attacker can approve new spenders faster than you can cancel them.
Approval hygiene sits alongside seed phrase security, not in place of it. Both matter. One protects you from protocols and contracts, the other from full wallet compromise. Getting both right is what separates users who survive DeFi for years from those who lose everything in a single bad signature.
The Bottom Line for DeFi Users
Token approvals are the invisible plumbing of DeFi. They are necessary for the ecosystem to function, and they are the most overlooked source of user loss. The defense is simple and well understood, yet the majority of wallets carry years of forgotten permissions that remain exploitable today.
A quarterly revocation check, edited approval amounts at the point of signing, and separate wallets for different risk profiles will neutralize the vast majority of approval-based attacks. None of these steps require technical expertise, and all of them are free aside from gas. The difference between a protected wallet and a vulnerable one is not knowledge. It is habit.