
Creating a Crypto Wallet
This is a summary of our Wallet Basics lesson, along with a walkthrough for the quest. Check out the full lesson to level up your knowledge and claim your badge!Key TakeawaysYou’ll need a crypto wallet to access the world of blockchains!A wallet is like a blockchain account.Wallets are used to store cryptocurrency, log into blockchain apps, and more.These wallets work on both computers and phones.Creating a wallet is easy and takes around 5 minutes. We’ll show you how, in our video below!What...

Funding a Wallet on Layer 2
Key TakeawaysThere are a number of ways to fund your wallet on an Ethereum scaling solution like Optimism, Arbitrum, or Polygon.Centralized exchanges often provide a direct Layer 2 onramp.Third-party payment apps enable users to fund a wallet on Layer 2 from a bank account or a debit or credit card.Protocol bridges let users send funds from Ethereum Mainnet to Layer 2.If you’re new to crypto, all the talk about the importance of Layer 2 (or L2) must seem a bit odd, confusing really. In contra...

Registering Your Web3 Username
Key TakeawaysUsing the Ethereum Name Service (ENS), you can create a single username that represents you across multiple blockchains.ENS names simplify sending and receiving cryptocurrency by replacing your lengthy wallet address with a memorable label like web3explorer.ethYour ENS names become associated with your online presence: your cryptocurrency portfolio, your blockchain interactions, social media pages, avatars, websites, and emails, forming a single onchain identity.Registering an EN...
https://banklessacademy.com/
Token allowances are permissions granted to smart contracts to spend tokens from a wallet without further approval.
They can be exploited by malicious actors if the user is not aware that the permissions are in place.
Tools like Revoke.cash allow users to easily inspect and revoke token allowances.
DeFi grants users control over their assets, including their private keys, offering unprecedented sovereignty and authority over their funds. However, with great power comes greater responsibility, requiring users to take full charge of the safety and management of their assets.
There are four common categories of scams that DeFi users should be aware of:
Seed Phrase Compromise: Attackers attempt to deceive users into revealing their seed phrases, which would give them unauthorized access to funds. With your seed phrase, an attacker can drain all your funds and continue doing so if you deposit additional funds into the wallet. Unfortunately, there is no way to recover from this situation, and the only solution is to create a completely new wallet with a new seed phrase.
Direct ETH Transfers: Scammers can conceal ETH transfers by either requesting an “eth_sign” signature or disguising it as a function call, such as “Security Update.” Falling for this scam means you won’t be able to recover your funds, but you can still safely use your wallet for other transactions.
NFT Marketplace Listings: Be cautious of fake listings and malicious contracts that exploit the allowances you grant to marketplaces like OpenSea. Scammers may trick you into signing an offchain message that lists your approved NFTs for sale, with no actual token transaction taking place.
Token Allowances: Attackers may manipulate permissions to gain access to more funds than initially approved. “Approvals” are on-chain transactions that grant access to your tokens or NFTs. “Permits” offer the same access but only require an off-chain signature.
As smart contracts gain popularity, token allowances become necessary to enable trusted contracts to execute transactions without exposing private keys. Token allowances allow dApps to automatically move tokens in your wallet on your behalf. While this convenience boosts efficiency, it also exposes users to potential attack vectors through scams and unauthorized access.
In this article, we’ll discuss ‘Token Allowances’ and introduce a community tool built to help manage your permissions.
Token allowances are permissions given in advance to smart contracts to spend tokens from a wallet. They serve a crucial role in facilitating transactions without requiring explicit permission every time for direct asset transfers from the wallet. When misused, however, token allowances can become an attack vector for the unsuspecting. To address this risk, it’s important that DeFi users exercise caution, educate themselves on the security landscape, and understand how token allowances actually work.
There are two steps involved when granting permissions to a third-party contract:
Wallet permission: When connecting your wallet to a dApp, you grant its smart contract permission to access your wallet’s public key, view your balances, and monitor your wallet activity.
Token approval: Once you’ve granted this access to your wallet, you then approve your tokens to be moved on your behalf in order to complete transactions.
By proactively managing token allowances, users can ensure that no contract withdraws more than the initially specified amount from their wallet. Luckily, there are community tools built to help give DeFi users confidence and peace of mind.
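The two-step model above maps onto the ERC-20 allowance functions (approve, allowance, transferFrom). The following in-memory model is an added illustration, not code from Bankless Academy or from any real token contract; addresses and balances are constructed placeholders. It shows why a bounded approval caps what a later-compromised spender can take, why an "unlimited" approval does not, and that revocation is simply an approval of zero.

```javascript
// Added illustration (not Bankless Academy code): a minimal in-memory model of the
// ERC-20 allowance mechanism with approve / allowance / transferFrom semantics.
// Addresses and amounts are constructed sample values.
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" approval many dApps request

class Token {
  constructor() {
    this.balances = new Map();   // owner -> balance
    this.allowances = new Map(); // owner -> Map(spender -> amount)
  }
  mint(owner, amount) {
    this.balances.set(owner, this.balanceOf(owner) + amount);
  }
  balanceOf(owner) { return this.balances.get(owner) ?? 0n; }
  // Token approval step: the owner lets `spender` move up to `amount` tokens.
  approve(owner, spender, amount) {
    if (!this.allowances.has(owner)) this.allowances.set(owner, new Map());
    this.allowances.get(owner).set(spender, amount);
  }
  allowance(owner, spender) {
    return this.allowances.get(owner)?.get(spender) ?? 0n;
  }
  // The spender moves tokens out of `owner`'s balance, never beyond the allowance.
  transferFrom(spender, owner, to, amount) {
    const allowed = this.allowance(owner, spender);
    if (allowed < amount) throw new Error("insufficient allowance");
    if (this.balanceOf(owner) < amount) throw new Error("insufficient balance");
    // By convention an unlimited allowance is not decremented, so it never runs out.
    if (allowed !== MAX_UINT256) this.approve(owner, spender, allowed - amount);
    this.balances.set(owner, this.balanceOf(owner) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
  // Revocation as Revoke.cash performs it: set the allowance back to zero.
  revoke(owner, spender) { this.approve(owner, spender, 0n); }
}

// Scenario: the user approves a dApp for `approvalAmount`, performs one legitimate
// 100-token operation, and afterwards the dApp contract is compromised and attempts
// to move the user's entire remaining balance. Returns what was left and what was lost.
function scenario(approvalAmount) {
  const token = new Token();
  const user = "0xUSER", dapp = "0xDAPP", thief = "0xTHIEF"; // constructed placeholders
  token.mint(user, 1000n);
  token.approve(user, dapp, approvalAmount);
  token.transferFrom(dapp, user, dapp, 100n); // the transaction the user intended
  let drained = 0n;
  try {
    token.transferFrom(dapp, user, thief, token.balanceOf(user));
    drained = token.balanceOf(thief);
  } catch (e) {
    // bounded allowance: the drain attempt reverts with "insufficient allowance"
  }
  token.revoke(user, dapp); // cleanup the user performs once the incident is known
  return {
    remaining: token.balanceOf(user),
    drained,
    allowanceAfterRevoke: token.allowance(user, dapp),
  };
}

console.log("bounded approval:", scenario(100n));
console.log("unlimited approval:", scenario(MAX_UINT256));
```

With a bounded approval of 100 tokens the user keeps the other 900; with MAX_UINT256 the same compromised spender moves all 900. In both cases revoke() brings the allowance to zero, but it only prevents further movement; it returns nothing already taken.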
Revoke.cash empowers users to easily manage their token allowances through a simple website that helps inspect and monitor allowances given to different dApps. Let’s walk through how you can use this powerful community tool to help you safeguard your assets and take back control of your wallet.
1. Connect your wallet:
To begin the process of revoking your token allowances, head to Revoke.cash and click on “Connect Wallet” located in the top-right corner. Alternatively, you can manually enter your wallet public address in the search bar. Once the loading is complete, you’ll see a list of all your token approvals on that network.

2. Inspect your allowances:
Once you have connected your wallet, you can inspect your existing approvals. You can sort, filter, or search for specific approvals based on the authorized spender address. Sorting by “Newest to Oldest” is particularly useful if you suspect a malicious approval was granted recently. Use the network selection, sorting, and filtering options provided to gain an overview of the token allowances you have granted across various networks.

3. Revoke undesired allowances:
Once you identify the approvals you want to revoke, simply click the “Revoke” button next to each of them. Optionally, you can update the approval to a different amount by clicking the pencil icon next to the approved amount if you still require the approval in the future but wish to reduce your risk.
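The inspection step above amounts to reducing a wallet's ERC-20 Approval events to the allowances still in force, listing them newest first and flagging the ones worth revoking. The routine below is an added example, not the Revoke.cash code base; the events, token names, spender addresses and the allowlist of trusted spenders are constructed sample data, and taking the latest Approval event per (token, spender) pair as the current allowance is a simplification of what a tool that also queries allowance() on chain would do. Note that nothing in this calculation depends on whether a dApp session is still connected: the approvals exist on their own.

```javascript
// Added example (not Revoke.cash code): audit a wallet's ERC-20 allowances from
// its Approval(owner, spender, value) events. All data below is constructed.
const UNLIMITED = (1n << 256n) - 1n;

// Spenders the user has decided to trust (assumed user-maintained allowlist).
const KNOWN_SPENDERS = new Set(["0xdex-router", "0xold-nft-market"]);

// Constructed Approval events for one wallet, in block order.
const SAMPLE_EVENTS = [
  { block: 100, token: "USDC", spender: "0xdex-router",         value: 500n },
  { block: 120, token: "USDC", spender: "0xdex-router",         value: 0n },        // already revoked
  { block: 130, token: "WETH", spender: "0xdex-router",         value: UNLIMITED },
  { block: 180, token: "WETH", spender: "0xunfamiliar-contract", value: UNLIMITED }, // phishing-style approval
  { block: 190, token: "DAI",  spender: "0xold-nft-market",     value: 250n },
];

// The most recent Approval for a (token, spender) pair overwrites the earlier ones,
// so only the latest event per pair matters; zero-valued ones are no longer in force.
function currentAllowances(events) {
  const latest = new Map();
  for (const ev of [...events].sort((a, b) => a.block - b.block)) {
    latest.set(`${ev.token}|${ev.spender}`, ev);
  }
  return [...latest.values()].filter((ev) => ev.value > 0n);
}

// "Newest to Oldest" view with flags: unlimited amounts and spenders the user
// does not recognise are the first candidates for the Revoke button.
function audit(events, knownSpenders = KNOWN_SPENDERS) {
  return currentAllowances(events)
    .sort((a, b) => b.block - a.block)
    .map((ev) => {
      const flags = [];
      if (ev.value === UNLIMITED) flags.push("unlimited");
      if (!knownSpenders.has(ev.spender)) flags.push("unknown-spender");
      return { ...ev, flags, recommend: flags.length ? "revoke" : "keep" };
    });
}

for (const row of audit(SAMPLE_EVENTS)) {
  const amount = row.value === UNLIMITED ? "unlimited" : row.value.toString();
  console.log(`block ${row.block} ${row.token} -> ${row.spender}: ${amount} [${row.flags.join(", ")}] ${row.recommend}`);
}
```

On the sample data the USDC approval drops out because it was already set to zero, the bounded DAI allowance to a known spender is kept, and the two unlimited WETH allowances are recommended for revocation, the one to an unfamiliar spender ranked first because it is the newest.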

It might be in your best interest to revoke or adjust a token allowance if:
A recently deployed smart contract is exploited and creates a vulnerability in a decentralized exchange you regularly use.
Earlier this year, popular DEX SushiSwap suffered a similar exploit, when ~$3.5M was stolen from users. Affected users remained at risk if they hadn’t revoked their token allowance.
A malicious governance proposal updates several contracts with the intent of draining users’ funds.
More than $2.5M in assets were compromised when Atlantis Loans, a DeFi protocol on BNB Chain, executed a governance proposal that targeted several contracts. Users who managed their approval limit mitigated the risk of their wallets being fully drained by the malicious proposal.
It’s time to strengthen our wallet defenses! We hope you’ve enjoyed this entry in the Explorer’s Handbook: ‘Managing Token Allowances’.
Don’t forget to collect this entry if you want to own a copy for easy reference on your travels, or to support future content at Bankless Academy. Safe travels, Explorer!
Use Revoke.cash periodically, especially during periods when you are not actively using a dApp, particularly for NFT marketplaces. Limiting approvals lessens the risk of funds loss due to hacks, exploits, or phishing scams. By sorting your approvals to show the most recent, you can identify the suspicious approvals and revoke them promptly, mitigating further damage.
Disconnecting your wallet from a dApp does not protect you from exploits, whether they rely on approvals or not. The token approvals you previously granted remain active even after disconnecting, because they are stored onchain rather than in the dApp session.
A proactive approach to token allowances includes:
granting allowances only to trusted dApps.
periodically reviewing token allowances.
removing unnecessary or suspicious allowances.
staying informed about dApps’ security updates.
Consider using third-party tools like the Revoke.cash browser extension — it acts as a proactive measure against potential threats. The extension warns you if you are about to sign something potentially harmful, protecting you from phishing scams or other malicious activities.
Unfortunately, Revoke.cash cannot recover stolen funds. It serves as a preventive tool to reduce the likelihood of becoming a victim of approval exploits. However, revoking the approvals used to steal your funds can prevent further theft.
Your wallet may contain a “sweeper bot,” a script that monitors and acts on transactions from a compromised wallet. When it detects such transactions, the bot initiates a new transaction before the original one completes, allowing it to rapidly transfer any new deposits out. If your wallet has such a “sweeper bot” stealing incoming ETH, it means your seed phrase is compromised. Revoking approvals won’t improve your wallet’s security. The best course of action is to abandon the compromised wallet and create a new one.
Author
Marcus publishes the ENS DAO Newsletter. He researches how surplus revenue generated from protocol fees can subsidize application layer development and other open source infrastructure.
Editors
Tetranome is the Project Champion at Bankless Academy, focusing on user experience, interface, design, and content.
Trewkat is a writer and editor at BanklessDAO. She’s interested in learning about crypto and NFTs, with a particular focus on how best to communicate this knowledge to others.
Patron
This unsponsored article is part of your free Bankless Academy education. Collect the article to support future content!
This article does not contain financial or tax advice. Bankless Academy is strictly educational and is not investment advice or a solicitation to buy or sell any assets or make any financial decisions. Talk to your accountant. Do your own research.
Explore more lessons on Bankless Academy to level up your web3 knowledge.