What Are Token Approvals? | Revoke.cash (2024)

Token approvals are used to give permission to a smart contract to spend your tokens on your behalf. This is a common pattern used by decentralized exchanges, lending protocols, and other decentralized applications. For example, if you want to trade your tokens on a decentralized exchange, you will need to give the exchange permission to swap those tokens on your behalf.

Token approvals are also used with NFTs. For example, if you want to sell your NFT on a marketplace, you will need to give the marketplace permission to transfer your NFT on your behalf. Or if you want to use your NFT as collateral for a loan, you will need to give the lending protocol permission to transfer your NFT on your behalf.

How Do Token Approvals Work?

In most smart contracts of standard fungible tokens and NFTs, there is a mapping that keeps track of all the approvals that a user has granted, who they have granted it to, and how much / which assets they have granted the approval for. Whenever you grant or revoke one of these approvals, this mapping is updated.

When a contract tries to spend your tokens on your behalf, the token's smart contract then checks this mapping to see if the spender has permission to spend the tokens. If it does, the tokens are spent. If it does not, the transaction fails.

Fungible Token Approvals

For fungible tokens, smart contracts contain an approve() function to grant approval to another address to spend your tokens on your behalf. This function takes two parameters: the address of the spender and the amount of tokens. Revoking an approval is done by calling approve() again with the same parameters, but with the amount set to 0.

For example, if you want to grant approval to a decentralized exchange to spend 1000 USDC on your behalf, you would call approve() like this:
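
As an added illustration (not code from Revoke.cash or from any deployed token contract), the JavaScript below models the allowance mapping and the spend-time check described in the two sections above. The class, the account names and the balances are assumptions made for the example; amounts are in base units, and USDC uses 6 decimals.

```javascript
// Added example: in-memory model of an ERC-20 allowance mapping (not a real contract).
// Account names and balances are constructed; amounts are BigInt base units.
class Erc20Model {
  constructor(decimals) {
    this.decimals = decimals;
    this.balances = new Map();   // owner -> balance
    this.allowances = new Map(); // owner -> Map(spender -> remaining amount)
  }
  units(whole) { return BigInt(whole) * 10n ** BigInt(this.decimals); }
  balanceOf(owner) { return this.balances.get(owner) ?? 0n; }
  allowance(owner, spender) {
    return this.allowances.get(owner)?.get(spender) ?? 0n;
  }
  // approve(): the owner overwrites the entry for this spender; 0 revokes it.
  approve(owner, spender, amount) {
    if (!this.allowances.has(owner)) this.allowances.set(owner, new Map());
    this.allowances.get(owner).set(spender, amount);
  }
  // transferFrom(): the spender moves the owner's tokens, within the allowance only.
  transferFrom(spender, owner, to, amount) {
    const allowed = this.allowance(owner, spender);
    if (amount > allowed) throw new Error("insufficient allowance");
    if (amount > this.balanceOf(owner)) throw new Error("insufficient balance");
    this.approve(owner, spender, allowed - amount);
    this.balances.set(owner, this.balanceOf(owner) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

function demoFungibleApproval() {
  const usdc = new Erc20Model(6); // USDC uses 6 decimals
  usdc.balances.set("alice", usdc.units(5000));
  usdc.approve("alice", "dex", usdc.units(1000));          // grant 1000 USDC
  usdc.transferFrom("dex", "alice", "pool", usdc.units(400));
  const remaining = usdc.allowance("alice", "dex");        // 600 USDC left
  usdc.approve("alice", "dex", 0n);                        // revoke
  let blocked = false;
  try { usdc.transferFrom("dex", "alice", "pool", 1n); } catch { blocked = true; }
  return { remaining, blocked, aliceBalance: usdc.balanceOf("alice") };
}
```

The unspent 600 USDC of allowance stays usable by the spender until the owner overwrites it, which is why the revoking `approve()` call matters even after a trade has completed.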


NFT Approvals

For NFTs, there are two different types of approvals: limited, and unlimited. Limited approvals are used to give permission to a smart contract to transfer a specific NFT (with a specific ID). Unlimited approvals are used to give permission to a smart contract to transfer any NFT within a collection. Limited approvals can only be granted to one address at a time, and because of that, most NFT marketplaces use unlimited approvals.

Limited NFT Approvals

For limited approvals, NFT contracts contain an approve() function to grant approval to another address to transfer a specific NFT on your behalf. This function takes two parameters: the address of the spender and the ID of the NFT. Revoking this approval is done by calling approve() again with the same parameters, but with the spender set to 0x000.... This kind of approval is also automatically revoked on transfer.

For example, if you want to grant approval to OpenSea to transfer your Pudgy Penguin with ID 4420 on your behalf, you would call approve() like this:


Unlimited NFT Approvals

For unlimited approvals, NFT contracts contain a setApprovalForAll() function to grant approval to another address to transfer any NFT within a collection on your behalf. This function takes two parameters: the address of the spender and a true/false value. Approving is done by calling setApprovalForAll() with a true parameter, while revoking is done using a false parameter.

For example, if you want to grant approval to OpenSea to transfer any NFT within your collection on your behalf, you would call setApprovalForAll() like this:
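
The limited and unlimited NFT approval rules from the two sections above, as an added JavaScript model (not code from Revoke.cash, OpenSea or any NFT contract). The class and the account names are assumptions; token ID 4420 is reused from the text, and the model is simplified so that only the owner may call `approve()`.

```javascript
// Added example: in-memory model of ERC-721 approval rules (not a real contract).
// Simplified: only the token owner may call approve(); names are constructed.
const ZERO = "0x0000000000000000000000000000000000000000";

class Erc721Model {
  constructor() {
    this.owners = new Map();         // tokenId -> owner
    this.tokenApprovals = new Map(); // tokenId -> one approved address (limited)
    this.operators = new Map();      // owner -> Set of operators (unlimited)
  }
  getApproved(tokenId) { return this.tokenApprovals.get(tokenId) ?? ZERO; }
  isApprovedForAll(owner, operator) {
    return this.operators.get(owner)?.has(operator) ?? false;
  }
  // Limited: one spender per token ID; approving the zero address revokes.
  approve(caller, spender, tokenId) {
    if (this.owners.get(tokenId) !== caller) throw new Error("not owner");
    this.tokenApprovals.set(tokenId, spender);
  }
  // Unlimited: covers every token the owner holds in this collection.
  setApprovalForAll(owner, operator, approved) {
    if (!this.operators.has(owner)) this.operators.set(owner, new Set());
    const ops = this.operators.get(owner);
    if (approved) ops.add(operator); else ops.delete(operator);
  }
  transferFrom(caller, from, to, tokenId) {
    if (this.owners.get(tokenId) !== from) throw new Error("wrong owner");
    const ok = caller === from || this.getApproved(tokenId) === caller ||
      this.isApprovedForAll(from, caller);
    if (!ok) throw new Error("not approved");
    this.tokenApprovals.delete(tokenId); // limited approval is cleared on transfer
    this.owners.set(tokenId, to);
  }
}

function demoNftApprovals() {
  const nft = new Erc721Model();
  nft.owners.set(4420, "alice").set(7, "alice");   // constructed holdings
  nft.approve("alice", "marketA", 4420);
  nft.approve("alice", "marketB", 4420);           // replaces marketA
  const limited = nft.getApproved(4420);
  nft.setApprovalForAll("alice", "marketA", true);
  nft.transferFrom("marketA", "alice", "bob", 7);  // operator may move any token
  nft.transferFrom("marketB", "alice", "bob", 4420);
  const cleared = nft.getApproved(4420) === ZERO;  // auto-revoked on transfer
  nft.setApprovalForAll("alice", "marketA", false);
  return { limited, cleared, ownerOf7: nft.owners.get(7),
    stillOperator: nft.isApprovedForAll("alice", "marketA") };
}
```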


Semi-Fungible Token Approvals

Semi-fungible tokens are a special type of NFT that can be used to represent multiple copies of the same asset. As you can imagine, these tokens have a lot in common with NFTs, so their approval system also looks a lot alike. The biggest difference is that semi-fungible tokens have a setApprovalForAll() function, but no approve() function.

Risks of Token Approvals

Token approvals are a core part of the smart contract ecosystem. Without them, a lot of DeFi applications would not be possible. But there are also risks to token approvals. If you give a smart contract permission to spend your tokens, it can spend them at any time. So if the smart contract is hacked or malicious, your tokens can be stolen.

Smart Contract Exploits

One of the risks of token approvals is that the smart contract you are granting approval to can be hacked. Even established projects can become the victim of a hack, as we saw with the SushiSwap exploit in April 2023. In these cases, hackers may be able to steal tokens from your wallet if you've given any approvals to the hacked smart contract.

To help combat this, we created our exploit checker, which contains a list of known smart contract exploits. You can use this tool to check if you have any active approvals to exploited smart contracts.

Scams and Phishing Attacks

Besides legitimate projects getting hacked, there are also a lot of scams and phishing attacks in the crypto space. These scams often use approvals to steal your money. Some common phishing scams that use approvals are:

  1. Direct Approval to a Scammer: A scammer tricks you into approving a smart contract that they control, allowing them to take the money directly from your wallet.
  2. NFT Marketplace Listings: A scammer will trick you into signing a signature that lists your assets for sale on an NFT marketplace for 0 ETH, allowing them to "buy" your NFTs for 0 ETH.

Extensions such as the Revoke Extension or Pocket Universe can help protect you from these types of scams as they provide warnings when you are about to approve a smart contract. Keeping your approvals to a minimum and regularly revoking approvals can also help protect you from these types of scams, since it limits the amount of damage a scammer can do – especially for marketplace listings.
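
One way to review outstanding approvals, as an added JavaScript example (not Revoke.cash's implementation): replay a wallet's `Approval` and `ApprovalForAll` events in block order and report what is still active. The event objects, token and spender names, and the "exploited" list are constructed sample data; treating the maximum uint256 amount as unlimited is a common convention assumed here.

```javascript
// Added example: rebuild a wallet's active approvals from event logs; latest event wins.
// All tokens, spenders, events and the "exploited" list are constructed sample data.
const MAX_UINT256 = 2n ** 256n - 1n;

function activeApprovals(events, exploitedSpenders = new Set()) {
  const state = new Map(); // token|kind|spender -> latest granting event
  for (const ev of events) {                     // events must be in block order
    let key, active;
    if (ev.type === "Approval") {                // fungible: amount 0 revokes
      key = `${ev.token}|erc20|${ev.spender}`;
      active = ev.amount > 0n;
    } else if (ev.type === "ApprovalForAll") {   // NFT collection: false revokes
      key = `${ev.token}|all|${ev.operator}`;
      active = ev.approved;
    } else continue;
    if (active) state.set(key, ev); else state.delete(key);
  }
  return [...state.values()].map((ev) => {
    const spender = ev.spender ?? ev.operator;
    return {
      token: ev.token,
      spender,
      unlimited: ev.type === "ApprovalForAll" || ev.amount === MAX_UINT256,
      exploited: exploitedSpenders.has(spender),
    };
  });
}

const SAMPLE_EVENTS = [
  { type: "Approval", token: "USDC", spender: "dexRouter", amount: 1000000000n },
  { type: "Approval", token: "DAI", spender: "oldRouter", amount: MAX_UINT256 },
  { type: "ApprovalForAll", token: "PudgyPenguins", operator: "marketplace", approved: true },
  { type: "Approval", token: "USDC", spender: "dexRouter", amount: 0n }, // revoked
  { type: "ApprovalForAll", token: "PudgyPenguins", operator: "marketplace", approved: false },
  { type: "ApprovalForAll", token: "GameItems", operator: "lender", approved: true },
];

// Approvals worth revoking first: unlimited scope or a spender on the exploited list.
function auditSample() {
  const report = activeApprovals(SAMPLE_EVENTS, new Set(["oldRouter"]));
  return report.filter((a) => a.exploited || a.unlimited);
}
```

Event replay gives the last approved amount, not the remaining one, because a token is not required to emit `Approval` when an allowance is spent; a real check should confirm each entry against the token's on-chain `allowance()` value.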

FAQs

What are token approvals?

Token approvals are permissions granted to dApps by signing a message, which can be used by malicious actors to potentially steal your NFTs or cryptocurrency. It is important to periodically review and revoke any suspicious token approvals to ensure the security of your assets.

Should you revoke all token approvals?

We recommend regularly checking and revoking your existing token approvals, which will prompt an additional confirmation to complete a transaction. Disconnect from a dapp if you don't plan on using the dapp soon, no longer trust it, or are connected unintentionally.

What are the risks of token approval?

Understanding Infinite Token Approvals

This feature streamlines frequent interactions with decentralized applications (dApps), but can leave your assets vulnerable if the approved contract is compromised. Since 2020, over $405 million has been stolen through approval exploits (source: revoke.cash).

How to remove token approval?

How can I manage and revoke token approvals?
  1. Press Connect to Web3 to connect your wallet. ...
  2. Navigate through the ERC-20, ERC-721, or ERC-1155 tabs until you see the token approval you would like to revoke.
  3. Press Revoke to revoke the token approval.

Can a smart contract drain your wallet?

Today's drainers can automate most of the work of emptying victims' crypto wallets. First, they can help to find out the approximate value of crypto assets in a wallet and identify the most valuable ones. Second, they can create transactions and smart contracts to siphon off assets quickly and efficiently.

How do you check if a token is safe?

This article introduces eight checks to help traders avoid effective scams.
  1. Start with the Basics. ...
  2. Verify the code on Etherscan. ...
  3. Check out Etherscan reviews. ...
  4. Check DappRadar blacklist. ...
  5. Check the token details in the token index. ...
  6. Check how many exchanges have listed the token. ...
  7. Check the liquidity in the token balance pool.

What happens when you approve a token?

In short: permission for a dapp to access and move a specific type of token from your wallet. These prompts will often appear in MetaMask if you're a frequent user of decentralized exchanges (DEXs) and DeFi in general.

Article information

Author: Geoffrey Lueilwitz
