Revoke MetaMask Token Approvals to Prevent Exploits
Every ERC-20 swap, every NFT listing, every liquidity provision leaves a fingerprint in the form of a token allowance — a standing permission that tells a smart contract it may move a specific quantity of your assets at a later point in time.
The problem is persistence. Those allowances do not expire by default. They sit in contract storage, queryable by any front-end or off-chain indexer, and exploitable by the original spender — or by whoever acquires the spender's private keys, takes over the spender's contract logic, or replicates the spender's address through a phishing clone. Wallet drainer kits sold on underground markets now include a module that scans a victim's approval history and triggers `transferFrom` against the most lucrative allowances the moment the victim signs a single malicious transaction. The user thinks they are approving a new mint; the drainer is executing on permissions granted months or years ago. The pattern has become a structural feature of the threat landscape, and the mitigations exist — they are simply not practiced at scale.
The Hidden Danger of Smart Contract Allowances
To understand the threat, you need to understand the accounting primitive. The ERC-20 standard includes two functions that together govern delegated spending: `approve(spender, amount)` and `transferFrom(from, to, amount)`. When a user calls `approve` on a token contract, they are writing a tuple `(owner, spender, amount)` into the token contract's storage. That tuple authorizes the spender contract to call `transferFrom` on the user's behalf, up to the specified amount, until either the allowance is consumed or the user issues a new `approve` transaction that overwrites it.
The original specification allowed for any positive integer. Early DEX front-ends defaulted to the maximum representable value (`2^256 - 1`, the "infinite approval") precisely because the alternative — approving the exact transaction amount each time — required an extra transaction per swap, roughly doubling the gas cost of a trade. The trade-off was understood at the protocol level: convenience over hygiene. What was not adequately modeled was the long-tail consequence of an unbounded allowance to a contract that, years later, might be compromised, deprecated, or replaced by a malicious upgrade.
An ERC-20 allowance is not a session key that expires when you close the tab. It is a persistent write to contract storage that survives indefinitely and transfers risk to whoever holds the spender's signing authority.
Three structural factors compound the problem. First, the allowance is stored on the *token* contract, not on the spender, which means revoking it requires an on-chain write from the owner's wallet — there is no server-side off switch. Second, wallets like MetaMask display allowances in the confirmation screen but historically have not surfaced them in a persistent permissions view, so the user has no native affordance for auditing them. Third, the set of spenders accumulates: a typical DeFi user who has interacted with five to ten protocols over two years will have a comparable number of live allowances, the majority of which are forgotten and unnecessary for ongoing operation.
The result is what security researchers call *standing attack surface* — a portfolio of permissions that, by themselves, are inert, but that can be weaponized the instant any single one of those spenders falls under adversarial control.
Identifying High-Risk Permissions
Not all allowances are equal. The risk profile of a given approval is a function of three variables: the spender's trust status, the allowance amount, and the asset's value and liquidity.
Spender trust status is the dominant signal. An `approve` call to a contract you are about to interact with, in the same transaction, is low risk by construction — the spender cannot do anything until the transaction is mined, and you have just chosen to trust it. An `approve` call to a contract you interacted with eighteen months ago, whose governance has since changed, whose admin keys were transferred, or which has been deprecated in favor of a new implementation, is high risk. The defining question is whether the entity currently holding the spender's signing authority still warrants the same trust you extended to the entity that originally deployed it.
Allowance amount is the second signal. A bounded allowance limits the worst case. An infinite allowance transfers the entire token balance at risk. This is why infinite approvals are the primary target of automated drainer tooling.
Asset value and liquidity is the third. An infinite approval for a token with no liquidity and no market is theoretically complete but practically worthless. An infinite approval for USDC, USDT, WETH, or any major pool token is a live, exploitable liability.
| Risk Indicator | Low Risk | High Risk |
|---|---|---|
| Spender relationship | Active, currently used protocol | Dormant, deprecated, or unknown |
| Allowance amount | Bounded to specific value | Unlimited (`2^256 - 1`) |
| Asset profile | Low-liquidity or valueless token | High-liquidity stablecoin or blue-chip |
| Time since last interaction | Recent (days) | Long-tail (months or years) |
| Contract upgradeability | Immutable or timelock-gated | Upgradeable proxy with admin keys |
A practical heuristic: any approval where two or more of the high-risk cells apply should be revoked on a routine cycle. Any approval where all five apply — dormant spender, infinite amount, blue-chip asset, long-tail dormancy, upgradeable contract — is a critical priority.
Step-by-Step: Cleaning Up Approvals via Etherscan and Revoke.cash
Two paths are dominant in the current ecosystem: the Etherscan token approval checker and the Revoke.cash dashboard. Both achieve the same end state — an on-chain `approve(spender, 0)` transaction that resets the allowance to zero — but they differ in interface, scope, and trust assumptions.
The Etherscan path is the lower-trust option because it does not require connecting a wallet to a third-party front-end. The user navigates to the relevant Etherscan deployment, opens the "More" menu in the top navigation, and selects "Token Approval." The tool queries the token contract directly for all `Approval` events involving the connected address and returns a per-spender view. Each row exposes the spender address, the approved amount, and the underlying token. Revocation is initiated by clicking the "Revoke" button, which constructs a zero-allowance transaction and presents it to the connected wallet for signing. Because the transaction is an `approve` call to the token contract, it pays gas to the token contract's network, not to Etherscan.
The Revoke.cash path is broader in scope. The dashboard supports multiple EVM networks — Ethereum mainnet, Arbitrum, Optimism, Base, Polygon, BNB Chain, and others — and aggregates approvals across all of them. It also surfaces some approval types that the Etherscan tool does not index, including certain `IncreaseAllowance` patterns and some non-standard permit-based authorizations. The trade-off is that the user is trusting Revoke.cash's indexer to read the chain state correctly and to construct a valid revocation transaction. The service has become a widely referenced tool in the security ecosystem; the smart contract calls it generates are standard and verifiable on a block explorer before signing.
Revocation is an on-chain state transition, not a settings toggle. It requires a signed transaction, costs gas, and creates a permanent record on the network that the allowance was zeroed.
A third path, increasingly supported, is the wallet-native permission view. MetaMask's Portfolio interface and the Snaps extension ecosystem have both added approval dashboards in recent versions. The convenience is real; the coverage is still narrower than the dedicated tools, and the indexer behavior is less transparent than Etherscan's read-from-chain approach.
| Tool | Networks Supported | Wallet Connection | Trust Model |
|---|---|---|---|
| Etherscan Token Approval | Ethereum mainnet (others via per-chain explorers) | Read-only to query, signed tx to revoke | Low — direct RPC to token contract |
| Revoke.cash | All major EVMs | Wallet connect to revoke | Medium — depends on indexer accuracy |
| MetaMask Portfolio | Ethereum, selected L2s | Native to wallet | Low — wallet vendor's own indexer |
For users holding assets across multiple L2s, Revoke.cash is the most efficient single entry point. For users on Ethereum mainnet only who prefer to minimize third-party trust surface, the Etherscan path is the more conservative choice. The two tools can be used in combination — Etherscan to audit, Revoke.cash to sweep.
The Role of Gas Fees in Security Maintenance
Every revocation is an on-chain transaction, and every on-chain transaction costs gas. The economic calculus is straightforward: the cost of a revocation must be lower than the expected loss from leaving the allowance in place. For high-value wallets, this is almost always true. For low-value wallets, the calculus narrows, and users historically under-revoke as a result — a rational but underappreciated contributor to the long tail of compromised addresses.
The practical mitigation is to batch revocations and execute them during low-congestion windows. A typical ERC-20 `approve(spender, 0)` costs between 25,000 and 45,000 gas depending on whether storage slots are cold or warm. A full sweep of ten allowances therefore costs roughly 300,000–450,000 gas in transaction base cost, plus the priority fee at the moment of execution. On Ethereum mainnet during a quiet period, this translates to a few dollars per sweep; at peak congestion, the same operation can run into the tens of dollars.
The strategic implication is that approval hygiene is a cost-center for the user and, as such, is most effectively performed on a scheduled basis — for example, once per quarter — rather than reactively after a wallet drainer campaign has already identified the user as a target. The defenses of last resort, executed in a panic after the drainer's domain is already known, are expensive precisely because everyone is doing the same thing at the same time, and gas spikes accordingly. Scheduled maintenance is cheaper and more thorough.
The `setApprovalForAll` Threat to NFT Collections
The ERC-721 standard introduces a function that is structurally more dangerous than its fungible-token analog. `setApprovalForAll(operator, approved)` grants a single address permission to transfer *every* NFT in the caller's wallet that belongs to a given collection. There is no amount field. The permission is binary: the operator can move the entire collection, indefinitely, until the user issues a matching `setApprovalForAll(operator, false)`.
Marketplaces rely on this. OpenSea, Blur, LooksRare, and other secondary platforms request `setApprovalForAll` to enable listing flows where the user can list multiple NFTs in a single transaction, and the marketplace can later execute the transfer when a buyer is found. The pattern is architecturally sound — bounded by the marketplace's operator key and the user's ability to revoke. The problem, as with fungible allowances, is persistence and recovery: most users who granted marketplace-wide approvals in the earlier waves of NFT adoption have not revisited them, and a number of those marketplaces have since shut down, been acquired, or had their operator keys transferred in ways that are not transparently disclosed.
`setApprovalForAll` is the NFT equivalent of handing someone a copy of your house key and telling them they can come in at any time to collect anything they want. The pattern works because the recipient is trusted at the moment of granting. The pattern fails when that trust is no longer warranted.
Revocation of `setApprovalForAll` follows the same mechanical pattern as ERC-20 — a transaction setting `approved` to `false` — and is supported by both Etherscan and Revoke.cash. The UI in both tools will show these permissions as separate from token allowances, often under a labeled "NFT approvals" section. Operators like the historical OpenSea registry and other marketplace contracts should be reviewed individually; if the marketplace is not currently in use, the approval should be revoked, and re-issued only at the moment of the next listing.
Long-Term Implications for Wallet Hygiene and Security Culture
The allowance model is a legacy design choice that pre-dates the current threat environment. It is unlikely to be replaced at the token standard level in the near term — the installed base of ERC-20 and ERC-721 contracts is too large, and the proposed alternatives (EIP-2612 `permit` signatures, session keys, scoped delegations, account abstraction with bounded session keys) all carry their own trade-offs in terms of compatibility, gas cost, or signature surface. What is changing is the tooling and the user expectation.
The deeper shift is institutional. Auditors, regulators, and custody providers are beginning to treat standing allowances as a measurable risk factor. Compliance frameworks under development — including certain MiCA-aligned guidance and the operational standards being drafted by several large custodians — are likely to mandate periodic approval audits as a baseline control for any wallet holding customer assets. For the individual user, the practical question is not whether to revoke but how often, and against which threshold of asset value.
The most durable defense, however, remains individual hygiene. An `approve` is a contract with the chain, and contracts require maintenance — scheduled, deliberate, and scoped to the actual operational footprint of the wallet. The cost is small and predictable. The cost of leaving a high-value allowance to a deprecated contract is not.