5 minutes
Oct 9th, 2022 - 14:01 pm
Approvals often get demonized in the NFT space. With community members demanding larger bold red letters from wallet providers, and demanding answers from market platforms, there is understandably a lot of anxiety surrounding them.
But quite honestly, web3 would hardly be possible at all without them. If you have ever made a sale on an NFT platform, or made an offer on an NFT collection, you are already harnessing the power of approvals. Through approvals, you can set up conditions off-chain, and your deals will execute atomically when predetermined conditions are met, such as your listing price being hit, or someone accepting your wETH offer.
This allows you to do other things with the asset (like prove ownership) and list on other marketplaces as well. If approvals didn't exist, you'd need a platform that had either full custody of payment assets, NFT assets, or both. In that case, you wouldn't be able to list on multiple marketplaces and have all the benefits of holding the asset!
So what exactly does an approval do? Approvals give smart contracts the ability to interact with your tokens (ERC-20, NFTs, etc). They can pull them at will, based on parameters set in the smart contract.
NFT collections using the ERC-1155, ERC-721 or ERC-721A standards all share the following mechanism for approval. These standards usually have both an Approval and a Set Approval For All (SAFA) method; the unfortunate part is that scammers and marketplaces alike leverage the more dangerous latter of the two.
Set Approval For All: Approves all assets in a given wallet address for an entire NFT collection to a single address (usually a contract/NFT marketplace)
Approval: Approves a single asset in a given wallet address from an NFT collection to a single address (not used often in NFTs).
The scams related to these Approvals revolve around two things:
Note: The reason they try for signatures first before transactions is because many people don't know your assets can be stolen with a malicious signature (where you pay no gas) that leverages your legitimate approvals.
See a pattern here? Getting you to an untrusted website is the name of the game. In our Wallet for Every Occasion article we stress that you should never visit an untrusted website with your Sell Wallet, and that visiting an untrusted website with your vault wallet (a wallet that has no approvals) should only ever involve gasless signatures, as described in our Safe Signing 101 article.
So what is actually happening when you set an approval? We are actually calling the “Approve” method the same way we would in Etherscan (by the way, we have a great article on Etherscan Basics here). Let's take a look at the Apecoin contract to help visualize what is happening:
Every time you make an approval, really all you are doing is adding another authorized spender to the assets that exist in your wallet. By default, you, the wallet owner, typically have access to send/receive tokens within your wallet if the tokens conform to a widely accepted token standard like ERC-20, ERC-721, or ERC-1155. However, as our 102 students quickly learn, you can create token contracts where different rules might apply 😈.
Here is a list of how the different approve methods work on each contract type:
ERC-721
Function: Approve
Function: SetApprovalForAll
Examples: BAYC, Azuki, Doodles
ERC-1155
Function: SetApprovalForAll
Note: There is no single-asset Approve method in the ERC-1155 standard. This means that when you make an approval on an ERC-1155 contract, you are approving it for ALL of that token. To me this seems like an oversight, but I understand it.
Examples: Boring Security, Adidas: Into The Metaverse
ERC-20
Function: Approve
Function: IncreaseAllowance (not all ERC-20 tokens have this)
Note: IncreaseAllowance can often be called when there is no approval set for the spender's address, allowing it to function as an approval. Watch out for this one!
Examples: Apecoin, Wrapped Ethereum, AAVE (Proxy)
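The following is an added example, not code from this article or from Boring Security: a small offline decoder for the calldata of the three approval methods listed above (Approve, SetApprovalForAll and IncreaseAllowance), so you can see what a wallet prompt would actually grant before confirming it. It assumes only the well-known 4-byte selectors of those methods; the sample calldata and the 0xab...ab spender address are constructed, and the is_nft flag is a hypothetical parameter that tells the decoder whether Approve's second argument is a token id (ERC-721) or an allowance (ERC-20).

```python
from dataclasses import dataclass

UINT256_MAX = 2**256 - 1

# First 4 bytes of keccak256(signature): well-known selectors of the standard approval methods.
SELECTORS = {
    "095ea7b3": "approve",            # approve(address,uint256): ERC-20 and ERC-721
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address,bool): ERC-721 and ERC-1155
    "39509351": "increaseAllowance",  # increaseAllowance(address,uint256): some ERC-20s
}

@dataclass
class Approval:
    method: str
    spender: str  # spender / operator address being granted access
    value: int    # allowance or token id for approve*, 1 or 0 for setApprovalForAll
    risk: str     # plain-language summary of what the transaction grants

def _word(data: bytes, index: int) -> bytes:
    start = 4 + 32 * index  # skip the selector, then one 32-byte ABI word per argument
    if len(data) < start + 32:
        raise ValueError("calldata too short for argument %d" % index)
    return data[start:start + 32]

def decode_approval(calldata: str, is_nft: bool = False) -> Approval:
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    method = SELECTORS.get(data[:4].hex())
    if method is None:
        raise ValueError("not a standard approval call (selector %s)" % data[:4].hex())
    spender = "0x" + _word(data, 0)[12:].hex()  # address = 12 zero bytes + 20 address bytes
    value = int.from_bytes(_word(data, 1), "big")
    if method == "setApprovalForAll":
        value = 1 if value else 0
        risk = ("HIGH: operator can move EVERY token of this collection you hold, now or later"
                if value else "revocation: operator access removed")
    elif method == "approve" and is_nft:
        risk = "single asset: token id %d only" % value  # ERC-721 approve takes a tokenId
    elif value == 0:
        risk = "revocation: allowance set to zero"
    elif value == UINT256_MAX:
        risk = "HIGH: unlimited allowance"
    else:
        risk = "bounded allowance of %d base units" % value
    if method == "increaseAllowance":
        risk += " (added on top of any existing allowance, even if none was set)"
    return Approval(method, spender, value, risk)

# Constructed sample: setApprovalForAll(0xab..ab, true), the call a marketplace listing asks for.
SAMPLE_SAFA = "0xa22cb465" + "00" * 12 + "ab" * 20 + "00" * 31 + "01"
```

Run decode_approval(SAMPLE_SAFA, is_nft=True) to see the operator address and the HIGH risk summary; the same function reports an ERC-20 allowance of 2**256-1 as unlimited.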
Normally, one of the above approval methods must be called before a smart contract can pull tokens from your wallet. In a world of high gas fees this is a problem: for one of your tokens to interact with a smart contract, or to be pulled from your wallet as part of an atomic settlement, two transactions are needed instead of one. Additionally, approvals left open create a security risk if an old contract gets exploited, or if those approvals are leveraged by bad actors. Enter Permit and Permit2.
Permit is a primitive that exists as an extension of the ERC-20 token standard. New tokens will often adopt it as part of their contract. While this is convenient, it can be scary, as it DOES mean that your “Permittable tokens” can be approved with a simple gasless signature, adding a message-signing risk that tools like revoke.cash can't even remove! Want to know if you own tokens that are “Permittable by default”? Some notable tokens that fall into this list are $USDC, $stETH, $DAI and some major DeFi tokens such as $AAVE, $UNI and $BAL on ETH Mainnet. There are a few repositories which track the tokens that have Permit built in. You can cross-reference your tokens with the ones found on this list, or this one. You can learn more about Permit in this awesome article by AfterDark Labs.
Permit2 on the other hand is something every token can use. It just requires you to first approve that token to the Permit2 contract. It allows for all the same benefits after the initial approval, such as:
You can learn more about Permit2 in this module by our friends over at Revoke.Cash, or on the official Uniswap Labs blog!
Approval scams are the most common scams in the NFT space today. This scam most often shows up in:
I think you can see a pattern emerging in all of these scams: approvals (legitimate or malicious) are leveraged maliciously. A big part of these scams is also phishing. Maybe you think you're headed to Opensea, but take a look at our “Phishing & Tactics by Scammers” article to learn more about scammers' dirty dirty tactics to trick you into giving them your hard-earned tokens! Want to learn more about approvals, or think you might have too many approvals? Check out this article by Revoke.Cash on Revoking Approvals!
Have any questions, or want to learn more about web3 security and stay up to date on the most current security information, scams, and tactics? Join us in our Discord at https://discord.gg/boringsecurity .