Oct 9th, 2022 - 14:01 pm
Approvals often get demonized in the NFT space. With community members demanding bigger, bolder red warnings from wallet providers, and demanding answers from marketplaces, there is understandably a lot of anxiety surrounding them.
But quite honestly, web3 would hardly be possible at all without them. If you have ever made a sale on an NFT platform, or made an offer on an NFT collection, you were already using approvals. An approval lets you set up the terms of a deal off-chain (as a signed order) that the marketplace contract then executes atomically on-chain once the predetermined conditions are met, such as a buyer paying your listing price or a seller accepting your WETH offer.
This lets you keep doing other things with the asset (like proving ownership) and list it on other marketplaces as well. If approvals didn't exist, a platform would need full custody of the payment assets, the NFT assets, or both. In that case you could not list on multiple marketplaces, and you would lose the benefits of holding the asset in your own wallet!
So what exactly does an approval do? An approval authorizes another address, the spender (usually a smart contract), to move your tokens (ERC-20, NFTs, etc.) out of your wallet on your behalf. Once granted, the spender can pull them at any time, with no further confirmation from you, within whatever the approval covers; when and why it does so is decided by the spender contract's code, not by you.
When it comes to NFT collections, ERC-721 (including gas-optimized implementations such as ERC-721A) has both an approve method and a setApprovalForAll (SAFA) method, while ERC-1155 has only setApprovalForAll. The unfortunate part is that scammers and marketplaces alike rely on the more dangerous of the two, SAFA.
Set Approval For All (setApprovalForAll): approves every token you hold in a given NFT collection, including tokens you receive later, to a single operator address (usually a marketplace contract). It stays in effect until you explicitly revoke it.
Approval (approve): approves a single token in a collection to a single address. It is cleared automatically when that token is transferred (not used often in NFTs).
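To make the difference between the two methods concrete, here is an added example (not code from the original article, and not a real token contract) that models ERC-721 approval rules in plain Python the way the standard specifies them: a per-token approval dies with the first transfer, while setApprovalForAll covers every token the owner holds, including ones minted after the approval, until it is revoked. The addresses and token ids are made-up placeholders; ERC-1155 behaves like the setApprovalForAll half of this model, since it has no single-token approve.

```python
# Added example, not from the original article: an in-memory model of ERC-721
# approval semantics (approve vs setApprovalForAll). Addresses and token ids are
# placeholder strings and integers, not real on-chain values.


class ApprovalError(Exception):
    """Raised where a real contract would revert."""


class Erc721Model:
    """Tracks owners, per-token approvals and operator (setApprovalForAll) approvals."""

    def __init__(self):
        self.owner = {}            # token_id -> owner address
        self.token_approval = {}   # token_id -> single approved address
        self.operator = {}         # (owner, operator) -> bool

    def mint(self, to, token_id):
        self.owner[token_id] = to

    def approve(self, caller, spender, token_id):
        # approve(): one token, one spender; cleared when the token moves.
        if self.owner[token_id] != caller:
            raise ApprovalError("only the owner can approve a token")
        self.token_approval[token_id] = spender

    def set_approval_for_all(self, caller, operator, approved):
        # setApprovalForAll(): every token the caller holds in this collection,
        # now or in the future, until explicitly set back to False.
        self.operator[(caller, operator)] = approved

    def is_approved_or_owner(self, spender, token_id):
        owner = self.owner[token_id]
        return (spender == owner
                or self.token_approval.get(token_id) == spender
                or self.operator.get((owner, spender), False))

    def transfer_from(self, caller, frm, to, token_id):
        if self.owner[token_id] != frm:
            raise ApprovalError("from is not the owner")
        if not self.is_approved_or_owner(caller, token_id):
            raise ApprovalError("caller is neither owner nor approved")
        self.owner[token_id] = to
        self.token_approval.pop(token_id, None)   # per-token approval is consumed


def demo_erc721():
    nft = Erc721Model()
    alice, bob, marketplace, drainer = "alice", "bob", "marketplace", "drainer"
    for tid in (1, 2):
        nft.mint(alice, tid)

    # Single-token approval: good for exactly one transfer of token 1.
    nft.approve(alice, marketplace, 1)
    nft.transfer_from(marketplace, alice, bob, 1)
    single_approval_cleared = nft.token_approval.get(1) is None

    # setApprovalForAll: covers token 2 AND token 3, which is minted afterwards.
    nft.set_approval_for_all(alice, drainer, True)
    nft.mint(alice, 3)
    drained = []
    for tid in (2, 3):
        nft.transfer_from(drainer, alice, drainer, tid)
        drained.append(tid)

    # Revoking the operator approval stops further pulls.
    nft.set_approval_for_all(alice, drainer, False)
    nft.mint(alice, 4)
    try:
        nft.transfer_from(drainer, alice, drainer, 4)
        revoked = False
    except ApprovalError:
        revoked = True
    return {"single_approval_cleared": single_approval_cleared,
            "drained": drained, "revoked": revoked, "owner_of_4": nft.owner[4]}


if __name__ == "__main__":
    print(demo_erc721())
```

Running demo_erc721() shows the marketplace moving token 1 exactly once, the "drainer" operator taking tokens 2 and 3 (the latter minted after the approval was given) without any further action by the owner, and the pull of token 4 failing only because the operator approval was revoked first.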
The scams related to these Approvals revolve around two things:
Note: Scammers try for signatures first, before transactions, because many people don't know your assets can be stolen with a malicious signature (which costs you no gas) that leverages your legitimate approvals. A signed marketplace order, for example, is executed by the marketplace contract using the setApprovalForAll you already granted it, so a signature listing your NFTs at a near-zero price is all a scammer needs.
See a pattern here? Getting you onto an untrusted website is the name of the game. In our Wallet for Every Occasion article we stress that you should never visit an untrusted website with your Sell Wallet, and that with your vault wallet (a wallet that has no approvals) you should only ever sign gasless messages on such a site, as described in our Safe Signing 101 article.
So what is actually happening when you set an approval? You are calling the token contract's approve method, the same call you could make yourself from Etherscan (by the way, we have a great article on Etherscan Basics here). Let's take a look at the ApeCoin contract to help visualize what is happening:
Every time you make an approval, all you are really doing is adding another authorized spender to the assets in your wallet. By default you, the wallet owner, can send and receive the tokens in your wallet if they conform to a widely accepted token standard like ERC-20, ERC-721, or ERC-1155. However, as our 102 students quickly learn, you can write token contracts where different rules apply 😈.
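Since an approval is just a call to approve (or setApprovalForAll, or increaseAllowance) with a spender and a value, a wallet can tell you exactly what you are about to grant by decoding the transaction's calldata before you confirm. The following is an added example, not code from the original article or from any wallet: it decodes the ABI-encoded calldata of those three methods (4-byte selector, then 32-byte words) and flags the dangerous cases, an unlimited ERC-20 allowance and setApprovalForAll(..., true). The selectors are the well-known ones for these signatures; the sample transactions and the spender address in them are constructed for this example and are not real contracts.

```python
# Added example, not from the original article: decode approval calldata and
# describe what it grants. Sample calldata and addresses are constructed here.

UINT256_MAX = 2**256 - 1

# selector -> (function name, argument types); selectors are the first 4 bytes of
# keccak256(signature) and are the standard values for these methods.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),            # approve(address,uint256)
    "a22cb465": ("setApprovalForAll", ("address", "bool")),     # setApprovalForAll(address,bool)
    "39509351": ("increaseAllowance", ("address", "uint256")),  # increaseAllowance(address,uint256)
}


def _word(data, i):
    """32-byte ABI word number i, counted after the 4-byte selector."""
    start = 4 + 32 * i
    w = data[start:start + 32]
    if len(w) != 32:
        raise ValueError("calldata too short for argument %d" % i)
    return w


def decode_approval(calldata_hex):
    """Return (function, spender, value) for an approval-granting call, else None."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if len(data) < 4:
        return None
    entry = SELECTORS.get(data[:4].hex())
    if entry is None:
        return None                      # not one of the approval methods we know
    name, types = entry
    args = []
    for i, t in enumerate(types):
        w = _word(data, i)
        if t == "address":
            args.append("0x" + w[12:].hex())      # address sits in the low 20 bytes
        elif t == "uint256":
            args.append(int.from_bytes(w, "big"))
        elif t == "bool":
            args.append(int.from_bytes(w, "big") != 0)
    return (name, args[0], args[1])


def describe(calldata_hex):
    """One-line risk summary a wallet could show before the user confirms."""
    decoded = decode_approval(calldata_hex)
    if decoded is None:
        return "not an approval call"
    name, spender, value = decoded
    if name == "setApprovalForAll":
        if value:
            return "setApprovalForAll: grants %s control of EVERY token in this collection" % spender
        return "setApprovalForAll: revokes operator rights for %s" % spender
    if value == UINT256_MAX:
        return "%s: UNLIMITED allowance for %s" % (name, spender)
    return "%s: allows %s to take %d (ERC-20 amount, or ERC-721 token id)" % (name, spender, value)


def encode_call(selector_hex, spender, value):
    """Build calldata for an (address, uint256|bool) call; used to construct samples."""
    addr_word = bytes(12) + bytes.fromhex(spender[2:])
    val_word = int(value).to_bytes(32, "big")
    return "0x" + selector_hex + addr_word.hex() + val_word.hex()


SPENDER = "0x" + "ab" * 20   # placeholder spender address, not a real contract
SAMPLES = {
    "unlimited_erc20": encode_call("095ea7b3", SPENDER, UINT256_MAX),
    "safa_on": encode_call("a22cb465", SPENDER, 1),
    "increase_from_zero": encode_call("39509351", SPENDER, 10**18),
    "transfer": "0xa9059cbb" + "00" * 64,   # transfer(address,uint256): not an approval
}

if __name__ == "__main__":
    for label, calldata in SAMPLES.items():
        print(label, "->", describe(calldata))
```

The same decoding works on the hex "Input Data" field Etherscan shows for a transaction, which is a quick way to check after the fact what a site actually had you sign.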
Here is a list of how the different approve methods work on each contract type:
Note: There is no single-token approve method in the ERC-1155 standard, only setApprovalForAll. This means that when you make an approval on an ERC-1155 contract, you are approving the operator for ALL of the token ids you hold in that contract. To me this seems like an oversight, but I understand it.
Function: increaseAllowance (not all ERC-20 tokens have this; it is an OpenZeppelin extension, not part of the ERC-20 standard).
Note: increaseAllowance can be called when no allowance is set for the spender's address, in which case it works exactly like an approve for that amount. Watch out for this one: it grants spending rights without the word "approve" ever appearing!
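Here is an added example for the ERC-20 side of the list above (not code from the original article, and a plain-Python model rather than a real token contract): it models allowances the way ERC-20 and the OpenZeppelin increaseAllowance/decreaseAllowance extension define them, and shows that increaseAllowance starting from zero is simply an approve in disguise, that every transferFrom consumes allowance, and that an "unlimited" (uint256 max) allowance never runs down, which is the OpenZeppelin behaviour. Addresses and balances are placeholders.

```python
# Added example, not from the original article: an in-memory model of ERC-20
# allowance rules plus the OpenZeppelin increaseAllowance extension.
# Addresses are placeholder strings; balances are plain integers.

UINT256_MAX = 2**256 - 1


class Erc20Model:
    def __init__(self, balances):
        self.balance = dict(balances)
        self.allowance = {}   # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        # Standard approve(): overwrites whatever allowance existed before.
        self.allowance[(owner, spender)] = amount

    def increase_allowance(self, owner, spender, added):
        # Not in ERC-20 itself; with no prior allowance this is just approve(added).
        self.allowance[(owner, spender)] = self.allowance.get((owner, spender), 0) + added

    def decrease_allowance(self, owner, spender, subtracted):
        current = self.allowance.get((owner, spender), 0)
        if subtracted > current:
            raise ValueError("decreased allowance below zero")
        self.allowance[(owner, spender)] = current - subtracted

    def transfer_from(self, caller, owner, to, amount):
        allowed = self.allowance.get((owner, caller), 0)
        if amount > allowed:
            raise ValueError("insufficient allowance")
        if amount > self.balance.get(owner, 0):
            raise ValueError("insufficient balance")
        if allowed != UINT256_MAX:             # OpenZeppelin treats max as infinite
            self.allowance[(owner, caller)] = allowed - amount
        self.balance[owner] -= amount
        self.balance[to] = self.balance.get(to, 0) + amount


def demo_erc20():
    token = Erc20Model({"alice": 100})

    # approve() was never called, yet increaseAllowance creates a spendable allowance.
    token.increase_allowance("alice", "drainer", 60)
    token.transfer_from("drainer", "alice", "drainer", 60)
    after_increase = (token.balance["alice"], token.balance["drainer"])

    # That pull consumed the whole allowance, so a second pull reverts...
    try:
        token.transfer_from("drainer", "alice", "drainer", 1)
        second_pull = True
    except ValueError:
        second_pull = False

    # ...whereas an "unlimited" allowance is never reduced by pulls.
    token.approve("alice", "marketplace", UINT256_MAX)
    token.transfer_from("marketplace", "alice", "bob", 40)
    remaining = token.allowance[("alice", "marketplace")]

    return {"after_increase": after_increase, "second_pull": second_pull,
            "remaining": remaining, "alice_balance": token.balance["alice"]}


if __name__ == "__main__":
    print(demo_erc20())
```

The practical takeaway is the last case: an exact-amount allowance protects you once the spender has used it, while an unlimited one keeps working against every token you receive later until you set it back to zero with approve(spender, 0).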
Approval scams are the most common scams in the NFT space today. This scam most often shows up in:
I think you can see a pattern emerging in all of these scams: approvals, legitimate or malicious, are leveraged maliciously. A big part of these scams is also phishing. Maybe you think you're headed to OpenSea, but take a look at our "Phishing & Tactics by Scammers" article to learn more about scammers' dirty tactics for tricking you into giving them your hard-earned tokens! Want to learn more about approvals, or think you might have too many? Check out this article by Revoke.Cash on revoking approvals!
Have any questions, or want to learn more about web3 security and stay up to date on the most current security information, scams, and tactics? Join us in our Discord at https://discord.gg/boringsecurity.