Oct 18th, 2022 - 00:51 am
In one of our previous blog posts we told you All About Approvals. We told you about the different kinds of approvals, why they're useful, but also how they can be used to scam you. Today we'll tell you what you can do about them!
If you're a heavy crypto user or degen, chances are that you have a bunch of allowances given out to various protocols and smart contracts that you forgot all about. And on the other hand, you may have fallen victim to one of the scams outlined in our post about approvals, and inadvertently given approvals to scammers. In both of those cases - but especially in the latter - it is clear what needs to be done: revoke!
Revoking allowances is the process by which allowances are cancelled. So if you revoke an allowance that you gave to OpenSea for your Bored Apes, then OpenSea will not be able to sell those apes on your behalf any more. And similarly, if you revoke an allowance that you gave to a scammer for your Cool Cats, they will not be able to take them any more.
In case of scams, chances are that they already took some of your NFTs immediately after you approved the allowance, but even in those cases it is important to revoke those allowances so that they cannot steal more in the future. However, do note that most of these scams rely on bots, and if you act quickly enough, you may be able to revoke a bad approval before the scammer's automated system has a chance to pull your assets out of your wallet! In fact, we've seen it happen a few times in the Boring Security Discord, and were able to get someone to revoke before they lost everything! See the screenshot below? In some cases it can take bots up to 5 minutes or more to pull assets you've approved. If you realize it fast enough, and have the below sites bookmarked, you might be able to save yourself as well!
An Etherscan screenshot showing a revocation mid-wallet drain that saved many Ethercards
So now that we understand the why of revoking allowances, we can get into the how. Multiple platforms exist to assist with revoking allowances, most importantly Revoke.cash and Etherscan (plus related explorers like PolygonScan and BscScan). Revoke.cash offers one platform with support for many different blockchains, while Etherscan has separate platforms for separate chains.
On Revoke.cash you can select the blockchain that you're using and enter your wallet address (or ENS name / Unstoppable Domain). Alternatively you can connect your wallet directly instead of entering it manually. Revoke.cash then displays a list of allowances grouped by token - if you want to view allowances for all tokens, make sure to check all the “include” checkboxes.
From here you can inspect all your allowances and revoke the ones you no longer need or do not recognize. Revoke.cash also offers the option to “update” your ERC20 token allowances. This is particularly useful when you want to limit the amount of funds that you allow a protocol to access, but not completely revoke it.
On Etherscan you will have to find the Token Approvals tool by clicking More > Tools > Token Approvals. Here you can enter your wallet address (or ENS name). You can also connect your wallet instead of entering it manually. Etherscan then displays a list of allowances - if you want to view allowances for all tokens, make sure to flip the “Show all approvals” switch.
From here you can inspect all your allowances and revoke the ones you no longer need or do not recognize. For other chains, you can repeat the same process on the respective explorers (e.g. PolygonScan).
One important thing to note is that when you revoke an approval for an NFT, you will get a prompt in MetaMask that says “Revoke Approvals for ____”, while for an ERC-20 token approval revoke it will say “Set Approval”, but then down below it should say “Token amount: 0”.
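The wallet prompts described above correspond to two on-chain calls: `approve(spender, 0)` for an ERC-20 revoke and `setApprovalForAll(operator, false)` for an NFT revoke. The following added example (not code from Revoke.cash, Etherscan or MetaMask) decodes the raw transaction data so you can check that a transaction really is a revoke before signing. The function name `classifyApproval` and the sample spender address are made up for illustration, and `approve` calldata is assumed to target an ERC-20 token, since ERC-721 `approve` shares the same selector.

```javascript
// Added example: classify approval calldata as a revoke or a grant.
// Selectors are the first 4 bytes of keccak256 of the function signature.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // ERC-20 (ERC-721 shares this selector)
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155
};
const MAX_UINT256 = (1n << 256n) - 1n;

function classifyApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  // 4-byte selector + two 32-byte ABI words = 8 + 128 hex characters
  if (!/^[0-9a-f]*$/.test(hex) || hex.length !== 8 + 128) {
    return { kind: "unknown", reason: "not a two-argument approval call" };
  }
  const signature = SELECTORS[hex.slice(0, 8)];
  if (!signature) return { kind: "unknown", reason: "unrecognized selector" };

  const word1 = hex.slice(8, 72);
  const word2 = hex.slice(72, 136);
  // An ABI-encoded address is left-padded with 12 zero bytes
  if (!/^0{24}/.test(word1)) return { kind: "unknown", reason: "malformed address" };
  const spender = "0x" + word1.slice(24);
  const value = BigInt("0x" + word2);

  if (signature.startsWith("setApprovalForAll")) {
    if (value > 1n) return { kind: "unknown", reason: "malformed bool" };
    return { kind: value === 0n ? "revoke" : "grant-all", signature, spender };
  }
  // Assumption: ERC-20 token, so the second word is an amount, not a token ID.
  if (value === 0n) return { kind: "revoke", signature, spender, amount: 0n };
  const kind = value === MAX_UINT256 ? "grant-unlimited" : "grant-limited";
  return { kind, signature, spender, amount: value };
}

// Constructed sample inputs; the spender address is made up.
const pad = (h) => h.padStart(64, "0");
const SPENDER = "ab".repeat(20);
const SAMPLES = {
  erc20Revoke: "0x095ea7b3" + pad(SPENDER) + pad("0"),
  erc20Unlimited: "0x095ea7b3" + pad(SPENDER) + "f".repeat(64),
  nftRevoke: "0xa22cb465" + pad(SPENDER) + pad("0"),
  nftGrantAll: "0xa22cb465" + pad(SPENDER) + pad("1"),
};

for (const [name, data] of Object.entries(SAMPLES)) {
  console.log(name, "->", classifyApproval(data).kind);
}
```

Anything other than `revoke` on a transaction you opened from a revoke button means the prompt is not what it claims to be and should be rejected.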
If you prefer to learn through videos, BoringSecurityDAO contributor WiiMee has created these useful video guides on revoking allowances on Revoke.cash and on Etherscan.