*Paid Advertisement. Not financial advice. RugDoc is not responsible for the projects showcased here. DYOR and ape safu.

How To Revoke Permissions With MetaMask

IMPORTANT NOTE: DeBank has migrated their “Token Approval Management” feature to Rabby.io. Rabby is an open source extension wallet developed by DeBank.

In order to swap tokens, provide liquidity to liquidity pools, stake or interact with farms, users are required to allow smart contracts to utilize their assets. When using the MetaMask wallet, such a permission request for a farming pool looks like this:

[Image: granting permission on PancakeSwap]

Once approved, the smart contract has the permission to use the specified amount of LP-tokens according to its strategy.

This can also be the case for regular tokens: By using platforms such as zapper.fi, users can quickly swap their tokens, let’s say USDC, to ETH and BTCB, and directly deploy them in a liquidity pool, all in one step. Zapper will then ask for permission to spend either the given amount of tokens or an unlimited amount of tokens; with the latter, the user only needs to approve the permission once. However, this brings certain risks.
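What such a permission request carries on-chain, as an added example that is not part of the original article or of any wallet's code: an ERC-20 approval is a call to approve(spender, amount), and decoding its calldata shows whether the amount is limited, unlimited (the maximum uint256 value) or zero (a revocation). The spender address below is a constructed placeholder.

```javascript
// Added example: decode and build calldata for ERC-20 approve(address,uint256).
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the value behind an "unlimited" approval

// Returns null if the calldata is not an approve() call at all.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex)) throw new Error("calldata is not hex");
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  // selector (4 bytes) + two 32-byte ABI words
  if (hex.length !== 8 + 64 + 64) throw new Error("malformed approve calldata");

  const spenderWord = hex.slice(8, 72);
  // An address is 20 bytes, left-padded with 12 zero bytes inside its word.
  if (!/^0{24}/.test(spenderWord)) throw new Error("spender word is not a padded address");
  const spender = "0x" + spenderWord.slice(24);
  const amount = BigInt("0x" + hex.slice(72, 136));

  let kind = "limited";
  if (amount === 0n) kind = "revoke";
  else if (amount === MAX_UINT256) kind = "unlimited";
  return { spender, amount, kind };
}

// Builds the calldata for an approval; amount 0n is what a revocation sends.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("spender must be a 20-byte address");
  if (amount < 0n || amount > MAX_UINT256) throw new Error("amount out of uint256 range");
  return "0x" + APPROVE_SELECTOR +
    addr.padStart(64, "0") +
    amount.toString(16).padStart(64, "0");
}

// Constructed sample values, not taken from any real contract.
const SPENDER = "0x" + "ab".repeat(20);
const unlimitedRequest = encodeApprove(SPENDER, MAX_UINT256);
const revokeRequest = encodeApprove(SPENDER, 0n);

for (const data of [unlimitedRequest, encodeApprove(SPENDER, 100n), revokeRequest]) {
  const { spender, amount, kind } = decodeApprove(data);
  console.log(kind, spender, amount.toString());
}
```

The classification only treats the exact maximum value as unlimited; an amount far above the wallet balance should be read with the same caution.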

Revoking permissions

Many users have lost their assets because they weren’t aware of backdoors that malicious developers had placed in smart contracts. What often happens is that such platforms ask the user for permission to spend an unlimited number of tokens.

When interacting with well-known defi platforms with audited smart contracts such as Pancakeswap, users typically don’t have to worry too much about this. However, in the case of recently launched defi platforms which haven’t been audited, or reviewed by RugDoc, users should be aware of the risks this brings them.

Once a platform has been granted unlimited permission to spend a user’s tokens, malicious developers are able to control those tokens through backdoors they created in their smart contracts, even if the user has already withdrawn their tokens from the platform. What often happens next is that the malicious developers withdraw the tokens from users’ wallets into their own wallets, leaving the user with big losses.
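The allowance bookkeeping behind this, as an added example (a constructed in-memory model, not a real token contract and not RugDoc's code): it computes how many wallet tokens an approved spender can still reach while funds are staked, after they are withdrawn, and after the approval is revoked. The names "user" and "farm" and all balances are assumptions made up for the illustration.

```javascript
// Constructed model of ERC-20 allowance accounting, for illustration only.
const UNLIMITED = (1n << 256n) - 1n;

class TokenModel {
  constructor() {
    this.balances = new Map();   // address -> bigint
    this.allowances = new Map(); // "owner>spender" -> bigint
  }
  balanceOf(a) { return this.balances.get(a) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}>${spender}`) ?? 0n; }
  mint(to, amount) { this.balances.set(to, this.balanceOf(to) + amount); }

  // Signed by the owner. Overwrites the previous allowance; 0n revokes it.
  approve(owner, spender, amount) { this.allowances.set(`${owner}>${spender}`, amount); }

  transfer(from, to, amount) {
    if (this.balanceOf(from) < amount) throw new Error("insufficient balance");
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }

  // Called by the spender. No new signature from the owner is involved.
  transferFrom(spender, owner, to, amount) {
    const allowed = this.allowance(owner, spender);
    if (allowed < amount) throw new Error("insufficient allowance");
    this.transfer(owner, to, amount);
    this.approve(owner, spender, allowed - amount); // the allowance is consumed
  }

  // Wallet tokens the spender can still move: min(balance, allowance).
  exposure(owner, spender) {
    const bal = this.balanceOf(owner);
    const allowed = this.allowance(owner, spender);
    return bal < allowed ? bal : allowed;
  }
}

// Wallet holds 500, deposits 200 into the farm, later withdraws the 200 again.
function walkthrough(approvedAmount, revokeAfterWithdraw) {
  const t = new TokenModel();
  t.mint("user", 500n);
  t.approve("user", "farm", approvedAmount);
  t.transferFrom("farm", "user", "farm", 200n); // the deposit
  const whileStaked = t.exposure("user", "farm");
  t.transfer("farm", "user", 200n);             // the withdrawal
  const afterWithdraw = t.exposure("user", "farm");
  if (revokeAfterWithdraw) t.approve("user", "farm", 0n);
  return { whileStaked, afterWithdraw, final: t.exposure("user", "farm") };
}

console.log(walkthrough(UNLIMITED, false)); // approval outlives the withdrawal
console.log(walkthrough(UNLIMITED, true));  // revoked: nothing left reachable
console.log(walkthrough(200n, false));      // exact-amount approval is used up by the deposit
```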

It’s also important to keep in mind that hackers are actively trying to find vulnerabilities in smart contracts of popular defi platforms, such as what happened to Bancor, which could result in big losses for users.

Revoking permissions via DeBank

Now that it’s clear why revoking permissions is such an important step for investors to protect their assets, let’s focus on how you can revoke permissions. In this example we will use defi dashboard DeBank because it supports the most smart contract compatible blockchains: Ethereum, BSC, xDai, Polygon, Fantom, OKExChain and HECO.

Step 1. Connecting your wallet

The first thing you need to do is to open debank.com and connect your MetaMask wallet.

[Image: Step 1, connecting to DeBank]

Step 2. Go to profile

Click profile in the left menu. A new page loads which shows you all your assets and where you have deployed them. By clicking on “All Chains”, DeBank shows all your assets across all smart contract compatible blockchains.

Step 3. Revoke permissions

Click on “Approval”. A new page loads that shows you various things such as token exposure per blockchain and the approved amount of tokens per contract. On the right side of the contract there’s a decline button. Click the decline button to revoke the permissions you gave to the smart contract.

You have now successfully revoked the permission of a smart contract! That wasn’t too hard, was it?

Other tools

There are plenty of other tools you can utilize to revoke smart contract permissions:

  • Unrekt – supports ETH, BSC, HECO and Polygon on web and mobile.
  • BSCscan – supports BSC (In beta–temporarily down)
  • Beefy – supports BSC
  • Debank – supports ETH, BSC, xDai, Fantom, Polygon, OKEx
  • Hyperjump UnRekt – supports BSC and Fantom
  • Polygonscan – supports Polygon

Conclusion

Smart contract permission revocation is an important step to ensure the safety of the assets in your wallet. By using simple and user-friendly tools such as DeBank, it will only take you a minute to revoke any permissions.

Updated on May 23, 2022

86 Comments

  1. I have a question when I try to revoke any of the permission I cannot within the wallet because revoking permission there is not fee to pay in the wallet because of this it is possible to revoke permissions unless there is something I’m missing because revoking permission cost gas fees please advise thank you

  2. Hey there NivekRell and thanks for your question! Unfortunately every time you execute any function on a blockchain it will cost gas fees. There’s no way to get around this although some chains like Polygon or Solana or Celo have very inexpensive gas fees of a few pennies. Kadena is hoping to start developing on chain with gas fees that are one one millionth of a penny soon which would make them nearly gas less. I always suggest you keep at least a half of the native token in your wallet at all times for gas fees and to familiarize yourself with faucets for applicable chains if you ever run out of gas.

    • hey man! I am having a problem when claiming my staking rewards on wanaka. Apparently I signed a contract 1 month ago in which I approved to send my rewards to the hacker every time I want to claim. Is there any solution to this? I have tried revoking access on the bsc but is not working… any recommendations?

      • Hey! Unfortunately there’s no way to recover your funds! If you can, remove your remaining assets from the protocol and try to revoke the permission!

      • Hello Andre, One of the possibilities here is that the blockchain is too busy, resulting in a failed transaction. Give it a day and retry.

        • I have my whole defi taken but says it’s in polygon network although contract shows cookie can it be retrieved because it says I have 3 days before liquidation

    • Please help!

      As soon as I put some Ethereum into my Metamask wallet it disappears almost immediately!

      I have connected the wallet to revoke.cash and also to Debank and there is zero Ethereum?

      I need that particular Ethereum address for a reason. What can I do?

      • Hello Yeldar, It seems like you gave a malicious smart contract permissions to access your wallet. Because the contract automatically withdraws all ETH that is deposited on your wallet, you won’t be able to revoke the permissions due to the need of ETH to pay for the gas fees.

        • Thank you for replying to my message.

          Is a malicious smart contract completely different to a smart contract?

          Regards

  3. To disconnect your metamask from DeBank you just need to click disconnect. It should look like a green circle on your website you are connected to. You should be able to select disconnect metamask on the top bar near your wallet name and address

    • Hi, I’m in ring, obviously with what’s been discovered with ring, I want to revoke the smart contract.
      However by revoking permissions will I render the ability obsolete to take my daily rewards earned, into my wallet??
      Or does the smart contract need to be in place for rewards to keep being distributed??

      Thanks

      • If I revoke permission but after succeed the process I realize that was my mistake can I reverse the process? Or how can I give the permissions again?

        • Hello Albert,

          You can give the contract permissions again by reconnecting to it. The easiest way to do this is by opening the contract address in a blockchain explorer (eg. etherscan).

  4. Hello,

    This might be a silly question, but when revoking access, does this kill any staking/lp’s that you currently have open? I wish to revoke access as a security measure, but I am unsure if I need the current ones open that I have open positions in (and wish to keep positions in)?

    Thank you for all you do!

  5. Hello!
    No, when you revoke permissions from a smart contract you do not remove the LP staked in it. To remove LP you must withdraw or emergency withdraw from the contract. When permissions are revoked you will simply be denying the contract the ability to use your funds.

  6. Hello,

    If I give permission to a smart contract to use an erc20 token, are the ETH funds on this address in any risk? Or is the risk only for the token? Can eth in any way be drained if permissions aren’t revoked?

    • Generally if you read the contract you give permission to when you give permission it will specify the token you are giving permission to spend. However, sometimes you can give permission to a contract to spend or migrate other tokens in that wallet which is why revoking permissions regularly after you leave a project is so important

    • Creating a new wallet and moving funds is the most secure option if you are concerned about fraud or a scam, however it is an extreme option since it involves extra work and giving up a wallet. Depending on the level of security you need for your risk assessment, revoking permissions is a fine option

      • I was recently hacked and my tokens were converted to bnb then withdrawn to another wallet. Is there anyway I can stop it? I am certain that my seed phrase wasn’t shared or saved in my computer. Please help.

  7. Hi, I’m unable to remove an “unknown project” contract using DeBank on AVAX. I’ve clicked ‘decline’ multiple times, the transaction is approved through AVAX, but the ‘unknown project’ is still showing. Googling the unknown project address shows it being referred to as an Exchange Proxy. Are there any other sites besides DeBank that remove AVAX contracts?

    • The consequence is that the contract does not have access to your wallet anymore, which basically is what you want to achieve. If you want to interact with the contract again you can re-approve it. So if you regularly interact with the contract, e.g. for swaps on an Exchange. You can also limit the permissions to a certain amount instead of unlimited approvals.
      I hope this helps.

      Stay safe!

      • How do you limit your exposure? Where it says “infinite” I am unable to click on that to change it.
        Thank you for this article! I never knew about this

        • Hello, You click on the decline button on DeBank and then click on the Edit Permissions line once your Metamask wallet pops up!

          • Question- So if spooky swap has unlimited access to my ETH but with a risk exposure of say 1k doesn’t spooky swap need this access? Will I have to pay a fee every time I want to give it new permission? Of course for everything other than ETH network this will be cheap so you recommend we do it. But what I don’t want is to pay a fee every time I need to interact with staking or an LP on ETH. Also will this prevent spooky for something it needs to do with my wallet during staking?

          • Hey! Yes, you have to pay a fee every time you change the permission of a smart contract. Once you have staked your assets you can revoke the permission, because you don’t have the asset in your wallet anymore: it’s in the protocol.

  8. hi, I got scammed with this type of contracts yesterday, tried to claim some coins and they disappeared…. I checked the transaction and went to a scammer wallet,… I revoked all contracts, and claimed coins from other game just to test it, this time successfully,… does this mean now my acc is safe?!

  9. I connected Binance Smart Chain Wallet to this site. Worked great, found the unapproved contracts.
    How do I disconnect Binance Smart Chain wallet from this site? Thanks

  10. Even if permission is given, and that app has the rights to spend your tokens, does it still need your approval to move your tokens? Or it means that it can move even when I am away from the computer?

    • Hey! No, once you give permission to a contract to use your tokens (which usually are your LP-Tokens), the contract can spend your tokens at any time.

  11. is there a tutorial on how to create a smart contract? when tokens drop into our wallet automatically transfer to some secure wallet?

  12. In the case we gave permission to a Yield Optimizer like Beefy Finance, which is supposed to auto-compound future earnings on LP tokens, would the revocation preclude the future auto-compounding to work as expected ?

    • Hello Henri, You can safely revoke permissions. By revoking permissions, the contract isn’t able to spend tokens from your wallet. In this case you have deposited your tokens in the protocol so this doesn’t have any impact on the auto-compounding.

  13. Hi,

    I have been scammed on defi mining pool and lost 10k usdt. I’m still on “activity” for 3 or 4 days to win 20eth rewards.. I can see my balance wallet still produce earnings that I cannot withdraw of course… What can I do and is everything is fake? Or the earnings are real but I’ll never see this money in my wallet. I don’t revoke the contract yet.

    Please can you help me and tell me what am I supposed to do now?

    Thanks

  14. Hello,

    I saw this question being asked in the comments

    Q: When revoking access, does this kill any staking/lp’s that you currently have open? I wish to revoke access as a security measure, but I am unsure if I need the current ones open that I have open positions in (and wish to keep positions in)?

    Does this mean the staking/LP will still continue as is but when you want to withdraw we can again approve the permission once again ( even though there is some gas fees associated to it). If that’s the case I think I better revoke every access from all the staking platforms and limit them by editing the permissible amount. Let me know If I am thinking in the right direction?

    Thanks for the info and I love the DEBank ( all in one place and I didn’t see it asking for any permissions to withdraw funds as such when requesting for permission)
    Regards

    • Hello Sandeep,

      When revoking access, does this kill any staking/lp’s that you currently have open? I wish to revoke access as a security measure, but I am unsure if I need the current ones open that I have open positions in (and wish to keep positions in)? – You can revoke the permissions once you have staked it: The asset is in the protocol now – not in your wallet.

      Does this mean the staking/LP will still continue as is but when you want to withdraw we can again approve the permission once again ( even though there is some gas fees associated to it). If that’s the case I think I better revoke every access from all the staking platforms and limit them by editing the permissible amount. Let me know If I am thinking in the right direction? – You are correct.

      By revoking access, the contract isn’t able to spend tokens from your wallet. This means that if you have 500 of a given token, and deposit 200 in a smart contract which you gave full permission, the contract is still able to spend the other 300 tokens in your wallet. By revoking or limiting the permission, your remaining tokens are safe.

  15. If you custom limit the amount of token which can be spent to say 100. Then what is to stop a malicious contract from spending multiple lots of 100? e.g. just keep spending 100, 100, 100, 100, 100 until it’s taken everything?

    • Hi! By setting the limit to 100, it can only spend 100 tokens. This means that once 100 tokens are spent, the contract can’t spend 100 tokens again in a new transaction.

  16. guys there is a contract that it says 1000000 approved amount..but it says zero risk exposure…is this ok? or should I delete revoke this one? omg thanks

  17. Question:
    I have a few tokens:
    Infinite xx Decline
    Decline is grayed out and if I hover on top of it, it tells me: Not connected to BSC.Click to switch.
    Does this mean it doesn’t have access now?
    Or do I need to click and connect to be able to decline it. What’s the correct way?

    Thanks

  18. Hello, I have a problem with my metamask. Every time I send BNB it is automatically transferred to another wallet without my consent, I think it’s a smart contract. But to revoke it I need BNB but I can’t transfer it because they take it out automatically. Does anyone have any suggestion?

    • Hey Joaquin, Could you try using a BNB faucet? See if the BNB arrives in your wallet. If not, then you should create a new wallet.

        • Hey Benelcom, it seems like you gave full permissions to a malicious smart contract. If it keeps eating your BNB the only solution would be to create a new wallet. Regarding the faucet, this is usually a website where you can get a tiny amount of BNB for free, just enough to pay the transaction fees for a few transactions.

      • Hi
        I have a same problem like Joaquin, when I sent bnb to my wallet they transferred automatically to another wallet. But bnb faucet arrived. Any help

  19. Won’t revoking permissions for StrongBlock mean I’d have to spend another amount of ETH (usually $20) just to approve any future transaction, in addition to the transaction gas fees? That’s going to be so expensive.

    • Hello! Yes that’s true. Doing this for smart contracts on the Ethereum blockchain will cost you, but it’s better than the chance of losing all your assets.

  20. Hi Rug,

    If I see nothing in the approval section I’m safe? I gave permission to something that turned out a scam coin, but I don’t see any permissions in the approval tab.

    Thanks.

  21. Hey Rug,

    I am trying really hard to revoke all the contracts I have with my metamask but it seems like one of them won’t disappear even after paying the gas fees 3 times. Another one shows gas fees around 140 dollars for revoking the contract which is crazy. Any idea what to do?

    • Hello Max, Are these contracts deployed on the Ethereum mainnet? If so, then that would explain the high gas fees. Could you check if the “transaction” for that one contract was completed? What could have happened is that the transaction failed, but you still paid the gas fees for it.

  22. Thank you for replying to my message.

    Is a malicious smart contract completely different to a smart contract?

    Regards

    • Hello Yeldar,

      No, It’s like a regular smart contract. However, it contains some malicious coding that grants the contract owner access to your wallet.

      • I’m a presale dome holder and recently was scammed out of roughly $10000 usd. I was on telegram and a airdrop link to receive free dome was advertised with the option of connecting your wallet to the site.
        After doing so it asked if I gave that particular wallet address permission to access my dome tokens and thinking it was legitimate, I confirmed. Nothing happened immediately but after seeing others talk about the website being a scam I started trying to transfer some
        of my dome that was staked but connected to the same MetaMask wallet and soon as the funds hit my MetaMask wallet it immediately was gone. All of my staked dome is still in my account but it’s connected to the compromised wallet. Am I still at risk of the scammers accessing
        my account through staking or is there any way to change my staked account address on everdome so it won’t send to the compromised MetaMask wallet or can I change it to send to a different wallet? The $10000 usd loss was devastating enough, just trying to keep the rest
        of my staked funds safe. Any help is very much appreciated. 

        • Hello Mike, I’m sorry to hear this. Unfortunately, you should consider your assets to be lost. I would advise you to create a new wallet.

      • Also, if I revoke access to my token address to a scammer is my account still at risk? Also is there a way scammers token contract to be permanently compromised?

  23. The explanation above in the text is about how to see the approvals and decline them through DeBank. However, when you enter Debank and want to see the approval, it says “get Rabby”. You need to get Rabby, connect to metamask and then you can see the approvals given and you can decline them. So, seeing the approvals and declining them, is not done through Debank anymore, but through Rabby. Did I understand this correct?

  24. Revoking permission is something we should be able to do free, there should be no ties between miner /developers who approved the contract as soon as the transaction is finished, 40$ to revoke a contract is just not fair at all.

  25. Is there any way to revoke all the contracts without incurring fees? I have a malicious contract in my wallet, and when I deposit BNB to my wallet the smart contract automatically passes it to the thief’s wallet. That is why I cannot revoke or do anything with my wallet.

    • Hello Manu. Unfortunately there is nothing you can do in this situation. Consider your assets lost and create a new wallet.

  26. Hi there…

    Every time I finish on a defi site, I disconnect from that site. (I move to the ‘connected sites’ tab in Metamask and individually disconnect from each site as habit to help maintain security).

    Is this different from revoking a contract ? I assume it is.
    Or does this also revoke any contract associated with that site?
    I have previously gone into Debank (prior to the Rabby change/upgrade) and I had no contracts available to revoke on any of the numerous sites that I have visited or contracts that I have previously interacted with.

    So my question is…. is this the same thing? Or am I just disconnecting my wallet from that particular site? In which case the contract still has XYZ permission on my wallet.

    I also use a Ledger hardware wallet. Every transaction is authorised through the Ledger. Can I assume that malicious contracts will only work if I have previously approved them (or do so in the future) on my ledger?
    IE: a dev updates a contract on a project to steal everyone’s funds in their wallets and rugs the contract. Will the new contract need reapproval from my hardware wallet to be able to complete XYZ malicious activity OR because of pre approval to that contract it can just run rampant…?

    Thanks for your help and for providing transparency in what is a pitfall of bad actors and traps for rookies.

    Adam

    • Hello Adam,
      Correct, connecting your wallet to a website is usually different than connecting your wallet to a contract through a website (however, some scammers make you believe that you connect to their website while you are actually connecting to their malicious contract).
      Keep in mind that once you have given access to a certain contract, the contract can indeed just run rampant.

  27. Hello,

    Does a malicious smart contract always drain your wallet immediately upon funds being deposited into the [email protected]…or….sometimes is there a 5 ,10..15 minute delay before it pounces?

    • Hello Yeldar, you have given a malicious contract access to your wallet. There’s no way of saving it. Create a new wallet.
