*Paid Advertisement. Not financial advice. RugDoc is not responsible for the projects showcased here. DYOR and ape safu.

How To Revoke Permissions With MetaMask

Permission revocation with MetaMask
Table of Contents

In order to swap tokens, provide liquidity to liquidity pools, stake or interact with farms, users are required to allow smart contracts to utilize their assets. When using the MetaMask wallet, such a permission request for a farming pool looks like this:

granting permission pancakeswap

Once approved, the smart contract has the permission to use the specified amount of LP-tokens according to its strategy.

This can also be the case for regular tokens: By using platforms such as zapper.fi, users can quickly swap their tokens, let’s say USDC, to ETH and BTCB, and directly deploy them in a liquidity pool, all in one step. Zapper will then ask for permission to spend either the given amount of tokens or unlimited amount tokens, meaning the user only needs to approve the permission once. However, this brings certain risks.

Revoking permissions #

Many users have lost their assets because they weren’t aware about backdoors that were placed in smart contracts by malicious developers. What often happens is that such platforms asks the user for permission to spend an unlimited number of tokens.

When interacting with well-known defi platforms with audited smart contracts such as Pancakeswap, users typically don’t have to worry too much about this. However, in the case of recently launched defi platforms which haven’t been audited, or reviewed by RugDoc, users should be aware of the risks this brings them.

Once a platform has granted unlimited permissions to spend the users’ token, malicious developers are able to control the users’ tokens by using created backdoors in their smart contracts, even if the user has withdrawn its tokens from the platform already. What often happens next is that the malicious developers withdraw the tokens from users’ wallets into their own wallets, leaving the user with big losses.

It’s also important to keep in mind that hackers are actively trying to find vulnerabilities in smart contracts of popular defi platforms, such as what happened to Bancor, which could result in big losses for users.

Revoking permissions via DeBank #

Now that it’s clear why revoking permissions is such an important step for investors to protect their assets, let’s focus on how you can revoke permissions. In this example we will use defi dashboard DeBank because it supports the most smart contract compatible blockchains: Ethereum, BSC, xDai, Polygon, Fantom, OKExCahin and HECO.

Step 1. Connecting your wallet

The first thing you need to do is to open debank.com and connect your MetaMask wallet.

step 1 connect debank

Step 2. Go to profile

Click profile in the left menu. A new page loads which shows you all your assets and where they you have deployed them. By clicking on “All Chains”, DeBank shows all your assets across all smart contract compatible blockchains.

Step 3. Revoke permissions

Click on “Approval”. A new page loads that shows you various things such as token exposure per blockchain and the approved amount of tokens per contract. On the right side of the contract there’s a decline button. Click the decline button to revoke the permissions you gave to the smart contract.

You have now successfully revoked the permission of a smart contract! That wasn’t too hard, was it?

Other tools #

There are plenty of other tools you can utilize to revoke smart contract permissions:

  • Unrekt – supports ETH, BSC, HECO and Polygon on web and mobile.
  • BSCscan – supports BSC (In beta–temporarily down)
  • Beefy – supports BSC
  • Debank – supports ETH, BSC, xDai, Fantom, Polygon, OKEx
  • Hyperjump UnRekt – supports BSC and Fantom
  • Polygonscan – supports Polygon

Conclusion #

Smart contract permission revocation is an important step to ensure the safety of your assets in your wallet. By using simple and user friendly tools such as DeBank, it will only take you a minute revoke any permissions.

Updated on August 22, 2021
How do you feel about this article?

53 Comments

  1. I have a question when i.try to.revoke.amunof the permission I cannot within the wallet because revoking permission there is not.fee to pay in the wallet because of this it is possible to.revoke permissions unless there is something I’missing because revoking permission coat gas fees please advise thank you

  2. Hey there NivekRell and thanks for your question! Unfortunately every time to execute any function on a blockchain it will cost gas fees. There’s no way to get around this although some chains like Polygon or Solana or Celo have very inexpensive gas fees of a few pennies. Kadena is hoping to start developing on chain with gas fees that are one one millionth of a penny soon which would make them nearly gas less. I always suggest you keep at least a half of the native token in your wallet at all times for gas fees and to familiarize yourself with faucets for applicable chains if you ever run out of gas.

    • hey man! I am having a problem when claiming my staking rewards on wanaka. Aparrently I sign a contract 1 month ago in which I approved to send my rewards to the hacker every time I want to claim. Is there any solution to this ? I have tried revoking access on the bsc but is not working… any recomendations?

      • Hey! Unfortunately there’s no way to recover your funds! If you can, remove your remaining assets from the protocol and try to revoke the permission!

    • Hi Rug, in my case the smart contract call stays pending until it fails, how can i sort this out?
      Thanks in advance

      • Hello Andre, One of the possibilities here is that the blockchain is too busy, resulting in a failed transaction. Give it a day and retry.

    • I joined a mining pool and want to revoke permissions but would that stop me from gaining funds on the pool?

  5. To disconnect your metamask from DeBank you just need to click disconnect. It should look like a green circle on your website you are connected to. You should be able to select disconnect metamask on the top bar near your wallet name and address

    • Hi, Im in ring, obviously with what’s been discovered with ring, I want to revoke the smart contract.
      However by revoking permissions will I render the ability obsolete to take my daily rewards earned, into my wallet??
      Or does the smart contract need to be in place for rewards to keep being distributed??

      Thanks

  6. Hello,

    This might be a silly question, but when revoking access, does this kill any staking/lp’s that you currently have open? I wish to revoke access as a security measure, but I am unsure if I need the current ones open that I have open positions in (and wish to keep positions in)?

    Thank you for all you do!

  7. Hello!
    No, when you revoke permissions from a smart contract you do not remove the LP staked in it. To remove LP you must withdraw or emergency withdraw from the contract. when permissions are revoked you will simply be denying the contract the ability to use your funds.

  8. Hello,

    If I give permission to a smart contract to use an erc20 token, are the ETH funds on this address in any risk? Or is the risk only for the token? Can eth in any way be drained if permissions arent revoked?

    • Generally if you read the contract you give permission to when you give permission it will
      specify the token you are giving permission to spend. However, sometimes you can give permission to a contract to spend or migrate other tokens in that wallet which is why revoking permissions regularly after you leave a project is so important

    • Creating a new wallet and moving funds is the most secure option if you are concerned about fraud or a scam, however it is an extreme option since it involves extra work and giving up a wallet. Depending on the level of security you need for your risk assessment, revoking permissions is a fine option

      • I was recently hacked and my tokens were converted to bnb then withdrawn to another wallet. Is there anyway I can stop it? I am certain that my seed phrase wasn’t shared or saved in my computer. Please help.

        • Hi, please revoke permissions as described in this article. You have probably given approval to a malicious contract in the past.

  10. Hi, I’m unable to remove an “unknown project” contract using DeBank on AVAX. I’ve clicked ‘decline’ multiple times, the transaction is approved through AVAX, but the ‘unknown project’ is still showing. Googling the unknown project address shows it being referred to as an Exchange Proxy. Are there any other sites besides DeBank that remove AVAX contracts?

    • The consequence is that the contract does not have access to your wallet anymore, which basically is what you want to achieve. If you want to interact with the contract again you can re-approve it. So if you regularly interact with the contract, e.g. for swaps on an Exchange. You can also limit the permissions to a certain amount instead of unlimited approvals.
      I hope this helps.

      Stay stafe!

      • How do you limit your exposure? Where it says “infinite “ I am unable to click on that to change it.
        Thank you for this article! I never knew about this

        • Hello, You click on the decline button on DeBank and then click on the Edit Permissions line once your Metamask wallet pops up!

          • Question- So if spooky swap has unlimited access to my ETH but with a risk exposure of say 1k doesnt spooky swap need this access? Will I have to pay a fee every time I want to give it new permission? Of course for everything other than ETH network this will be cheap so you recomend we do it. But what I dont want is to pay a fee every time I need to interact with staking or an LP on ETH. ALso will this prevent spooky for something it needs to do with my wallet during staking?

          • Hey! Yes, you have to pay a fee every time you change the permission of a smart contract. Once you have staked your assets you can revoke the permission, because you don’t have the asset in your wallet anymore: it’s in the protocol.

  12. hi, i got scammed with this type of contracts yesterday, tried to clam some coins and thei dissapeared…. i checked the transaction and went to a scammer wallet,… i revoked all contracts, and clamed coins from other game just to test it, this time sucessfuly,… does this mean now mi acc is safe?!

  13. I connected Binance Smart Chain Wallet to this site. Worked great, found the unapproved contracts.
    How do I disconnect Binance Smart Chain wallet from this site? Thanks

  16. Even if permission is given, and that app has the rights to spend your tokens, does it still need your approval to move your tokens? Or it means that it can move even when I am away from the computer?

    • Hey! No, once you give permission to a contract to use your tokens (which usually are your LP-Tokens), the contract can spend your tokens at any time.

  17. is there a tutorial on how to create a smart contract? when tokens drop into our wallet automatically transfer to some secure wallet?

  18. In the case we gave permission to a Yield Optimizer like Beefy Finance, which is supposed to auto-compound future earnings on LP tokens, would the revocation preclude the future auto-compounding to work as expected ?

    • Hello Henri, You can safely revoke permissions. By revoking permissions, the contract isn’t able to spend tokens from your wallet. In this case you have deposited your tokens in the protocol so this doesn’t have any impact on the auto-compounding.

  19. Hi,

    i have been scamed on defi mining pool and lost 10k usdt. Im still on «activity » for 3 or 4 days to win 20eth rewards.. I can see my balance wallet still produce earnings that I cannot withdraw of course… What can I do and is everything is fake ? Or the earnings are real but I’ll never see this money in my wallet. I dont revoke the contract yet.

    Please can you help me and tell me what am I supposed yo do now ?

    Thanks

    • Hi, If you already know you are scammed by this pool, then yes! Get your assets out of there and revoke the permissions!

  20. Hello,

    I saw this question being asked in the comments

    Q: When revoking access, does this kill any staking/lp’s that you currently have open? I wish to revoke access as a security measure, but I am unsure if I need the current ones open that I have open positions in (and wish to keep positions in)?

    Does this mean the staking/LP will still continue as is but when you want to withdraw we can again approve the permission once again ( even though there is some gas fees associated to it). If that’s the case I think I better revoke every access from all the staking platforms and limit them by editing the permissible amount. Let me know If I am thinking in the right direction?

    Thanks for the info and I love the DEBank ( all in one place and I didn’t see it asking for any permissions to withdraw funds as such when requesting for permission)
    Regards

    • Hello Sandeep,

      When revoking access, does this kill any staking/lp’s that you currently have open? I wish to revoke access as a security measure, but I am unsure if I need the current ones open that I have open positions in (and wish to keep positions in)? – You can revoke the permissions once you have staked it: The asset is in the protocol now – not in your wallet.

      Does this mean the staking/LP will still continue as is but when you want to withdraw we can again approve the permission once again ( even though there is some gas fees associated to it). If that’s the case I think I better revoke every access from all the staking platforms and limit them by editing the permissible amount. Let me know If I am thinking in the right direction? – You are correct.

      By revoking access, the contract isn’t able to spend tokens from your wallet. This means that if you have 500 of a given token, and deposit 200 in a smart contract which you gave full permission, the contract is still able to spend the other 300 tokens in your wallet. By revoking or limiting the permission, your remaining tokens are safe.

  21. If you custom limit the amount of token which can be spent to say 100. Then what is to stop a malicious contract from spending multiple lots of 100? e.g. just keep spending 100, 100, 100, 100, 100 until it’s taken everything?

    • Hi! By setting the limit to 100, it can only spend 100 tokens. This means that once 100 tokens are spend, the contract can’t spend 100 tokens again in a new transaction.

  22. guys there is a contract that it says 1000000 aproved ammount..but it says zero risk sposure…is this ok? or should i delete revoke this one? omg thanks

  23. Question:
    I have a few tokens:
    Infinite xx Decline
    Decline is grayed out and if I hover on top of it, it tells me: Not connected to BSC.Click to switch.
    Does this mean it doesn’t have access now?
    Or do I need to click and connect to be able to decline it. What’s the correct way?

    Thanks

    • Hey Mike, It means that you need to switch your wallet connection to the Binance network. Then reload the page.

  24. Hello, I have a problem with my metamask. Every time I send BNB it is automatically transferred to another wallet without my consent, I think it’s a smart contract. but to revoke it I need BNB but i cant transfer it because they take it out automatically. does anyone have any suggestion?

    • Hey Joaquin, Could you try using a BNB faucet? See if the BNB arrives in your wallet. if not, then you should create a new wallet.

Leave a Reply

*Paid Advertisement. Not financial advice. RugDoc is not responsible for the projects showcased here. DYOR and ape safu.

Farms Review
EN
ES EN