IMPORTANT NOTE: DeBank has migrated their “Token Approval Management” feature to Rabby.io. Rabby is an open source extension wallet developed by DeBank.
In order to swap tokens, provide liquidity to liquidity pools, stake or interact with farms, users are required to allow smart contracts to utilize their assets. When using the MetaMask wallet, such a permission request for a farming pool looks like this:
Once approved, the smart contract has the permission to use the specified amount of LP-tokens according to its strategy.
This can also be the case for regular tokens: by using platforms such as zapper.fi, users can quickly swap their tokens, let’s say USDC, to ETH and BTCB, and directly deploy them in a liquidity pool, all in one step. Zapper will then ask for permission to spend either the given amount of tokens or an unlimited amount of tokens, meaning the user only needs to approve the permission once. However, this brings certain risks.
Revoking permissions
Many users have lost their assets because they weren’t aware of backdoors that were placed in smart contracts by malicious developers. What often happens is that such platforms ask the user for permission to spend an unlimited number of tokens.
When interacting with well-known DeFi platforms with audited smart contracts such as Pancakeswap, users typically don’t have to worry too much about this. However, in the case of recently launched DeFi platforms which haven’t been audited or reviewed by RugDoc, users should be aware of the risks this brings them.
Once a platform has been granted unlimited permission to spend the user’s tokens, malicious developers are able to control those tokens by using backdoors created in their smart contracts, even if the user has already withdrawn their tokens from the platform. What often happens next is that the malicious developers withdraw the tokens from users’ wallets into their own wallets, leaving the users with big losses.
It’s also important to keep in mind that hackers are actively trying to find vulnerabilities in the smart contracts of popular DeFi platforms, such as what happened to Bancor, which could result in big losses for users.
Revoking permissions via DeBank
Now that it’s clear why revoking permissions is such an important step for investors to protect their assets, let’s focus on how you can revoke permissions. In this example we will use the DeFi dashboard DeBank because it supports the most smart contract compatible blockchains: Ethereum, BSC, xDai, Polygon, Fantom, OKExChain and HECO.
Step 1. Connecting your wallet
The first thing you need to do is to open debank.com and connect your MetaMask wallet.
Step 2. Go to profile
Click profile in the left menu. A new page loads which shows you all your assets and where you have deployed them. By clicking on “All Chains”, DeBank shows all your assets across all smart contract compatible blockchains.
Step 3. Revoke permissions
Click on “Approval”. A new page loads that shows you various things such as token exposure per blockchain and the approved amount of tokens per contract. On the right side of the contract there’s a decline button. Click the decline button to revoke the permissions you gave to the smart contract.
You have now successfully revoked the permission of a smart contract! That wasn’t too hard, was it?
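What an approval request and its revocation look like at the calldata level, as an added example that is not from the original article or from any of the tools it lists. It assumes the token follows the ERC-20 standard's `approve(spender, amount)` interface, where setting the amount to zero clears the allowance; the function names and the sample spender address are constructed for illustration.

```javascript
// Added example: classify ERC-20 approve() calldata and build the revoke call.
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the amount usually meant by "unlimited"

// Decode approve(spender, amount) calldata; returns null for anything else.
function decodeApprove(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  // selector (4 bytes) + two 32-byte ABI words = 136 hex characters
  if (!/^[0-9a-f]{136}$/.test(hex)) return null;
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  // An address sits in the low 20 bytes; the 12 padding bytes must be zero.
  if (!spenderWord.startsWith("0".repeat(24))) return null;
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + hex.slice(72)),
  };
}

// Label the request the way a user should read it before signing.
function classifyApproval(calldata) {
  const decoded = decodeApprove(calldata);
  if (decoded === null) return "not-approve";
  if (decoded.amount === 0n) return "revoke";
  return decoded.amount === MAX_UINT256 ? "unlimited" : "limited";
}

// Calldata that sets the spender's allowance back to zero.
function buildRevokeCalldata(spender) {
  const addr = String(spender).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("invalid spender address");
  return "0x" + APPROVE_SELECTOR + addr.padStart(64, "0") + "0".repeat(64);
}

// Constructed sample data (not a real contract or transaction).
const SAMPLE_SPENDER = "0x" + "11".repeat(20);
const SPENDER_WORD = "11".repeat(20).padStart(64, "0");
const SAMPLE_UNLIMITED = "0x" + APPROVE_SELECTOR + SPENDER_WORD + "f".repeat(64);
const SAMPLE_LIMITED = // allowance of 1000 base units
  "0x" + APPROVE_SELECTOR + SPENDER_WORD + (1000n).toString(16).padStart(64, "0");

console.log(classifyApproval(SAMPLE_UNLIMITED));
console.log(classifyApproval(SAMPLE_LIMITED));
console.log(classifyApproval(buildRevokeCalldata(SAMPLE_SPENDER)));
```

The revoke calldata only takes effect when the token owner's wallet sends it as a transaction to the token contract, which costs a network fee like any other transaction.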
Other tools
There are plenty of other tools you can utilize to revoke smart contract permissions:
- Unrekt – supports ETH, BSC, HECO and Polygon on web and mobile.
- BSCscan – supports BSC (in beta, temporarily down)
- Beefy – supports BSC
- Debank – supports ETH, BSC, xDai, Fantom, Polygon, OKEx
- Hyperjump UnRekt – supports BSC and Fantom
- Polygonscan – supports Polygon
Conclusion
Smart contract permission revocation is an important step to ensure the safety of the assets in your wallet. By using simple and user-friendly tools such as DeBank, it will only take you a minute to revoke any permissions.