Revoke token approvals on EVM: how to audit allowances safely (checklist)
Old ERC-20/NFT approvals are a common attack surface. This practical guide explains what approvals mean, when to revoke, and a repeatable audit routine to reduce blast radius.
Table of Contents
- Conclusion
- Explanation
- Practical Guide
- Step 1: confirm context
- Step 2: open a reputable approval viewer
- Step 3: for each approval, check two fields
- Step 4: revoke in priority order
- Step 5: re-approve only what you need
- Pitfalls
- Checklist
- FAQ
- Q1. Should I revoke everything?
- Q2. Why does revoking help if the dApp is legit?
- Q3. I revoked but still got drained—how?
- Internal links
- References
- Disclaimer
How do you review and revoke token approvals on EVM safely?
Conclusion
Approvals are often the real drain path. A safe default is:
- revoke unknown, unused, or unlimited approvals
- re-approve only minimal amounts when needed
A repeatable routine:
- confirm chain + account
- open a reputable approval viewer (avoid ads)
- review spender + allowance
- revoke in priority order
Explanation
ERC-20 approve(spender, amount) means:
- the spender can call `transferFrom` and move up to `amount` of your token, across one or many calls, until the allowance is used up or reset
It’s not a transfer, so it feels harmless. But if the spender contract is malicious, or is exploited later, any leftover allowance can be drained without another signature from you. An “unlimited” allowance is usually the maximum uint256 value; many token implementations do not decrement it on use, so it never shrinks.
NFT approvals can be worse:
- `setApprovalForAll` lets the operator move every token you hold in that collection, including tokens you receive later.
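To make the mechanics concrete, here is an added in-memory model of the ERC-20 allowance and ERC-721 operator-approval semantics described above (example code written for this guide, not taken from the page or from any token contract; the account names, balances and the "router"/"marketplace" spenders are constructed). It shows that approve() moves nothing by itself, that a leftover allowance is spendable later, that an unlimited allowance does not shrink (mirroring OpenZeppelin's `_spendAllowance`, which skips the decrement at the max value), and that setApprovalForAll exposes the whole collection:

```javascript
// Added example (not from the original page): minimal model of ERC-20
// allowance and ERC-721 operator approval, to show why leftover approvals
// are a drain path. All names and balances are constructed for illustration.

const MAX_UINT256 = (1n << 256n) - 1n;

class Erc20 {
  constructor(balances) {
    this.balances = new Map(Object.entries(balances).map(([k, v]) => [k, BigInt(v)]));
    this.allowances = new Map(); // `${owner}:${spender}` -> BigInt
  }
  balanceOf(a) { return this.balances.get(a) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}:${spender}`) ?? 0n; }
  // approve() only records a number; no tokens move.
  approve(owner, spender, amount) { this.allowances.set(`${owner}:${spender}`, BigInt(amount)); }
  // transferFrom(): the spender pulls tokens later, up to the allowance.
  // An allowance equal to MAX_UINT256 is treated as unlimited and not decremented
  // (assumption: same behaviour as OpenZeppelin's _spendAllowance).
  transferFrom(caller, from, to, amount) {
    amount = BigInt(amount);
    const allowed = this.allowance(from, caller);
    if (allowed < amount) throw new Error('ERC20: insufficient allowance');
    if (this.balanceOf(from) < amount) throw new Error('ERC20: insufficient balance');
    if (allowed !== MAX_UINT256) this.allowances.set(`${from}:${caller}`, allowed - amount);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

class Erc721 {
  constructor(owners) {
    this.owners = new Map(Object.entries(owners)); // tokenId -> owner
    this.operators = new Set();                     // `${owner}:${operator}`
  }
  setApprovalForAll(owner, operator, approved) {
    const k = `${owner}:${operator}`;
    approved ? this.operators.add(k) : this.operators.delete(k);
  }
  isApprovedForAll(owner, operator) { return this.operators.has(`${owner}:${operator}`); }
  transferFrom(caller, from, to, tokenId) {
    if (this.owners.get(tokenId) !== from) throw new Error('ERC721: not owner');
    if (caller !== from && !this.isApprovedForAll(from, caller)) throw new Error('ERC721: not authorized');
    this.owners.set(tokenId, to);
  }
}

// alice approves a router for 100, the router legitimately spends 40, then the
// router is compromised and whoever controls it pulls the remaining 60.
function leftoverAllowanceDrain() {
  const token = new Erc20({ alice: 1000 });
  token.approve('alice', 'router', 100);
  token.transferFrom('router', 'alice', 'pool', 40);            // the intended swap
  const leftover = token.allowance('alice', 'router');         // 60 still spendable
  token.transferFrom('router', 'alice', 'attacker', leftover); // no new signature needed
  return { leftover, aliceBalance: token.balanceOf('alice'), stolen: token.balanceOf('attacker') };
}

// An unlimited allowance never shrinks; approve(spender, 0) is what stops it.
function unlimitedThenRevoke() {
  const token = new Erc20({ alice: 1000 });
  token.approve('alice', 'router', MAX_UINT256);
  token.transferFrom('router', 'alice', 'pool', 400);
  const stillUnlimited = token.allowance('alice', 'router') === MAX_UINT256;
  token.approve('alice', 'router', 0); // revoke
  let blocked = false;
  try { token.transferFrom('router', 'alice', 'attacker', 1); } catch { blocked = true; }
  return { stillUnlimited, blocked, aliceBalance: token.balanceOf('alice') };
}

// setApprovalForAll exposes every tokenId alice holds, but nothing of bob's.
function collectionWideExposure() {
  const nft = new Erc721({ '1': 'alice', '2': 'alice', '3': 'bob' });
  nft.setApprovalForAll('alice', 'marketplace', true);
  nft.transferFrom('marketplace', 'alice', 'attacker', '1');
  nft.transferFrom('marketplace', 'alice', 'attacker', '2');
  let bobSafe = false;
  try { nft.transferFrom('marketplace', 'bob', 'attacker', '3'); } catch { bobSafe = true; }
  nft.setApprovalForAll('alice', 'marketplace', false); // revoke
  return {
    aliceLost: ['1', '2'].every(id => nft.owners.get(id) === 'attacker'),
    bobSafe,
    revoked: !nft.isApprovedForAll('alice', 'marketplace'),
  };
}
```

Run it with Node and call the three scenario functions; the "leftover" and "unlimited" cases are exactly why the guide says to revoke unused and unlimited allowances rather than trust that a past transaction is finished.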
Practical Guide
Step 1: confirm context
- correct chain (Ethereum/Base/Arbitrum, etc.)
- correct wallet account/address
Step 2: open a reputable approval viewer
Warning:
- fake “revoke” sites exist
Decision rule:
- enter via bookmarks or official sources; avoid search ads.
Step 3: for each approval, check two fields
- spender (who can spend)
- allowance/scope (how much / whether “unlimited”)
Step 4: revoke in priority order
Start with:
- unknown spender
- unused dApp
- unlimited allowances
- NFT `setApprovalForAll`
Each revoke is its own transaction and costs gas, so audit in batches rather than one approval at a time.
Step 5: re-approve only what you need
- set allowance close to expected usage
- avoid “unlimited for convenience”
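The five steps above, as one added offline example (written for this guide, not code from the page or from any approval viewer): it takes an exported approval list, drops anything on the wrong chain or account (Step 1), looks at spender and allowance (Step 3), orders revokes by the priority list (Step 4), builds the raw calldata for `approve(spender, 0)` and `setApprovalForAll(operator, false)`, and shows how a bounded re-approval would be encoded (Step 5). All addresses, chain ids, allowances and the "known spender" / "still in use" labels are constructed; the function selectors are the standard ones and are hardcoded because Node has no keccak256 built in.

```javascript
// Added example (not from the original page): build a revoke plan in the
// guide's priority order and encode the calldata for each revoke.
// Addresses, chain ids, allowances and labels below are constructed.

const MAX_UINT256 = (1n << 256n) - 1n;

// 4-byte selectors = first 4 bytes of keccak256(signature). Hardcoded because
// Node's built-in sha3-256 is not keccak256.
const SELECTORS = {
  approve: '095ea7b3',           // approve(address,uint256)
  setApprovalForAll: 'a22cb465', // setApprovalForAll(address,bool)
};

// ABI-encode one 32-byte word; addresses and integers are right-aligned.
function word(value) {
  return BigInt(value).toString(16).padStart(64, '0');
}

// approve(spender, amount): amount 0 revokes; a small amount is a bounded re-approval (Step 5).
function approveCalldata(spender, amount) {
  return '0x' + SELECTORS.approve + word(spender) + word(amount);
}

// setApprovalForAll(operator, false) revokes a collection-wide ERC-721/1155 approval.
function revokeOperatorCalldata(operator) {
  return '0x' + SELECTORS.setApprovalForAll + word(operator) + word(0);
}

const REASONS = {
  1: 'unknown spender',
  2: 'dApp no longer used',
  3: 'unlimited allowance',
  4: 'collection-wide NFT approval',
};

// Step 4 ordering; null means keep (known, still used, bounded).
function priority(a, ctx) {
  const spender = a.spender.toLowerCase();
  if (!ctx.knownSpenders.has(spender)) return 1;
  if (!ctx.inUse.has(spender)) return 2;
  if (a.kind === 'erc20' && a.allowance === MAX_UINT256) return 3;
  if (a.kind === 'nft' && a.approvedForAll) return 4;
  return null;
}

function buildRevokePlan(approvals, ctx) {
  const live = approvals.filter(a => (a.kind === 'erc20' ? a.allowance > 0n : a.approvedForAll));
  // Step 1: act only on the intended chain and account, and report what was left out
  // so "I revoked" is not mistaken for "all chains/accounts are clean".
  const inScope = live.filter(a => a.chainId === ctx.chainId && a.owner.toLowerCase() === ctx.owner.toLowerCase());
  const plan = [];
  for (const a of inScope) {
    const p = priority(a, ctx);
    if (p === null) continue;
    plan.push({
      priority: p, reason: REASONS[p], token: a.token, spender: a.spender,
      data: a.kind === 'erc20' ? approveCalldata(a.spender, 0) : revokeOperatorCalldata(a.spender),
    });
  }
  plan.sort((x, y) => x.priority - y.priority);
  return { plan, outOfScope: live.length - inScope.length };
}

// Constructed sample: five approvals on Ethereum mainnet (chainId 1) and one on Base (8453).
const OWNER   = '0x' + 'aa'.repeat(20);
const ROUTER  = '0x' + '11'.repeat(20); // known, in use, bounded -> keep
const ROUTER2 = '0x' + '22'.repeat(20); // known, in use, unlimited -> priority 3
const UNKNOWN = '0x' + '33'.repeat(20); // unrecognised -> priority 1
const OLD_APP = '0x' + '44'.repeat(20); // known, no longer used -> priority 2
const MARKET  = '0x' + '55'.repeat(20); // known marketplace, setApprovalForAll -> priority 4
const TOKEN   = '0x' + 'c0'.repeat(20);
const NFT     = '0x' + 'd0'.repeat(20);

const SAMPLE_APPROVALS = [
  { chainId: 1, owner: OWNER, token: TOKEN, kind: 'erc20', spender: ROUTER,  allowance: 250n * 10n ** 6n },
  { chainId: 1, owner: OWNER, token: TOKEN, kind: 'erc20', spender: ROUTER2, allowance: MAX_UINT256 },
  { chainId: 1, owner: OWNER, token: TOKEN, kind: 'erc20', spender: UNKNOWN, allowance: 1n },
  { chainId: 1, owner: OWNER, token: NFT,   kind: 'nft',   spender: MARKET,  approvedForAll: true },
  { chainId: 1, owner: OWNER, token: TOKEN, kind: 'erc20', spender: OLD_APP, allowance: 10n },
  { chainId: 8453, owner: OWNER, token: TOKEN, kind: 'erc20', spender: UNKNOWN, allowance: MAX_UINT256 },
];

const CONTEXT = {
  chainId: 1,
  owner: OWNER,
  knownSpenders: new Set([ROUTER, ROUTER2, OLD_APP, MARKET]),
  inUse: new Set([ROUTER, ROUTER2, MARKET]),
};

const result = buildRevokePlan(SAMPLE_APPROVALS, CONTEXT);
for (const r of result.plan) console.log(r.priority, r.reason, r.spender, r.data);
console.log(`out of scope (other chain/account): ${result.outOfScope}`);
```

The calldata strings are what a wallet would show as the transaction "data" for each revoke: selector, 32-byte spender, 32-byte zero. Comparing that against the wallet prompt is a cheap way to confirm a "revoke" site is really sending approve-to-zero and not a fresh approval. The non-zero `outOfScope` count is the reminder from the Pitfalls section that the Base approval still needs its own pass.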
Pitfalls
- fake revoke websites
- missing NFT-wide approvals
- revoking on the wrong chain/account
- assuming “I revoked” means “all risk gone” (other tokens/chains may still have approvals)
Checklist
- [ ] Chain is correct
- [ ] Account/address is correct
- [ ] Entered via bookmark/official source (not ads)
- [ ] Spender is recognized
- [ ] Allowance is not unlimited unless intentional
- [ ] Unused approvals are revoked
- [ ] Unknown approvals are revoked first
- [ ] NFT `setApprovalForAll` approvals are reviewed
- [ ] Audit cadence is set (weekly for airdrop farming, monthly otherwise)
- [ ] After new dApp use, revoke is considered part of the workflow
FAQ
Q1. Should I revoke everything?
Not necessarily. Revoke unknown/unused/unlimited. For frequently used trusted apps, you can keep minimal allowances, but unlimited is rarely worth it.
Q2. Why does revoking help if the dApp is legit?
Because exploits happen. Revoking reduces blast radius if a contract or key gets compromised later.
Q3. I revoked but still got drained—how?
Approvals may still exist on another token, chain, or account. Always confirm chain/account and audit broadly.
Internal links
- Parent hub: Web3 safety: start here
- Related:
References
- ERC-20 Approve: https://eips.ethereum.org/EIPS/eip-20
- OpenZeppelin ERC20: https://docs.openzeppelin.com/contracts/
Disclaimer
Not financial advice. General security guidance only.