How to limit unlimited token allowances on tEVM dApps

Combat exploits in allowance depositing. Scan the entire blockchain to find all the dApp allowances associated with your address.

Written by Yknot Blockchain Solutions

Updated at October 24th, 2022


One of the Telos Useful Tools is revoke.telos.net, which gives users the power to revoke allowances granted when depositing ERC20 tokens through Telos EVM. This guide explains ERC20 allowances, their dangers, and how to manage the security of your account.

Each transaction requires that a smart contract has access to your wallet to spend the tokens you are investing or swapping. The token allowance is the maximum amount the smart contract has permission to spend from your wallet.


Why are ERC20 allowances necessary?

To use ERC20 tokens in DeFi protocols such as Uniswap, Aave or Yearn, you have to grant the dApp permission to spend tokens on your behalf. This permission is known as an ERC20 allowance. These allowances are integral to the functioning of DeFi platforms, but can be dangerous if left unchecked.

The ERC20 standard allows smart contracts to transfer tokens on behalf of users with the transferFrom() function. To do so, the user needs to allow the smart contract to transfer those tokens on their behalf. This way, a user can deposit tokens into a smart contract, and at the same time, the smart contract can update its state to reflect the deposit.

Info

*Please note that Uniswap, Aave & Yearn are not developed or operated by Telos



Why are unlimited ERC20 allowances harmful?

When depositing a specific amount into a contract, you can choose to set an allowance of an exact amount. But instead, many apps request an unlimited allowance from the user. This offers a superior user experience because the user does not need to approve a new allowance every time they want to deposit tokens. By setting up an unlimited allowance, the user just needs to approve it once, and not repeat the process for subsequent deposits. 

However, this setup comes with significant drawbacks. 

Warning

Bugs can exist, and opportunities for malicious exploitation can arise, even in established projects. By giving these platforms an unlimited allowance, you expose not only your deposited funds to these risks, but also the tokens that you believe you are holding safely in your wallet.
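
The difference between an exact and an unlimited allowance can be seen in a small in-memory model of ERC20 allowance accounting. This is an added example, not code from Telos or from any real token contract; the ToyToken class, the scenario function and the "user" and "dapp" account names are hypothetical.

```javascript
// Added example: minimal model of ERC20 approve / transferFrom bookkeeping.
const MAX = (1n << 256n) - 1n; // the value dApps request as "unlimited"

class ToyToken {
  constructor(balances) {
    this.balances = new Map(Object.entries(balances));
    this.allowances = new Map(); // "owner>spender" -> BigInt limit
  }
  balanceOf(a) { return this.balances.get(a) ?? 0n; }
  allowance(owner, spender) {
    return this.allowances.get(`${owner}>${spender}`) ?? 0n;
  }
  // Called by the owner: sets (does not add to) the spender's limit.
  approve(owner, spender, amount) {
    this.allowances.set(`${owner}>${spender}`, amount);
  }
  // Called by the spender: moves the owner's tokens, bounded by the allowance.
  transferFrom(spender, owner, to, amount) {
    const allowed = this.allowance(owner, spender);
    if (amount > allowed) throw new Error("insufficient allowance");
    if (amount > this.balanceOf(owner)) throw new Error("insufficient balance");
    this.approve(owner, spender, allowed - amount);
    this.balances.set(owner, this.balanceOf(owner) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

// The user holds 1000 tokens and deposits 100. A bug or compromise in the dApp
// contract then triggers a second, unwanted pull of whatever is left.
function scenario(approved, revokeAfter = false) {
  const token = new ToyToken({ user: 1000n });
  token.approve("user", "dapp", approved);
  token.transferFrom("dapp", "user", "dapp", 100n); // the intended deposit
  if (revokeAfter) token.approve("user", "dapp", 0n); // what a revoke does
  try {
    token.transferFrom("dapp", "user", "dapp", token.balanceOf("user"));
  } catch (e) {
    // Blocked: the allowance check refused the second pull.
  }
  return token.balanceOf("user"); // tokens still in the user's wallet
}

console.log("exact allowance:      ", scenario(100n));
console.log("unlimited allowance:  ", scenario(MAX));
console.log("unlimited, then revoke:", scenario(MAX, true));
```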


What can users do?

To begin with, since ERC20 allowances are integral to the functioning of many smart contracts, it is not an option to stop approving allowances altogether. But where possible, try to avoid unlimited allowances. 

The Telos Core Developers (TCD) are working on a revoke tool that better supports Telos. This tool will enable you to revoke only those permissions which grant direct access to your assets.

Info

*Please note that MetaMask is not developed or operated by Telos


In the meantime, follow this method in MetaMask:

  1. Click the kebab menu (three dots) next to your username.
  2. Select 'connected sites'.
  3. Click 'disconnect' for each app whose permissions you wish to revoke.

Keep in mind that unlike a revoke tool, this will revoke all permissions. 


Revoke.telos.net

Info

The Telos revoke tool is still in development. We will update this article and all media channels once it is live. You can also visit revoke.telos.net to keep an eye out. 

The revoke tool will enable you to combat these risks and exploits when engaging in allowance depositing on tEVM. It will connect to your wallet and scan the entire blockchain for you to find all the dApp allowances associated with your tEVM address. 

You will be able to edit the allowance: either adjust it to 0 to cancel it altogether or adjust it to a level you feel comfortable with. 

To avoid the prospect of granting a small transaction access to the whole amount, confirm that the permissions are set to ‘limited’. The approval is changed by interacting with each ERC20 token contract individually.
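
One way to find the allowances tied to an address is to replay the Approval events that ERC20 token contracts emit, then build the approve(spender, 0) call data that revokes one of them. This is an added example, not the code of revoke.telos.net; the sample logs and all addresses are constructed placeholders, and the function names are hypothetical.

```javascript
// Added example: derive outstanding ERC20 allowances from Approval event logs.
const APPROVAL_TOPIC = // keccak256("Approval(address,address,uint256)")
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const MAX_UINT256 = (1n << 256n) - 1n;

// Event topics hold addresses left-padded to 32 bytes; keep the last 20 bytes.
const topicToAddress = (t) => "0x" + t.slice(-40).toLowerCase();
const pad32 = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");

// Logs must be in chain order; the latest Approval per (token, spender) wins.
// ERC20 Approval logs carry 3 topics (NFT approvals share topic 0 but have 4).
function outstandingAllowances(logs, owner) {
  const latest = new Map();
  for (const log of logs) {
    if (log.topics.length !== 3 || log.topics[0] !== APPROVAL_TOPIC) continue;
    if (topicToAddress(log.topics[1]) !== owner.toLowerCase()) continue;
    const spender = topicToAddress(log.topics[2]);
    const token = log.address.toLowerCase();
    latest.set(`${token}:${spender}`, { token, spender, amount: BigInt(log.data) });
  }
  return [...latest.values()]
    .filter((a) => a.amount > 0n)
    .map((a) => ({ ...a, unlimited: a.amount === MAX_UINT256 }));
}

// Call data for approve(spender, 0), sent to the token contract to revoke.
function revokeCalldata(spender) {
  return "0x095ea7b3" + pad32(spender) + pad32("0x0");
}

// Constructed sample data: placeholder addresses, not real contracts.
const OWNER = "0x" + "aa".repeat(20);
const TOKEN = "0x" + "10".repeat(20);
const DEX = "0x" + "d1".repeat(20);
const FARM = "0x" + "f2".repeat(20);
const mkLog = (token, owner, spender, amount) => ({
  address: token,
  topics: [APPROVAL_TOPIC, "0x" + pad32(owner), "0x" + pad32(spender)],
  data: "0x" + amount.toString(16).padStart(64, "0"),
});
const sampleLogs = [
  mkLog(TOKEN, OWNER, DEX, MAX_UINT256), // unlimited approval, still active
  mkLog(TOKEN, OWNER, FARM, 500n),       // exact approval
  mkLog(TOKEN, OWNER, FARM, 0n),         // later revoked
  mkLog(TOKEN, DEX, FARM, 42n),          // another owner's approval, ignored
];
console.log(outstandingAllowances(sampleLogs, OWNER), revokeCalldata(DEX));
```

Spending through transferFrom() lowers an allowance without necessarily emitting a new Approval event, so treat the logged amounts as candidates and confirm each one with the token contract's allowance(owner, spender) call.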

Access the Medium article about revoke.telos.net here.


As Telos expands its services and ecosystem, it is crucial to receive feedback from our users engaging in these transactions when using the new revoke.telos.net feature. Post your comments and feedback on our Discord channel.

