Why smart contract approval is dangerous

Rugpull where developers exit-scam or exploits where hackers abuse a bug in the smart contract for their economic benefit is some of the most commonly heard terms in the defi space.

But, did you know that approving a project’s smart contract is as good as giving the password to your safe and allow the project to take funds from your safe whenever they want?

What does smart contract token approval mean?

An example of how smart contract token approval from Metamask

Whenever you interact with a smart contract, it is likely to be around tokens, be it staking tokens on a platform for yields or swapping from token A to token B. For example:

  1. Staking your token for yield farming (such as PancakeSwap)
  2. Swapping from token A to token B (eg. Uniswap)

Let’s take staking your token as an example

You will definitely need to make 2 transactions or more unless you have already approved the token to the contract before.

Transaction 1 — approve the project to spend your token
Transaction 2 — deposit your token to the platform

When you call transaction 2 — the contract basically takes a token from your wallet and transfer to the smart contract. It can only do so because you’ve approved the project.

But if I don’t execute transaction 2, can they still take my token?

Once you’ve approved transaction 1, you basically give the smart contract the access to take the token you’ve approved from your wallet anytime.

What is going on?

Take the most recent example of the StableMagnet Rugpull, users had use the platform previously to perform a swap. And to perform a swap, the user would have made 2 transactions with the first being approving the smart contract.

The first hit on the user is where the stablecoin pool was drained due to a malicious code hidden in the library. The next hit is on the users who have approved the smart contract.

“Ya it’s not like I even deposited into their contract. I literally just approved the contract because I was thinking of putting a small portion in their stable pool. And even then I never ended up actually putting any in at all”

reference to the telegram message

How can this be possible?

This section is technical and if you want to see the solution, please scroll down immediately to What can I do?

Let’s take an example where we want to stake Cake token on PancakeSwap.

Cake and other tokens (USDC, BUSD) are usually ERC-20 standards. When you make the second transaction to deposit the token, PancakeSwap smart contract will call Cake ERC20 transferFrom function to transfer the token from your wallet over to their contract.

The bold line above is where the Cake token contract checks to make sure the approval is given.

function transferFrom(
address sender,
address recipient,
uint256 amount) public virtual override returns (bool) {

_transfer(sender, recipient, amount);
uint256 currentAllowance = _allowances[sender][_msgSender()];
require(currentAllowance >= amount,
"ERC20: transfer amount exceeds allowance");

unchecked {
_approve(sender, _msgSender(), currentAllowance - amount);
}

return true;
}

What can I do?

If you no longer use the project, please revoke the approval — it is generally a safe thing to do. You can re-approve the contract in the future again.

You can visit https://approval-tracker.xyz/ to do so. (currently supporting BSC, Fantom, Polygon, and One).

simply curious about new technology on the block