Home / Wallet security / Token approvals

Token approvals, explained — how to check and revoke a risky allowance before an old signature drains your wallet

If you have used a DEX, staked in DeFi, or listed an NFT, your wallet has already approved dozens of contracts. You have forgotten most of them, but they are still live — and until you revoke, each one can, in principle, move that token out of your wallet at any time. A stale approval is one of the most common ways wallets get drained. This piece explains what an approval actually grants, how to check and revoke them, and the Approve-vs-Permit difference that catches people out. There is a printable checklist at the end.

Published 2026-07-10 Updated: 2026-07-10 ~2,400 words · 11-min read Includes a self-audit checklist
SECURITY · APPROVE / REVOKE Your wallet 0xA1b2…9F3d allowance: ∞ allowance Contract / dApp spender One Approve = handing a contract the right to move a token for you vxccex.com · ChainStudy Editorial
An approval hands the right to spend some amount of one token to a contract address (the spender). How much, and to whom, is exactly how much risk you carry.
An approval is not a transfer. A transfer moves a token out of your address; an approval lets a contract move a token out of your address later, up to a set allowance, until you revoke it. The three things an approval records — which token, which spender, how large an allowance — are the whole risk. The allowance is the part that drains wallets.

⚠ Educational content only — not financial / investment / legal / security advice. On-chain operations are irreversible; a bad approval can drain 100% of a token balance. Full disclosure → disclaimer.

You swap on a DEX, you stake in DeFi, you list an NFT — and every single time, the wallet first pops an approval request. You confirm it, and only then does the transaction go through. The action is so routine that most people never stop to ask what it actually did. Yet a large share of the funds drained on-chain leave through one overlooked, still-live approval. This piece keeps it concrete: what an approval grants, and how to clean up after yourself.

What a token approval actually grants

First, separate two things. A transfer is you moving a token out of your own address. An approval is you letting someone else — a contract — move a token out of your address in the future. Why is that needed at all? Because when a dApp like Uniswap or OKX Wallet swaps for you, a contract acts on your behalf to move your tokens, and before a contract can touch your funds it needs your permission. That permission is the Approve.

An approval records three things: which token (say USDT), which spender (a contract address), and how large an allowance (the maximum that contract can move). Hold on to that last one — the allowance is the risk core of this whole article. An approval is not permission for "this one time." It is a standing ceiling that stays valid until you revoke it. A contract you approve today can still move your token next year on the strength of the same approval.

Why unlimited approval is the biggest trap

In theory you could approve only "enough for this one swap" — approve 100 to trade 100 USDT. In practice, the vast majority of dApps default to asking you to sign an unlimited approval, where the allowance is an astronomical number that amounts to no cap at all.

Why? Because it is convenient for both sides: approve once for an unlimited amount and later interactions never have to pop another approval or pay that gas again — the UX is smooth. The price of that convenience is a maxed-out exposure: as long as the unlimited approval stands, that contract can, in principle, move your entire balance of that token at any time. It behaves most of the time only because it is a legitimate project. But if that contract has a bug and gets exploited, or turns out to be a carefully packaged malicious contract, the unlimited approval you signed is a master key handed to the attacker. Nothing happens the moment you sign — the risk detonates later. That delay is exactly what makes it insidious.

How an approval becomes a theft

Understand the mechanism and you know what to defend against. Approval-based theft usually happens one of three ways:

  • Phishing that fishes for an approval. A fake airdrop-claim page, a fake mint page, a fake support link steers you to an interface that asks you to "connect wallet" and then "confirm." You think you are claiming a reward or approving a normal action; what you actually sign is an approval that grants an attacker's address an allowance on one of your tokens. Often nothing happens right away — a while later your tokens quietly leave.
  • A legitimate contract gets exploited. A real dApp contract you approved long ago develops a vulnerability and gets hacked, and the attacker uses the user approvals still sitting on it to drain everyone's tokens in bulk. You did nothing wrong; you just never revoked that old approval.
  • Draining in slices. Plenty of attacks do not empty you in one move — they use the approval to move funds slowly, so you do not immediately notice. As long as you have not revoked, the attacker can come back for another slice at any time. That is exactly why the first thing to do on spotting trouble is to revoke.

See the pattern? The risk is not in the act of approving. It is in how large an allowance you gave, to whom, and how long you left it standing. Your defense follows those same three points. To also see the phishing playbooks that steer you onto an approval page in the first place, read our wallet phishing defense guide.

How to see what your wallet has approved

Step one is always "see clearly what you have currently approved." Three common routes, take your pick:

  1. revoke.cash. Connect your wallet (or just enter your address for a read-only lookup) and it lists every active approval across multiple chains: which token, which contract, how large the allowance. It is the most direct approval-overview tool.
  2. A block explorer's Token Approvals page. Etherscan, and the explorer for each chain, has a "Token Approvals" feature — enter an address and check that chain's approvals. Good for digging into a single chain in detail.
  3. Your wallet's built-in approval manager. OKX Wallet and other major wallets now ship an approval / allowance manager, so you can view and revoke without leaving for an external site — the least fiddly option for beginners.

When you look, scan for two categories in particular: unlimited approvals, and old dApps you no longer use. Those two are your priority cleanup targets.

How to revoke an approval

Revoking is simple at its core: send another transaction that sets a contract's allowance back to zero. In any of the tools above, find the approval you want gone, click "Revoke," and the wallet pops a transaction to confirm; you pay a bit of gas, it lands on-chain, and the approval is dead.

A few points: revoking costs a little gas (a few cents on cheap chains, more on Ethereum mainnet when it is congested), so batch your cleanup during quiet hours; revoking only works on an on-chain Approve (the next section covers the exception); and — always confirm the tool's official URL. Scammers build pixel-identical fake "revoke" pages, and the moment you connect and confirm, you sign a malicious approval to them instead. Type the URL yourself or use a bookmark; never click a search ad or a random link.

Approve vs Permit: one on-chain, one off-chain

This section is the blind spot that trips a lot of people up. Beyond the ordinary on-chain Approve, there is a second way to grant an allowance called Permit (for example Ethereum's EIP-2612). It is an off-chain signature — you sign, nothing goes on-chain and no gas is paid, and the other party submits your signature on-chain only when they need to use your allowance.

The difference is dangerous. A normal Approve is recorded on-chain, so you can find it and send another transaction to revoke it. But once a Permit signature is handed over, the ordinary approval list often cannot see it and cannot block it, and the attacker can use it at any time. So for a malicious Permit you have already signed, the "go to revoke.cash and revoke" move is basically useless — the only safe option is to immediately move all the affected tokens to a new address. That is why any request that boils down to "just sign, no gas needed" deserves extra suspicion: a signature that costs nothing can be more dangerous than an approval that costs gas.

Approval self-audit checklist (printable)

Spend ten minutes on this once a month:

  • [ ] Use revoke.cash or your wallet's built-in tool to scan active approvals across every chain
  • [ ] Revoke every approval for a dApp you no longer use
  • [ ] For ones you still use but that hold an unlimited allowance, switch to a limited amount or revoke-when-done
  • [ ] Keep large holdings in a cold wallet that almost never approves anything or connects to dApps
  • [ ] Do day-to-day interaction from a hot wallet holding only a small amount you could afford to lose
  • [ ] When a "gas-free signature" request appears, stop and work out whether it is a Permit

One-line rule: approve the minimum amount, clean up regularly, and split wallets to isolate risk. When in doubt, don't sign.


FAQ · the five questions people ask

Does revoking an approval cost money?

Yes, a small amount of gas. Revoking is just another on-chain transaction that sets a contract allowance back to zero, so it costs gas like any transfer. How much depends on the chain and congestion: a few cents on cheap L2s, more on Ethereum mainnet when it is busy. To save, batch your revokes during quiet hours or use a multi-chain approval manager. Against the risk of getting drained, that gas is money well spent.

Is it safe to revoke approvals with a block explorer or revoke.cash?

Yes, if you use the genuine site — but check the URL every time. revoke.cash, the Etherscan Token Approvals page, and the approval manager built into OKX Wallet are all standard tools; they only help you send the standard set-allowance-to-zero transaction and never touch your private key. The risk is not the tool, it is the fake: scammers clone the revoke page, and once you connect and confirm you sign a malicious approval instead. Always type the URL yourself or use a bookmark, and never click a search ad or a random link.

Why do dApps keep asking for unlimited approval?

Because it is convenient for both sides: approve once for an unlimited amount and you never have to approve, or pay that gas, again on later trades. Many dApps pre-fill the unlimited amount by default. The price of that convenience is exposure: as long as the approval stands, the contract can in principle move any amount of that token from your wallet, and if the contract has a bug or is outright malicious, all of that token is at risk. The safer habit is to set a limited amount that covers just this transaction, or to revoke when you are done.

If I revoke, can I get back funds that were already stolen?

Revoking stops the bleeding, it does not reverse the theft. It prevents the attacker from using that approval to move the rest of your funds, but assets already sent out are gone because on-chain transactions are irreversible. So the first thing to do when you spot something wrong is: revoke every suspicious approval immediately, then move whatever is left to a brand-new address that is not derived from the same seed. Screenshot the suspicious transactions, the counterparty address, and the timestamps on a block explorer for your records.

What is the difference between Approve and a Permit signature, and does revoking work on both?

Approve is an on-chain transaction; the allowance is recorded on-chain, so you can see it and send another transaction to revoke it. Permit, such as EIP-2612, is an off-chain signature: you sign, nothing goes on-chain and no gas is paid, and the other party submits it on-chain only when they use it. The difference matters — a normal revoke cancels an on-chain Approve, but a Permit signature you already handed over often does not show up in the approval list and cannot be blocked there; the only safe move is to transfer the affected tokens away immediately. That is why any request to just sign with no gas needed deserves extra suspicion.

Sources cited

  1. ERC-20 approve/allowance standard · eips.ethereum.org/EIPS/eip-20
  2. EIP-2612 Permit standard · eips.ethereum.org/EIPS/eip-2612
  3. revoke.cash open-source code and docs · github.com/RevokeCash/revoke.cash
  4. SlowMist security incident archive · slowmist.com
  5. Etherscan Token Approvals checker · etherscan.io/tokenapprovalchecker