Discover more from The Rollup

We help you navigate DeFi onchain w/ actionable info & digestible research to give you an edge. Focused on L2s. Scaling to mass adoption one block at a time🙏

Over 2,000 subscribers

Master It Monday: How to avoid scams & account drains by canceling infinite approvals

Using a dope tool approved.zone to make sure you're staying safe

DeFi Slate 📈

Oct 12, 2020

Take one step closer to sovereignty every single week, join the DeFi Slate community below:

DeFi Slate Fam:

There have been more rugpulls and scammy ish going on in the DeFi space than ever before. Really, its quite unfortunate, but its also been easier than ever to avoid the scams.

Taking the necessary security measures and steps using the new apps within the non-custodial world of DeFi eliminate a lot of the security risks that CEXs bring.

Really, it should be more difficult to get hacked than ever.

*Knock on wood*

In this piece, we’ll show you how to make sure you don’t get rekt by infinite approvals, a sometimes scary smart contract function!

Happy Monday, lets send it.

- Andy

📈 Shoutout To Our Partner: MCDEX— trade the first ever decentralized ETH & LINK perp swap contracts on MCDEX.👨🏽‍🌾

🙏Big Ups To Our Great Sponsor Aave: Earn Interest & Leverage Your Assets with Aave, a non-custodial money market protocol leading the #DeFi charge.

ALPHA LEAK: Deposit LINK tokens into Aave to get aLINK, then head over to Yearn to put your aLINK into the yaLINK vault for extra yield. It all starts here with Aave!

Master It Monday: How to avoid scams & account drains by canceling infinite approvals

Unfortunately not many people really understand what infinite approval is, nor how it can really have harsh ramifications if not taken care of & addressed. Frankly, I just learned about it a few weeks ago after using metamask all the time, interacting with more smart contracts than iPhone apps in the last few months.

Seriously, though. It was only until a few weeks ago I realized the power of smart contracts & why they can be revolutionary for the financial system. They are fookin’ trustworthy man. You can place your trust in the audited code.

Spencer Noon @spencernoon
There is no such thing as a 100% safe smart contract Bugs can always be found, even in code that has been looked at thousands of times Because of this most users will only store funds in protocols built by world class developers This is what the “fork out the fees” people miss
1:08 AM ∙ Oct 12, 2020
126Likes15Retweets

This is why we advocate for platforms like Aave, Compound, Synthetix, Yearn, Uniswap…still risky, but they have world class teams & several audits.

However, you have to count on the teams + auditing companies to do their job properly, and there’s human error there. Always room for issues, that’s why we stress this stuff being so new that its very risky.

If you’ve never used smart contracts or MetaMask before, that’s totally cool. But if you have, you certainly know that in order to operate transactions on Uniswap, Aave, etc etc you have to ‘Approve’ the transaction before it goes through.

When you confirm this transaction, you are approving the smart contract behind Uniswap to spend the give amount of ONLY your CHI tokens. In this example, there were like 35 tokens in the wallet so therefore Uniswap can only spend 35 CHI tokens that are in the wallet. No other tokens in the wallet, nor any other amount of CHI tokens if more were to deposited at a later date, for example.

So, then what is infinite approval?

From the CoinMarketCap Glossary (People still use this site? Sheeesh):

“Infinite approval is a smart contract programming practice, often considered to be problematic. This programming feature sees a given smart contract require authorization to access an unlimited number of tokens from the user’s wallet instead of only the number that is actually needed.”

This happened to Bancor in the early days of their DEX, more here:

“An infamous example of a smart contract that was programmed this way is one employed by decentralized exchange Bancor. When a user first used the system, he had to give the smart contract an authorization to withdraw an unlimited number of tokens from his wallet.
Bancor’s smart contracts also contained a vulnerability that could have allowed a hacker to steal all the units of the token that the user authorized the contract to manage by leveraging this vulnerability. Fortunately, Bancor’s programmers noticed before malicious actors could steal the tokens and later modified their systems to only ask for approval for the needed number of tokens. The developers preemptively “stole” user funds to return them later to avoid a hack.”

There a few instances in which you could have approved infinite transactions in the past, one of the most prominent is on 1inch where they have the ‘Infinity Unlock’ as seen below.

Got it. How do I protect myself?

Gotcha. So there’s a really cool website approved.zone where you can see all the approvals you’ve ever given to any smart contract. Whether its a token swap on uniswap, using Aave, or a sketchy yield farming project they are all there.

And here’s where the fun starts.

First, connect your metamask to see all the approvals that you’ve ever approved. And then scroll down and browse all the ones with the ∞ symbol, meaning infinite approval.

So for these two contracts, you can see there is infinite approval for DAI, WBTC, & two UNI-V2 LP tokens. Meaning, if the devs of this contract ever ~wanted to~ they could quickly alter the code and drain all of those tokens from this wallet. Now most smart contracts have timelocks so you’d be able to cancel / move funds before the changes took place, but still, sketchy.

In order to cancel this ability, we have to press ‘Decline for contract’ on the left and remove the full ability to spend. You’ll have to approve the approved zone spending (kinda ironic, eh?) in order to go through with it.

Once you’ve done this, the next step is to refresh the page & make sure that the pair has been removed from the list! Once the transactions approve, you’re good to go.

Gotta stay safe degens!

Hope you enjoyed this one, and I've been doing this myself often recently. There’s no excuse to not stay safe, especially when gas is cheap 👨🏽‍🌾

Liked this post? Share with a friend :)

Subscribe to the DeFi Slate Newsletter & join thousands of other crypto enthusiasts:

🌐Check Us Out On Twitter!

🚀Join the community on Discord to get our freeV.1. yield farming guide!

🎤Subscribe to our YouTube channel!

Check out some previous interviews:

Last week in review: