Blog

How To Avoid MetaMask Infinite Approval Exploits

When you interact with a DApp, the smart contract behind it often needs to perform transactions that transfer tokens out of your wallet. For security reasons, however, a smart contract cannot access your tokens without explicit permission. When a user approves a token request in a DApp (via the `approve()` function), they grant the DApp (the spender) permission to access a specified amount of their tokens through the `transferFrom()` function, as defined in the ERC-20 standard. This lets the DApp move tokens from the user's account to another account without the user having to approve each individual transfer.

An `approve()` call records the owner's address (the caller), the spender's address, and the approved amount as an allowance. No tokens move at this stage; the approval only authorizes future transfers up to that limit.

When the spender wants to move tokens, it calls `transferFrom()`, which checks that the spender's allowance covers the transfer amount and that the owner holds enough tokens. If both conditions hold, the tokens are transferred from the owner to the recipient, the spender's allowance is reduced by the transferred amount, and the transaction is recorded on the blockchain.
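The allowance rules described above, written out as an added example (this is not code from the original post, and it is an in-memory model rather than a deployed contract). Balances, allowances and the addresses `0xalice`, `0xdapp` and `0xsink` are constructed sample data. One caveat the model makes visible: widely used ERC-20 implementations (OpenZeppelin's among them) do not decrement an allowance equal to the maximum uint256 value, which is precisely why an "infinite" approval never runs out.

```javascript
// Added example: a minimal in-memory model of the ERC-20 allowance rules
// that approve() and transferFrom() enforce. Not the post's own code.
// All addresses and balances below are constructed sample data.

const MAX_UINT256 = (1n << 256n) - 1n; // the value used for "infinite" approvals

class Erc20Model {
  constructor(initialBalances) {
    this.balances = new Map(Object.entries(initialBalances).map(([a, v]) => [a, BigInt(v)]));
    this.allowances = new Map(); // key "owner|spender" -> BigInt allowance
  }

  balanceOf(addr) { return this.balances.get(addr) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}|${spender}`) ?? 0n; }

  // approve(): records (owner, spender, amount). No tokens move here.
  approve(owner, spender, amount) {
    this.allowances.set(`${owner}|${spender}`, BigInt(amount));
    return true;
  }

  // Revoking is just approve(spender, 0): the allowance is overwritten with zero.
  revoke(owner, spender) { return this.approve(owner, spender, 0n); }

  // transferFrom(): the spender moves tokens from owner to recipient,
  // subject to the two checks the post describes.
  transferFrom(spender, owner, recipient, amount) {
    amount = BigInt(amount);
    const allowed = this.allowance(owner, spender);
    if (allowed < amount) throw new Error('ERC20: insufficient allowance');
    if (this.balanceOf(owner) < amount) throw new Error('ERC20: transfer amount exceeds balance');
    // Common implementations skip the decrement for an unlimited allowance,
    // so MAX_UINT256 stays MAX_UINT256 no matter how much is moved.
    if (allowed !== MAX_UINT256) {
      this.allowances.set(`${owner}|${spender}`, allowed - amount);
    }
    this.balances.set(owner, this.balanceOf(owner) - amount);
    this.balances.set(recipient, this.balanceOf(recipient) + amount);
    return true;
  }
}

// Scenario: an exact approval versus an unlimited one from the same owner,
// followed by a revocation. Returns the observable results.
function demo() {
  const alice = '0xalice', dapp = '0xdapp', sink = '0xsink'; // constructed labels
  const token = new Erc20Model({ [alice]: 1000n });

  // Exact approval: the dApp can move 100 tokens and then nothing more.
  token.approve(alice, dapp, 100n);
  token.transferFrom(dapp, alice, dapp, 100n);
  const leftAfterExact = token.allowance(alice, dapp); // 0n

  // Unlimited approval: repeated transfers never exhaust the allowance.
  token.approve(alice, dapp, MAX_UINT256);
  token.transferFrom(dapp, alice, sink, 400n);
  token.transferFrom(dapp, alice, sink, 400n);
  const leftAfterInfinite = token.allowance(alice, dapp); // still MAX_UINT256

  // Revoke: the next transferFrom() fails the allowance check.
  token.revoke(alice, dapp);
  let blocked = false;
  try { token.transferFrom(dapp, alice, sink, 1n); } catch (e) { blocked = true; }

  return { aliceBalance: token.balanceOf(alice), leftAfterExact, leftAfterInfinite, blocked };
}

console.log(demo()); // aliceBalance 100n, leftAfterExact 0n, leftAfterInfinite MAX_UINT256, blocked true
```

The point of the model is the difference between the two approvals: the exact one is spent after a single matching transfer, while the unlimited one still reads `MAX_UINT256` after 800 tokens have left the owner's balance, and only `approve(spender, 0)` stops further transfers.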


Infinite Approval & Exploits

An infinite (unlimited) token approval lets a DApp spend any amount of a user's tokens without asking for permission again. This simplifies interactions with DApps, reduces the number of approval transactions, and therefore saves gas fees and time.

However, infinite token approval carries a significant security risk: if the DApp or its smart contract is, or later becomes, compromised, malicious actors can drain every token covered by the approval.


How to Stay Safe from Infinite Approval Exploits

To protect your assets from infinite token approval exploits, follow these steps:

1. Review & Revoke Unnecessary Approvals

Revoking a token approval is not the same as disconnecting your wallet from a dApp. Disconnecting severs the connection between your wallet and the dApp: the dApp can no longer see your public address and token balances, but the token approvals remain in place. A dApp that already holds an approval can still access and move those tokens until the approval is explicitly revoked. Only once it is revoked can the dApp no longer move those tokens on your behalf.

This matters most for degens who regularly interact with many DeFi products and end up with a pile of unneeded and unsafe approvals. Audit the permissions you have granted to dApps frequently and revoke any that look suspicious or unnecessary.

Etherscan Token Approval Checker: Visit sites such as https://basescan.org/tokenapprovalchecker, connect your wallet, and revoke permissions for any dApps or tokens you no longer use.


Revoke[dot]cash: This is another tool that helps you manage and revoke token allowances.
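What approval checkers do under the hood, as an added example (not code from the original post or from Etherscan or Revoke.cash): read the token's ERC-20 `Approval` event logs, keep the latest allowance per (token, spender) for your address, flag the unlimited ones, and prepare the `approve(spender, 0)` calldata that revokes them. The event topic and the `approve` selector are the standard ERC-20 values; the log entries and the addresses (`OWNER`, `TOKEN`, `ROUTER`, `VAULT`) are constructed sample data. Actually submitting the revoke transaction through MetaMask (`eth_sendTransaction`) or an RPC provider is deliberately left out; the code produces the `to`/`data` pair a wallet would sign.

```javascript
// Added example: build an allowance report from ERC-20 Approval logs and
// prepare revocation calldata. Not the post's own code; sample data constructed.

// keccak256("Approval(address,address,uint256)") and keccak256("Transfer(address,address,uint256)")
const APPROVAL_TOPIC = '0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925';
const TRANSFER_TOPIC = '0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef';
const APPROVE_SELECTOR = '0x095ea7b3'; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

// ABI helpers: a 32-byte word holds an address in its low 20 bytes.
const addressToWord = (addr) => '0x' + addr.slice(2).toLowerCase().padStart(64, '0');
const uintToWord = (n) => '0x' + n.toString(16).padStart(64, '0');
const wordToAddress = (w) => '0x' + w.slice(-40).toLowerCase();

// Decode one raw log; returns null for anything that is not an Approval event.
function decodeApprovalLog(log) {
  if (log.topics[0] !== APPROVAL_TOPIC) return null;
  return {
    token: log.address.toLowerCase(),
    owner: wordToAddress(log.topics[1]),
    spender: wordToAddress(log.topics[2]),
    value: BigInt(log.data),
    blockNumber: log.blockNumber,
  };
}

// approve() overwrites rather than adds, so only the newest Approval per
// (token, spender) reflects the current allowance. Zero allowances are dropped.
function allowanceReport(logs, owner) {
  const latest = new Map();
  for (const log of logs) {
    const ev = decodeApprovalLog(log);
    if (!ev || ev.owner !== owner.toLowerCase()) continue;
    const key = `${ev.token}|${ev.spender}`;
    const prev = latest.get(key);
    if (!prev || ev.blockNumber >= prev.blockNumber) latest.set(key, ev);
  }
  return [...latest.values()]
    .filter((ev) => ev.value > 0n)
    .map((ev) => ({ ...ev, unlimited: ev.value === MAX_UINT256 }));
}

// ABI-encode approve(spender, 0): selector + padded address + zero word.
function revokeCalldata(spender) {
  return APPROVE_SELECTOR + addressToWord(spender).slice(2) + uintToWord(0n).slice(2);
}

// One transaction per unlimited approval: call the token contract's approve().
function revokePlan(logs, owner) {
  return allowanceReport(logs, owner)
    .filter((ev) => ev.unlimited)
    .map((ev) => ({ to: ev.token, data: revokeCalldata(ev.spender) }));
}

// ---- constructed sample data (not real chain data) ----
const OWNER = '0x1111111111111111111111111111111111111111';
const OTHER = '0x2222222222222222222222222222222222222222';
const TOKEN = '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';
const ROUTER = '0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb';
const VAULT = '0xcccccccccccccccccccccccccccccccccccccccc';

function approvalLog(token, owner, spender, value, blockNumber) {
  return { address: token, topics: [APPROVAL_TOPIC, addressToWord(owner), addressToWord(spender)],
           data: uintToWord(value), blockNumber };
}

const SAMPLE_LOGS = [
  approvalLog(TOKEN, OWNER, ROUTER, MAX_UINT256, 100),        // unlimited, still active
  approvalLog(TOKEN, OWNER, VAULT, 100n * 10n ** 18n, 101),   // exact amount
  approvalLog(TOKEN, OWNER, VAULT, 0n, 102),                  // later revoked by the owner
  approvalLog(TOKEN, OTHER, ROUTER, MAX_UINT256, 103),        // someone else's approval
  { address: TOKEN, topics: [TRANSFER_TOPIC, addressToWord(OWNER), addressToWord(VAULT)],
    data: uintToWord(5n), blockNumber: 104 },                 // a Transfer, not an Approval
];

console.log(allowanceReport(SAMPLE_LOGS, OWNER)); // one entry: ROUTER, unlimited: true
console.log(revokePlan(SAMPLE_LOGS, OWNER));      // [{ to: TOKEN, data: '0x095ea7b3...' }]
```

The `data` field is exactly what an explorer's "revoke" button asks your wallet to sign: a call to the token contract, not to the dApp, setting that spender's allowance to zero. A real scan would fetch the logs with a filter on `APPROVAL_TOPIC` and your address as the owner topic; the decoding and the latest-wins rule are the same.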



2. Double Check Every Infinite Approval

To verify the legitimacy of a dApp, NFT collection, or other blockchain-based service, look up its smart contract address on the relevant block explorer (e.g., Etherscan for Ethereum) and cross-check it on token listing sites such as CoinGecko. Every smart contract has a unique address, and any reputable project makes that address readily available to the public.

As explained earlier, some DApps request infinite token approvals to save time and gas fees. To protect your assets, grant an infinite approval only to reputable contracts, and only when necessary. Otherwise, approve just the amount required for the specific transaction or activity, and reduce or revoke the approval promptly once it is completed.