An ERC-20 token approval is a permission you sign that lets a smart contract spend tokens from your wallet, and revoking those approvals is a routine security task, not a one-time event. Dormant or 'infinite' approvals are a leading way wallets get drained months after a user forgets about a contract, so a monthly cleanup is the single highest-leverage habit a self-custody user can build.
Key takeaways
- An 'infinite' ERC-20 approval lets a contract spend every token of that type you own, and every time you hold, until you revoke it.
- Most DeFi drains in 2023 and 2024 exploited old approvals, not new phishing signatures, because the victims had long since forgotten the contract existed.
- Revoke.cash, the Etherscan token-approval tool, and Rabby's built-in approval manager all read the same on-chain data; pick one and use it monthly.
- Revoking does not reverse a past theft. It only stops a contract you previously approved from moving tokens in the future.
- On Ethereum mainnet a single revoke can cost a few dollars in gas; the same call on an L2 like Base or Arbitrum typically costs cents.
What a token approval actually is, and why it outlives the trade
When you swap a token on a decentralized exchange, lend assets on a money market, or stake through a DeFi dashboard, you do not hand your tokens to a person. You sign a message that asks the token's smart contract to let a different smart contract move a specific number of your tokens on your behalf. That signed message is the approval, and it lives on-chain indefinitely until you or someone explicitly cancels it.
This is the part most beginners misunderstand. The approval is not tied to a single trade. It is a standing permission. The DEX or lending protocol you interacted with in 2023 can, in principle, still move tokens out of your wallet today, because the token contract itself recorded that it is allowed to.
There are two flavors you will see in a tool like Etherscan. A 'limited' approval sets a ceiling, for example 100 USDC, after which the contract has to ask you to sign again. An 'infinite' approval (technically the maximum value representable in a uint256, which is a 256-bit unsigned integer, or a number so large it might as well be unlimited) sets no ceiling. Most DeFi front-ends default to infinite because it spares the user an extra signature on every future trade, and because paying gas twice for the same dapp feels wasteful.
The trade-off is real: an infinite approval is convenient for you, and it is also convenient for anyone who later takes control of that contract.
The risk: how a forgotten approval becomes a drain
The failure mode is rarely a clever new hack. It is almost always one of three older patterns, and all of them are made worse by approvals that have been sitting on-chain for months.
1. The contract itself gets compromised. A developer key is phished, a multisig wallet is hijacked, or the protocol suffers a governance attack where attackers pass a proposal that upgrades the contracts to a malicious version. Once the contract is hostile, every still-active approval it holds is a loaded weapon pointed at the user's wallet. The user does not need to interact with anything new. The contract simply calls transferFrom on its own.
2. The protocol is abandoned but the contract is not paused. Many DeFi projects ship, raise money, lose interest, and quietly wind down. The contracts keep running. If a vulnerability is later found and there is no team to patch it, attackers can drain every wallet that ever approved that address. This has happened repeatedly with old staking and yield-aggregator contracts from the 2020 to 2021 cycle.
3. You approved a phishing site that looked like a real dapp. A fake Uniswap or Aave interface signs an approval to a contract the attacker controls. The user thinks they are trading, but they have actually handed a stranger permission to drain a specific token. In this case revoking is urgent, and it is also the only fix, because the signed approval is already on-chain.
Notice what is missing from this list: you do not need to be 're-hacked' for the drain to happen. The vulnerability is the approval itself, sitting in cold storage on the blockchain, waiting for a future event to activate it.
How to see what you have already approved
The first step is inventory. Connect your wallet to one of three tools, all of which read the same underlying blockchain data and present it in slightly different ways.
Revoke.cash is the most beginner-friendly. You land on the site, connect your wallet, and it lists every approval you have signed across the chains it supports, which today includes Ethereum, Arbitrum, Optimism, Base, Polygon, BNB Chain, and most other major EVM (Ethereum Virtual Machine) networks. Each row shows the token, the spender (the contract that can move the token), the allowance (how much it can move), and a 'Revoke' button. It also flags contracts that have not been used in a long time as potentially dormant.
The Etherscan token-approval tool lives at etherscan.io/tokenapprovalchecker. It is rougher around the edges than Revoke.cash but it is run by a team with a long public track record, and it sometimes catches edge cases Revoke.cash misses. The workflow is the same: connect, review, revoke.
Rabby's built-in approval manager is the only on-chain option that does not require visiting a third-party site. Rabby is a wallet (a browser extension and mobile app) that itself reads your approvals and surfaces a 'dangerous approvals' list inside the wallet UI. If you already use Rabby, this is the lowest-friction path. The data is the same data; the interface just lives somewhere you already trust.
Whichever tool you pick, use only one per session. The risk of juggling multiple approval-checker tabs is that you lose track of which site is connected to your wallet, which is itself a mild phishing risk.
How to tell which approvals are actually dangerous
Once you have the list, you do not need to revoke everything. A good first pass prioritizes the riskiest entries.
Infinite approvals come first. Sort or filter the list for any row that shows a huge number, often displayed in scientific notation like 1.15792e+59, which is the encoded form of the maximum uint256. These are the highest-leverage cleanups. Each one is a contract that can move 100 percent of that token from your wallet without asking again.
Limited approvals to contracts you no longer use are next. If you approved a staking contract for exactly 500 tokens two years ago and you no longer use it, that approval is still live. It is a smaller blast radius than an infinite one, but it is still a loaded gun pointed at a contract you do not monitor.
Dormant contracts deserve scrutiny. Most approval tools show a 'last used' timestamp or mark contracts that have not transacted in over a year. These are the approvals most likely to belong to abandoned projects, and abandoned projects are the approvals most likely to be exploited later. Revoke them.
Active contracts you still use can wait. If you actively trade on Uniswap and lend on Aave, you can keep those approvals open. Revoking and re-approving every trade wastes gas and adds signature fatigue, which is its own security risk. The point of a monthly cleanup is not zero approvals; it is zero stale approvals.
The mechanics of revoking, and what it actually costs
Revoking is itself an on-chain transaction. You are calling the approve function on the token contract and setting your allowance for that spender to zero. The token contract records the new allowance, and from that block forward, the spender can no longer move your tokens.
On Ethereum mainnet, a single revoke typically costs somewhere between one and five dollars in gas depending on congestion. If you have twenty stale approvals, that is a non-trivial bill. On layer-2 networks (L2s) like Base, Arbitrum, or Optimism, the same call costs cents, sometimes fractions of a cent, because L2s batch transactions and inherit security from Ethereum while charging much lower fees. If you are choosing where to do your monthly cleanup, doing it on the L2 you actually use is almost always the right call.
There is a small but real footgun. When you submit a revoke transaction, the wallet still has to pay gas, and the gas must come from the native asset of that chain, meaning ETH on Ethereum and Arbitrum, MATIC on Polygon, BNB on BNB Chain. If your wallet only holds stablecoins and the native asset balance is zero, the revoke will fail. Keep a small amount of the native token in any wallet you intend to clean up, on the order of a few dollars' worth.
Another footgun: revoking is irreversible in the sense that you cannot get the gas back, but it is also trivially reversible in the sense that you can re-approve the same contract the next day. There is no penalty for revoking a contract you later decide to use again; you will just have to sign a new approval, pay gas for it, and move on.
What revoking does not do
Revoking prevents future drains from the contract you revoked. It does not, and cannot, undo a drain that already happened. If your wallet was emptied in March and you revoke in May, the tokens from March are gone, and the revoke transaction is unrelated to the theft in any legal, forensic, or recoverable sense.
Revoking also does not protect you from a new approval you sign tomorrow. If you visit a phishing site, sign an approval to a malicious contract, and then try to clean up, the new approval is the problem, and revoking your old Uniswap allowance does nothing to address it.
Revoking does not move your tokens. It does not require a swap, a signature from a third party, or any interaction with the spender contract. It is a single function call to the token contract itself, telling it to zero out one row in its allowance ledger.
A monthly routine you can actually keep
The single biggest reason people never revoke is that it feels like a one-time chore, which guarantees it never gets done. The most reliable fix is to anchor it to a calendar event. The first Sunday of the month is a popular choice because weekends are quiet and you are less likely to be mid-trade; some people pick the day their credit-card statement closes for the same reason. The specific day does not matter. The repetition does.
On cleanup day, the workflow is short. Open Revoke.cash, Etherscan, or your Rabby approval manager. Connect the wallet you actively use. Sort for infinite approvals first and revoke those. Then scan for dormant contracts, which the tool usually marks, and revoke those. Leave the active contracts you still use alone. Confirm each transaction, wait for it to settle, and close the tab.
Time cost on an L2: roughly five to ten minutes. Time cost on mainnet: similar, plus a few dollars in gas. The habit, once installed, takes less time than checking your bank statement and pays for itself the first time it blocks a drain.
How to follow wallet-security news the smart way
Wallet-security incidents move fast, and the difference between a 'manageable hack' and a 'total loss' is almost always how quickly a user hears about a vulnerable contract and revokes their approval before an attacker sweeps it. Tracking every protocol's governance forum, audit reports, and post-mortems by hand is a losing game. Zippfeed surfaces wallet-security and DeFi exploit headlines with sentiment scoring (bullish, neutral, or bearish) and an importance rating, so you can revoke the right approvals before the next drain, not after it.