Granting approvals is a vital aspect of interacting with various DeFi services, as these platforms necessitate permissions to activate the smart contracts that enable actions such as token transfers, trading, lending, borrowing, and other financial operations on behalf of token holders.
Unfortunately, even when permissions are provided to reputable projects, there is still a risk of misuse. A large number of phishing scams in the cryptocurrency space occur when users inadvertently allow scammers to gain access to their digital assets and put their wallet security at risk. This could give hackers the rights to spend your tokens.
Frequently revoking permissions granted to trustworthy platforms significantly reduces the likelihood of asset theft. This practice becomes especially important after phishing incidents where permissions have already been compromised. To learn more about the process of revoking permissions to take back control of your wallet and to explore Revoke Cash, one of the top tools for reclaiming access to your digital assets, keep reading this article.
What Permissions Can Be Granted in the Context of Digital Assets?
As explained above, token approvals, also known as permissions and allowances, enable smart contracts to perform many common types of interactions with cryptocurrencies, including delegation of financial transfers to certain smart contracts. This also facilitates the automation of activities executed according to predefined algorithms, such as pooling or swapping. Certain yield farming strategies may also require permissions for automated fund movements to maximize returns.
In addition to automation, permissions are a part of the token allowance mechanism utilized by many token standards, including ERC-20, which enables users to interact with multiple contracts seamlessly, as transfers of a specific amount of tokens below a predefined limit can be conducted without granting separate approvals.
Evolution and Confusion in Approval Mechanisms
Over time, approval mechanisms have evolved to enhance user experience, reduce costs, and bolster security.
The traditional approve() function defined in the ERC20 token standard, while functional, posed challenges such as gas fees, repeated authorizations, and security concerns, which led to the development of a more effective solution.
EIP-2612 introduced Permit signatures, enabling gasless approvals and improving user experience. Subsequently, these signatures evolved into Permit2, developed by the Uniswap team. In addition to universal gasless approvals, Permit2 supports automatic expiration, streamlining the integration process with various platforms and enhancing security.
However, according to crypto influencers, including Mikko Ohtamaa, a co-founder of Trading Protocol, this evolution has led to the development of several incompatible mechanisms. In a thread on phishing attacks, Ohtamaa pointed out that all of these approaches "use a custom signature or approval scheme, which is not user-readable and does not clearly state what assets it is transferring," despite helping users save money on gas fees and facilitating the work of developers and smart contract auditors.
Ohtamaa believes the current security improvements are insufficient while "services like Uniswap and OpenSea mislead users to give infinite approvals and sign anything."
The functionality allowing users to grant allowances for various purposes is also a part of the security mechanism. After all, without permissions, tokens are inaccessible to unauthorized parties by default. However, many applications request unlimited access to tokens, which affects the general vigilance even of experienced crypto users.
Meanwhile, the complexity of the smart contract concept in general, as opposed to the clear nature of traditional banking transfers, combined with the rapid evolution of the technology, creates an educational gap. Coupled with requests for unlimited access, these factors deepen the confusion among cryptocurrency users and create a breeding ground for scammers to capitalize on them.
In the crypto community, the term "revoke" is typically associated with the process of revoking token allowances. In other words, allowances get the status of revoked when you officially cancel the permissions granted to a platform to access your tokens.
In practice, there are several methods to get your allowances revoked, some of which may require varying levels of technical skill. Dedicated platforms like Revoke.Cash are designed to provide users with an easy way to manage their token allowances across different projects, while some platforms like MetaMask offer features allowing users to directly review and revoke their allowances on selected networks, often including Ethereum.
Revoking active approvals is also possible through network explorers such as Etherscan or Polygonscan. Although less user-friendly, this method is based on the same rules as Revoke.Cash and is also a reliable way to avoid the abuse of approvals.
How To Revoke Approvals With Etherscan?
In the case of Etherscan, you need to go to the Token Approvals page accessible through the More menu located in the top navigation bar of the interface. There, you enter the address of your wallet and select the type of token you would like to check the approvals for, choosing from ERC20, ERC721, or ERC1155.
This generates a list of tokens with their approvals, where you will also see the Revoke button allowing you to cancel the granted permissions associated with the selected token.
The process of revoking approvals through other network scanners is quite similar.
A more advanced process to get permissions revoked involves sending a new approval transaction, which includes the same token details such as a token address, spender address, and amount. The original approval should have the same nonce, which is a unique identifier for each transaction.
This causes the blockchain to consider your new transaction as an update to the existing transaction.
Why Is It Necessary To Revoke Access to Your Funds?
Now that you understand the meaning of "revoke" in the context of cryptocurrency, let's delve into the importance of revoking approvals in detail.
As mentioned earlier, the primary reason to revoke crypto approvals is to protect your assets.
If you have just fallen victim to a phishing scam and lost your funds, it is essential to revoke approvals immediately. As you will learn from the real-life scenarios described further in the article, being scammed multiple times is a very real possibility, and it is necessary to protect your funds from unauthorized transactions, even if it may seem too late. If you fail to get your approvals revoked, malicious actors will still have the privilege of accessing your assets.
Naturally, if the theft has not yet occurred but you suspect the contract might be compromised, revoking approvals can indeed safeguard your funds.
Unfortunately, while it is rather difficult to identify phishing attempts, cryptocurrency users tend to have even lower vigilance when dealing with legitimate projects. However, even well-audited contracts can still have vulnerabilities that can be abused by hackers or even the project's deployers themselves. For that reason, it is good practice to annul access to your assets whenever it is not required and grant it again if there is such a necessity.
The previous point about revoking unnecessary approvals even when they were granted to legitimate services also highlights another advantage of this practice: enhanced control over your funds.
Dynamic changes in permissions based on current financial needs and personal preferences limit excessive control over your assets by third parties.
While this advantage of having approvals revoked may seem less important to many cryptocurrency users who are not particularly concerned about their privacy, this point is critical for those seeking financial anonymity.
By granting approvals, users may expose their token balance and transaction history to the contract that is now allowed to manipulate funds on the owner's behalf. In turn, when you revoke access to your assets, you also limit the visibility of your token holdings.
Real-Life Scenarios
As mentioned earlier, it is imperative to immediately revoke permissions after a theft of assets. Unfortunately, the cryptocurrency community has witnessed multiple situations where victims were unaware of the importance of revoking consent to manipulate funds, leading to further thefts.
One notable incident of a victim losing funds several times because the approvals were not revoked took place in January. According to the team behind the anti-scam solution Scam Sniffer, the victim did not take any steps to withdraw approvals after a significant loss of 1576 ETH worth over $3.504 million at press time, which allowed the drainer to act further and steal another 98 ETH worth more than $343,000 and 158 ETH worth almost $554,000, respectively.
According to ScamSniffer, by signing a phishing approval, the victim lost the first portion of funds, leading to "the liquidation of their collateral by a bot" and a subsequent increase in ETH. ScamSniffer estimated that there still was a 10% risk of theft from the existing balance since the malicious approval was not revoked soon enough.
Despite the multiple warnings sent by cybersecurity experts and on-chain researchers ZachXBT, Samczsun, SunSec, h3idilao, and the teams behind Etherscan and SlowMist, the victim still did not revoke approval for a long time.
"The drainer eventually discovered this situation and transferred 95 ETH that could be transferred," ScamSniffer stated in its report, adding that "This operation also led to subsequent liquidation, resulting in another 158 ETH being stolen once again," which "could have been prevented by timely revocation of approval after being stolen."
According to ScamSniffer, the wallet participating in this crypto theft had already stolen approximately $100 million between April 2023 and January 2024.
A more recent case of a victim who suffered multiple thefts because the approvals were not revoked was highlighted by SomaXBT, a Web3 fraud researcher. According to SomaXBT, it was already the second time the NFT holder had lost the same BAYC, and the researcher alleged that the phishing toolkit Pink Drainer was behind this theft. When the collectible was stolen for the first time, the loot also included two other ape NFTs.
SomaXBT explained that the victim was able to recover their NFT as the fraud researcher found it on the OpenSea marketplace unflagged, purchased it through the service, and returned it to the owner.
Revoke Access to Your Crypto With the Revoke.Cash Browser Extension
As mentioned earlier, some platforms, such as MetaMask, support direct approval revoking. However, Revoke.Cash offers particularly extensive coverage for numerous networks. According to the official website of Revoke Cash, it can assist in approval management on over sixty networks. At the time of publication, the extensive list of supported networks included not only such popular mainnets as Ethereum, Polygon, Arbitrum, Avalanche, Base, Optimism, Fantom, and Blast but also numerous testnets including Scroll Sepolia, Horizon Gobi, Berachain, Celo Alfajores, and many others.
This functionality is provided by Revoke.Cash Token Approval Checker. However, this is not the only Revoke Cash product that can help cryptocurrency users take back control by revoking active approvals.
The Revoke.Cash browser extension, another application offered by the Revoke team, "helps you prevent signing malicious approvals" as it "pops up whenever you are about to sign an approval and will inform you of the approval details."
Furthermore, the extension aims to protect its users from a scam that deceives owners of NFTs into signing gasless signatures provided on phishing websites, which in turn facilitates the theft of digital collectibles.
The Revoke team claims its browser extension "works with every EVM-based network including Ethereum, Polygon, and Avalanche" while the tool does not disrupt interactions with the official websites of popular platforms such as OpenSea, Blur, LooksRare, X2Y2, and Uniswap.
On top of that, Revoke Cash makes it possible for its users to check whether their wallets are affected by exploits with the Exploit Checker feature available on the Approval Hacks and Exploits page.
Here, users can find a list containing dozens of incidents dating back to June 18, 2020, when the Bancor whitehat hack took place. Back then, the cybersecurity team 1inch discovered a vulnerability in the Bancor decentralized financial system. Although the 1inch specialists managed to rescue $400,000, nearly $135,000 were taken by automated front-running bots.
At press time, the most recent event on the list was the Seneca hack, which happened on February 28. Fortunately for its users, 80% of the $6.4 million stolen amount was returned to the protocol by the hacker in exchange for a bug bounty reward.
For all of the incidents on Revoke's list, users can check whether their addresses were affected. For more convenience, the app also lists all networks affected by a certain hack, while the exploit checker can assess addresses across all of these chains.
Is Revoke Cash Legit?
Revoke.Cash is one of the most popular solutions utilized by cryptocurrency users for approval management and is commonly recommended by cybersecurity teams. The project was founded in 2019 by software engineer Rosco Kalis. According to the tech-focused media blog Tokenizedhq, the source code of the platform is public, and the solution is currently considered "a standard approach for revoking approvals."
Surprisingly, Scamadviser, a tool designed to identify fraudulent websites, gave Revoke.Cash a rather low score, only seventeen out of one hundred points. Scamadviser also cites the score Revoke Cash gained from the Gridinsoft anti-malware tool, which reportedly "flagged the website as potentially malicious."
Scamadviser recommends staying vigilant while interacting with the Revoke.Cash website as "it has a strong indicator of being a scam."
However, Scamadviser also warns that despite receiving a low score during the scam assessment, which is based on "forty different elements like who owns the website, are the contact details hidden, where is the website hosted, what is the technology being used, and much more," the website may still be safe to use.
Indeed, the summary of the negative highlights revealed by Scamadviser includes two major points. Firstly, the scam-detecting tool has noticed that the identity of Revoke Cash's owner is hidden through a paid service. Secondly, Scamadviser also adds additional risk points to Revoke.Cash merely based on the fact that the website is associated with cryptocurrency services, which themselves "can be high risk."
At the same time, Scamadviser provides a long list of positive highlights about Revoke Cash, including its safety confirmed by such platforms as DNSFilter, Flashstart, Maltiverse, and Trend Micro. In addition, Scamadviser emphasizes that the SSL certificate of the website is valid, the service is receiving a lot of traffic, and it also has a long presence online.
How To Use Revoke Cash To Take Back Control of Your Wallet
Firstly, you need to connect your wallet by clicking on the "Connect Wallet" button located at the top right corner of the interface. Alternatively, you can manually enter your wallet address in the provided search bar.
Once the wallet is connected, you gain access to a suite of tools assisting approval management. The Revoke.Cash website recommends starting with inspecting current approvals. For your convenience, you can narrow your search by selecting the networks you need and using a range of sorting options, for instance, to order the approvals from the newest updates to the oldest updates. You can also apply filters to facilitate the search. "Approved Amount: Unlimited" is one of the options you can choose.
The Revoke Cash interface will show you the asset that can be accessed due to the active approval, its type, the approved amount, the authorized spender, as well as the date of the last update.
Finally, when you identify approvals that are no longer necessary or relevant, you can easily revoke them by pressing the "Revoke" button located next to each of the assets on the list.
How Much Does It Cost To Use Revoke.Cash?
Revoke Cash is a completely free service. However, revoking an approval itself requires a gas fee as it is handled as a blockchain transaction. It is not possible to name a specific price as gas fees fluctuate depending on various factors.
If you search for Revoke.Cash alternatives, you are likely to come across numerous tools. However, although they are mostly related to Web3 security, their functionality differs significantly from what Revoke Cash offers to its users.
As mentioned earlier in this article, the most common alternative to Revoke.Cash is the use of network scanning tools like Etherscan or Polygonscan. Similar features are also provided by some wallet applications, for example, MetaMask.
What To Keep in Mind While Revoking Approvals
Although revoking approvals, particularly through a dedicated app like Revoke Cash, appears pretty straightforward, there are several points that may be quite confusing.
For instance, you should note that revoking multiple approvals at the same time is technically not possible, as each approval requires its own transaction to be revoked.
Another point to keep in mind is that revoking relies on the same function that is used for granting approvals. In the case of a revocation, the approval is set to 0 for ERC20 tokens and "false" for NFTs.
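The two points above, shown as an added example that is not part of the original article and is not Revoke.Cash or Etherscan code: it builds the calldata for an ERC-20 revoke (approve with amount 0) and an NFT revoke (setApprovalForAll with false), and derives the list of still-active ERC-20 approvals from Approval event logs, one revoke transaction per approval. The addresses and log entries are constructed sample data, and all function names are hypothetical.

```python
# Added example with constructed data; not Revoke.Cash or Etherscan code.
# Well-known ABI constants: keccak256("Approval(address,address,uint256)") and selectors.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1                    # the usual "unlimited" amount

def _word(value):
    """ABI-encode an unsigned integer as one 32-byte word (hex, no 0x)."""
    return f"{value:064x}"

def _addr_word(address):
    """ABI-encode a 20-byte address as a left-padded 32-byte word."""
    raw = address.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    if len(raw) != 40 or any(c not in "0123456789abcdef" for c in raw):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return raw.rjust(64, "0")

def erc20_revoke_calldata(spender):
    """approve(spender, 0): the same call as approving, with amount 0."""
    return "0x" + APPROVE_SELECTOR + _addr_word(spender) + _word(0)

def nft_revoke_calldata(operator):
    """setApprovalForAll(operator, false): bool false encodes as 0."""
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + _addr_word(operator) + _word(0)

def active_allowances(logs, owner):
    """Latest non-zero ERC-20 allowance per (token, spender) for `owner`."""
    # Logs only record approve() calls, so an amount may be stale after spending;
    # an allowance(owner, spender) call on the token is the authoritative value.
    latest = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        # ERC-721 Approval has the same topic0 but indexes tokenId (4 topics).
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if "0x" + topics[1][-40:].lower() != owner.lower():
            continue
        key = (log["address"].lower(), "0x" + topics[2][-40:].lower())
        latest[key] = int(log["data"], 16)  # a later approve() overwrites
    return {k: v for k, v in latest.items() if v > 0}

def revoke_plan(logs, owner):
    """One revoke transaction per active approval, unlimited ones first."""
    rows = [{"to": token, "spender": spender, "unlimited": amount == MAX_UINT256,
             "data": erc20_revoke_calldata(spender)}
            for (token, spender), amount in active_allowances(logs, owner).items()]
    return sorted(rows, key=lambda r: (not r["unlimited"], r["to"], r["spender"]))

# --- constructed sample data (eth_getLogs-shaped entries, fake addresses) ---
OWNER, OTHER = "0x" + "aa" * 20, "0x" + "dd" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
SPENDER_X, SPENDER_Y = "0x" + "bb" * 20, "0x" + "cc" * 20

def _sample_log(token, owner, spender, amount, block, extra_topics=()):
    return {"address": token, "blockNumber": hex(block), "logIndex": "0x0",
            "topics": [APPROVAL_TOPIC, "0x" + _addr_word(owner),
                       "0x" + _addr_word(spender), *extra_topics],
            "data": "0x" + _word(amount)}

SAMPLE_LOGS = [
    _sample_log(TOKEN_A, OWNER, SPENDER_Y, 0, 105),            # Y revoked later
    _sample_log(TOKEN_B, OWNER, SPENDER_X, 1000, 102),
    _sample_log(TOKEN_A, OWNER, SPENDER_X, MAX_UINT256, 100),  # unlimited
    _sample_log(TOKEN_A, OWNER, SPENDER_Y, 500, 101),
    _sample_log(TOKEN_A, OTHER, SPENDER_X, 9, 103),            # someone else
    _sample_log(TOKEN_B, OWNER, SPENDER_Y, 7, 104, ("0x" + _word(7),)),  # ERC-721 shape
]

if __name__ == "__main__":
    for row in revoke_plan(SAMPLE_LOGS, OWNER):
        print(row["to"], "unlimited" if row["unlimited"] else "limited", row["data"])
```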
Furthermore, many users are worried about revoking approvals when their tokens are deposited or staked. According to the team behind Revoke Cash, revoking approvals will not affect your coins in any way.
"These tokens will stay deposited and you will still be able to withdraw them," Revoke.Cash explains. Yet, for adding more tokens to your deposit, a new approval will be required.
Pay attention to the fact that Revoke.Cash as well as its alternatives are used only as a preventative measure that can help you avoid malicious or compromised contracts accessing your assets. Unfortunately, once the funds are lost due to the abuse of approvals, Revoke Cash cannot support you with their recovery.
Such tools will also not help you if you notice that assets in your wallet are getting stolen as soon as you deposit them even though you have revoked your approvals. Revoke.Cash explains that such exploits are caused by sweeper bots affecting your account, which often happens when the seed phrase is compromised. At press time, the only way to save your funds in such a case was by abandoning the compromised account and creating a new one.
Token Approval Best Practices
Revoking permissions is undeniably one of the best practices for token approvals. As previously stated, whether you have become a victim of theft or you are suspecting malicious activity, it is necessary to revoke your approvals as soon as possible.
Proper wallet hygiene, which means revoking approvals whenever they are not needed even in the case of legitimate projects that have not been compromised, is also a sensible approach.
Keep in mind that wallet disconnection is not enough. As Revoke Cash explains, "Disconnecting your wallet (e.g., MetaMask) does not do anything to protect you from approval exploits - or most other exploits," as the only thing that you will achieve in this way is not letting the website see your wallet, whereas the approvals will still be active.
To protect your funds from theft, it is paramount to exercise vigilance while granting approvals. Remember that malicious actors will not get access to your tokens if you yourself do not grant them access. For that reason, it is highly recommended to do thorough research before granting approvals, particularly in the case of new and less-known projects.
As noted earlier, many reputable services request unlimited approvals by default, which makes cryptocurrency users quite accustomed to such requirements. Consequently, they are more likely to grant unlimited approvals in situations when this is unnecessary and even dangerous.
Assessing the real need for approvals in each situation will add extra protection to your funds.
Hardware wallets are commonly regarded as a much safer alternative to browser-based or mobile wallets as they provide secure storage of keys within a separate device. If the owner of this device does not expose the keys themselves, attackers will have to get proper access to the device to steal the keys.
Yet, the vulnerability stemming from token approvals exists on a different level. If approvals are granted, there is no need to steal keys in the first place. For that reason, revoking approvals is a crucial practice even for those who rely on hardware wallets.
As discussed earlier in this article, staked and deposited tokens will not be affected by revoking approvals; however, this does not hold in all scenarios. Some use cases require active approvals: for example, revoking approvals on OpenSea may deactivate your listings.
Bottom Line
Revoking permissions, particularly after phishing attacks or suspicious activities, significantly reduces the likelihood of asset theft and enhances overall security. It also allows for greater control over one's funds and ensures dynamic management of permissions based on individual preferences and needs.
Tools like Revoke Cash provide valuable assistance in managing privileges for manipulating tokens, offering users a user-friendly interface and comprehensive coverage for various blockchain networks. Despite some concerns raised by scam detection tools, the reputation and popularity of Revoke Cash within the cryptocurrency community speak to its legitimacy and effectiveness in enhancing security practices.
Frequently Asked Questions
What are token approvals in the context of DeFi, and why are they necessary?
Token approvals, also known as permissions or allowances, are authorizations that allow smart contracts to interact with a user's tokens on a blockchain. In decentralized finance (DeFi), these approvals enable platforms to perform essential activities such as token transfers, trading, lending, and other financial operations. Without granting permissions, smart contracts cannot access or move tokens, limiting their functionality. Approvals facilitate seamless user interactions and automate complex financial tasks within DeFi ecosystems.
Why should I revoke token approvals, and how does it enhance security?
Revoking token approvals is a crucial practice for protecting your digital assets from potential misuse. Even after permissions are granted to reputable platforms, vulnerabilities or phishing scams may still compromise your tokens. By revoking unnecessary approvals, you reduce the risk of malicious actors exploiting these permissions to steal your assets. This is especially important if you suspect a contract might be compromised or after falling victim to a phishing scam, as timely revocation can prevent further unauthorized access.
What is Revoke.Cash, and how does it help manage token approvals?
Revoke.Cash is a popular tool for managing token approvals across various blockchain networks. It allows users to view active token permissions and easily revoke them, providing a user-friendly interface that simplifies the process. By using Revoke.Cash, you can quickly identify approvals that are no longer needed and reduce the risk of asset theft. The platform also supports a wide range of networks, offering extensive coverage for DeFi users to enhance their security practices.