Everything You Need to Know about Revoking Approvals and Revoke.Cash

Read this comprehensive guide on token approvals to learn how to utilize the Revoke Cash extension and explore alternative methods for revoking approvals.

The Revoke Etherscan feature can serve as an alternative to the Revoke.cash extension for revoking token approvals

Granting approvals is a necessary aspect of working with many DeFi services, as they require permissions to enable smart contracts that power interactions such as token transfers, trading, lending, borrowing, and various other fund manipulation activities on behalf of token owners.

Unfortunately, even when granting permissions to legitimate projects, a potential for permission abuse still exists. The majority of phishing scams in the cryptocurrency space are fueled by users unwittingly permitting criminals to utilize their digital funds.


A regular procedure for revoking permissions granted to reputable platforms significantly reduces the probability of asset theft. It is an absolute necessity after phishing attacks when permissions have already been abused. Read this article to learn more details about revoking permissions and Revoke Cash, one of the most popular tools used to revoke access to digital assets.

What permissions can be granted in the context of digital assets?

As explained above, token approvals, also known as permissions and allowances, enable smart contracts to perform many common types of interactions with cryptocurrencies, including delegation of financial transfers to certain smart contracts. This also facilitates the automation of activities executed according to predefined algorithms, such as pooling or swapping. Certain yield farming strategies may also require permissions for automated fund movements to maximize returns.

In addition to automation, permissions are a part of the token allowance mechanism utilized by many token standards, including ERC-20, which enables users to interact with multiple contracts seamlessly, as transfers of a specific amount of tokens below a predefined limit can be conducted without granting separate approvals.

Evolution and confusion in token approval mechanisms

Over time, token approval mechanisms have evolved to enhance user experience, reduce costs, and bolster security.

The traditional approve() function defined in the ERC20 token standard, while functional, posed challenges such as gas fees, repeated authorizations, and security concerns, which led to the development of a more effective solution.

EIP-2612 introduced Permit signatures, enabling gasless approvals and improving user experience. Subsequently, these signatures evolved into Permit2, developed by the Uniswap team. In addition to universal gasless approvals, Permit2 supports automatic expiration, streamlining the integration process with various platforms and enhancing security.

However, according to crypto influencers, including Miko Ohtamaa, a co-founder of Trading Protocol, this evolution has led to the development of several incompatible mechanisms. In a thread on phishing attacks, Ohtamaa pointed out that all of these approaches "use a custom signature or approval scheme, which is not user-readable and does not clearly state what assets it is transferring," despite helping users save money on gas fees and facilitating the work of developers and smart contract auditors.

Ohtamaa believes the current security improvements are insufficient while "services like Uniswap and OpenSea mislead users to give infinite approvals and sign anything."

The functionality allowing users to grant allowances for various purposes is also a part of the security mechanism. After all, without permissions, tokens are inaccessible to unauthorized parties by default. However, many applications request unlimited access to tokens, which affects the general vigilance even of experienced crypto users.

Meanwhile, the general complexity of smart contracts, as opposed to the clear nature of traditional banking transfers, combined with the rapid evolution of the technology, creates an educational gap. Coupled with requests for unlimited access, these factors deepen the confusion among cryptocurrency users and create a breeding ground for scammers to capitalize on them.

How did I get scammed
Source: Revoke.cash

What does the word revoke mean in the crypto space?

In the crypto community, the term "revoke" is typically associated with the process of revoking token allowances. In other words, allowances get the status of revoked when you officially cancel the permissions granted to a platform to access your tokens.

In practice, there are several methods to get your allowances revoked, some of which may require varying levels of technical skill. Dedicated platforms like Revoke.cash are designed to provide users with an easy way to manage their token allowances across different projects, while some platforms like MetaMask offer features allowing users to directly review and revoke their allowances on selected networks, often including Ethereum.

Revoking token approvals is also possible through network explorers such as Etherscan or Polygonscan. Although less user-friendly, this method is based on the same rules as Revoke.cash and is also a reliable way to avoid the abuse of token approvals.

How to revoke approvals with Etherscan?

In the case of Etherscan, you need to go to the Token Approvals page accessible through the More menu located in the top navigation bar of the interface. There, you enter the address of your wallet and select the type of token you would like to check the approvals for, choosing from ERC20, ERC721, or ERC1155.

This generates a list of tokens with their approvals, where you will also see the Revoke button allowing you to cancel the granted permissions associated with the selected token.

The process of revoking token approvals through other network scanners is quite similar.

Revoking approvals with a new approval transaction

A more advanced process to get permissions revoked involves sending a new approval transaction, which includes the same token details such as a token address, spender address, and amount. The original approval should have the same nonce, which is a unique identifier for each transaction.

This causes the blockchain to consider your new transaction as an update to the existing transaction.

Why is it necessary to revoke access to your funds?

Now that you understand the meaning of "revoke" in the context of cryptocurrency, let's delve into the importance of revoking approvals in detail.

Risk management and enhanced security

As mentioned earlier, the primary reason to revoke crypto approvals is to protect your assets.

If you have just fallen victim to a phishing scam and lost your funds, it is essential to revoke approvals immediately. As you will learn from the real-life scenarios described further in the article, being scammed multiple times is a real possibility, and it is necessary to protect your funds from unauthorized transactions, even if it may seem too late. If you fail to get your approvals revoked, malicious actors will still have the privilege of accessing your assets.

Naturally, if the theft has not yet occurred but you suspect the contract might be compromised, revoking approvals can indeed safeguard your funds.


Unfortunately, while it is rather difficult to identify phishing attempts, cryptocurrency users tend to have even lower vigilance when dealing with legitimate projects. However, even well-audited contracts can still have vulnerabilities that can be abused by hackers or even the project’s deployers themselves. For that reason, it is good practice to annul access to your assets whenever it is not required and grant it again if there is such a necessity.

Greater control over your funds

Revoking unnecessary approvals, even those granted to legitimate services, brings another advantage: enhanced control over your funds.

Dynamic changes in permissions based on current financial needs and personal preferences limit excessive control over your assets by third parties.

Increased privacy

While this advantage of having approvals revoked may seem less important to many cryptocurrency users who are not particularly concerned about their privacy, this point is critical for those seeking financial anonymity.

By granting approvals, users may expose their token balance and transaction history to the contract that is now allowed to manipulate funds on the owner’s behalf. In turn, when you revoke access to your assets, you also limit the visibility of your token holdings.

Real-life scenarios: victims of multiple phishing scams

As mentioned earlier, it is imperative to immediately revoke permissions after a theft of assets. Unfortunately, the cryptocurrency community has witnessed multiple situations where victims were unaware of the importance of revoking consent to manipulate funds, leading to further thefts.

One notable incident of a victim losing funds several times because the approvals were not revoked took place in January. According to the team behind the anti-scam solution Scam Sniffer, the victim did not take any steps to withdraw approvals after a significant loss of 1576 ETH worth over $3.504 million at press time, which allowed the drainer to act further and steal another 98 ETH worth more than $343,000 and 158 ETH worth almost $554,000, respectively.

According to ScamSniffer, by signing a phishing approval, the victim lost the first portion of funds, leading to "the liquidation of their collateral by a bot" and a subsequent increase in ETH. ScamSniffer estimated that there still was a 10% risk of theft from the existing balance since the malicious approval was not revoked soon enough.

Despite the multiple warnings sent by cybersecurity experts and on-chain researchers ZachXBT, Samczsun, SunSec, h3idilao, and the teams behind Etherscan and SlowMist, the victim still did not revoke approval for a long time.

"The drainer eventually discovered this situation and transferred 95 ETH that could be transferred," ScamSniffer stated in its report, adding that "This operation also led to subsequent liquidation, resulting in another 158 ETH being stolen once again," which "could have been prevented by timely revocation of approval after being stolen."

According to ScamSniffer, the wallet participating in this crypto theft had already stolen approximately $100 million between April 2023 and January 2024.

A more recent case of a victim who suffered multiple thefts because the approvals were not revoked was highlighted by SomaXBT, a Web3 fraud researcher. According to SomaXBT, it was already the second time the NFT holder lost the same BAYC, and the researcher attributed this theft to the phishing toolkit Pink Drainer. When the collectible was stolen for the first time, the loot also included two other ape NFTs.

SomaXBT explained that the victim was able to recover their NFT as the fraud researcher found it on the OpenSea marketplace unflagged, purchased it through the service, and returned it to the owner.

Networks supported by Revoke.cash
Source: Revoke.cash

Revoke access to your crypto with the Revoke Cash extension

As mentioned earlier, some platforms, such as MetaMask, support direct token approval revoking. However, Revoke.cash offers particularly extensive coverage for numerous networks. According to the official website of Revoke Cash, it can assist in token approval management on over sixty networks. At the time of publication, the extensive list of supported networks included not only such popular mainnets as Ethereum, Polygon, Arbitrum, Avalanche, Base, Optimism, Fantom, and Blast but also numerous testnets including Scroll Sepolia, Horizon Gobi, Berachain, Celo Alfajores, and many others.

This functionality is provided by Revoke.cash Token Approval Checker. However, this is not the only Revoke Cash product that can help cryptocurrency users.

The Revoke.cash extension, another application offered by the Revoke team, "helps you prevent signing malicious approvals" as it "pops up whenever you are about to sign an approval and will inform you of the approval details."

Furthermore, the Revoke.cash extension aims to protect its users from a scam that deceives owners of NFTs into signing gasless signatures provided on phishing websites, which in turn facilitates the theft of digital collectibles.

The Revoke team claims its browser extension "works with every EVM-based network including Ethereum, Polygon, and Avalanche" while the tool does not disrupt interactions with the official websites of popular platforms such as OpenSea, Blur, LooksRare, X2Y2, and Uniswap.

On top of that, Revoke Cash makes it possible for its users to check whether their wallets are affected by exploits with the Exploit Checker feature available on the Approval Hacks and Exploits page.

Here, users can find a list containing dozens of incidents dating back to June 18, 2020, when the Bancor whitehat hack took place. Back then, the cybersecurity team 1inch discovered a vulnerability in the Bancor decentralized financial system. Although the 1inch specialists managed to rescue $400,000, nearly $135,000 were taken by automated front-running bots.

At press time, the most recent event on the list was the Seneca hack, which happened on February 28. Fortunately for its users, 80% of the $6.4 million stolen amount was returned to the protocol by the hacker in exchange for a bug bounty reward.

For all of the incidents on Revoke’s list, users can check whether their addresses were affected. For more convenience, Revoke.cash also lists all networks affected by a certain hack, while the exploit checker can assess addresses across all of these chains.

Is Revoke Cash legit?

Revoke.cash is one of the most popular solutions utilized by cryptocurrency users for token approval management and is commonly recommended by cybersecurity teams. The project was founded in 2019 by software engineer Rosco Kalis. According to the tech-focused media blog Tokenizedhq, the source code of the platform is public, and the solution is currently considered "a standard approach for revoking token approvals."

Surprisingly, Scamadviser, a tool designed to identify fraudulent websites, gave Revoke.cash a rather low score, only seventeen out of one hundred points. Scamadviser also cites the score Revoke Cash gained from the Gridinsoft anti-malware tool, which reportedly "flagged the website as potentially malicious."

Scamadviser recommends staying vigilant while interacting with the Revoke.cash website as "it has a strong indicator of being a scam."

However, Scamadviser also warns that despite receiving a low score during the scam assessment, which is based on "forty different elements like who owns the website, are the contact details hidden, where is the website hosted, what is the technology being used, and much more," the website may still be safe to use.

Indeed, the summary of the negative highlights revealed by Scamadviser includes two major points. Firstly, the scam-detecting tool has noticed that the identity of Revoke Cash’s owner is hidden through a paid service. Secondly, Scamadviser also adds additional risk points to Revoke.cash merely based on the fact that the website is associated with cryptocurrency services, which themselves "can be high risk."

At the same time, Scamadviser provides a long list of positive highlights about Revoke Cash, including its safety confirmed by such platforms as DNSFilter, Flashstart, Multiverse, and Trend Micro. In addition, Scamadviser emphasizes that the SSL certificate of the website is valid, the service is receiving a lot of traffic, and it also has a long presence online.

Revoke.cash Exploit Checker
Source: Revoke.cash

Is Revoke Cash Safe?

Based on the results of the Scamadviser assessment of Revoke.cash, coupled with the popularity and reputation of this tool, it may be safe to assume that the low score of the platform is mainly the result of its relation to cryptocurrency services, which Scamadviser views as high risk in themselves.

The use of Revoke Cash involves connecting your wallet to this service, as you will learn in the following parts of this article. This integration can expose the funds to certain risks, primarily related to wallet security, regardless of the reputability of the platform. Although there were no reports of related issues at press time, you should do your own research.

Furthermore, it is also necessary to stay vigilant while using Revoke.cash, as the popularity of Web3 projects often makes them lucrative for phishing scammers to impersonate. Double-check whether you are indeed going to use a legitimate Revoke Cash website or you have come across a malicious service impersonating the popular tool.

How to use Revoke Cash?

Firstly, you need to connect your wallet by clicking on the "Connect Wallet" button located at the top right corner of the interface. Alternatively, you can manually enter your wallet address in the provided search bar.

Once the wallet is connected, you gain access to a suite of tools assisting token approval management. The Revoke.cash website recommends starting with inspecting current approvals. For your convenience, you can narrow your search by selecting the networks you need and using a range of sorting options, for instance, to order the approvals from the newest updates to the oldest updates. You can also apply filters to facilitate the search. "Approved Amount: Unlimited" is one of the options you can choose.

The Revoke Cash interface will show you the asset that can be accessed due to the active approval, its type, the approved amount, the authorized spender, as well as the date of the last update.

Finally, when you identify approvals that are no longer necessary or relevant, you can easily revoke them by pressing the "Revoke" button located next to each of the assets on the list.

How much does it cost to use Revoke.Cash?

Revoke Cash is a completely free service. However, revoking an approval itself requires a gas fee as it is handled as a blockchain transaction. It is not possible to name a specific price as gas fees fluctuate depending on various factors.

Revoke Cash alternative options

If you search for Revoke.cash alternatives, you are likely to come across numerous tools. However, although they are mostly related to Web3 security, their functionality differs significantly from what Revoke Cash offers to its users.

As mentioned earlier in this article, the most common alternative to Revoke.cash is the use of network scanning tools like Etherscan or Polygonscan. Similar features are also provided by some wallet applications, for example, MetaMask.

What to keep in mind while revoking approvals

Although revoking approvals, particularly through a dedicated app like Revoke Cash, appears pretty straightforward, there are several points that may be quite confusing.

For instance, you should note that revoking multiple approvals at the same time is technically not possible, as each approval requires its own transaction to be revoked.

Another point to keep in mind is that revoking relies on the same function that is used for granting approvals; when revoking, the approval is set to 0 for ERC20 tokens and "false" for NFTs.
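The approval list described in the "How to use Revoke Cash?" section and the revoke step described above can be sketched as follows. This is an added example, not code from Revoke.cash or from the original article: it replays ERC-20 Approval and NFT ApprovalForAll event logs to find approvals that are still active, then builds one revoke transaction per approval. The function names, addresses and log entries are constructed for illustration, and treating the maximum uint256 value as "unlimited" is an assumption.

```javascript
// Added example. All addresses and log entries below are constructed.
// Event topic0 values (keccak256 of the signature) and 4-byte function selectors:
const APPROVAL_TOPIC =          // Approval(address,address,uint256)
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const APPROVAL_FOR_ALL_TOPIC =  // ApprovalForAll(address,address,bool)
  "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31";
const SEL_APPROVE = "095ea7b3";              // approve(address,uint256)
const SEL_SET_APPROVAL_FOR_ALL = "a22cb465"; // setApprovalForAll(address,bool)
const MAX_UINT256 = (1n << 256n) - 1n;       // assumed to mean "unlimited"

// Left-pad a hex value to one 32-byte ABI word (no 0x prefix).
const word = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();

// Replay logs in chain order; the last event per (token, spender) wins.
// Caveat: allowance already spent via transferFrom may not show up in events,
// so a live checker would confirm each entry with an allowance() call.
function outstandingApprovals(logs, owner) {
  const live = new Map();
  for (const log of logs) {
    // ERC-20 Approval and ApprovalForAll both carry 3 topics; the 4-topic
    // ERC-721 per-token Approval is out of scope here and skipped.
    if (log.topics.length !== 3) continue;
    const [topic0, ownerTopic, spenderTopic] = log.topics;
    if (topicToAddress(ownerTopic) !== owner.toLowerCase()) continue;
    let kind;
    if (topic0 === APPROVAL_TOPIC) kind = "erc20";
    else if (topic0 === APPROVAL_FOR_ALL_TOPIC) kind = "nft-all";
    else continue;
    const token = log.address.toLowerCase();
    const spender = topicToAddress(spenderTopic);
    const amount = BigInt(log.data); // uint256 amount, or 0/1 for the bool
    const key = `${kind}|${token}|${spender}`;
    if (amount === 0n) live.delete(key); // 0 / false: already revoked
    else live.set(key, { kind, token, spender, amount,
      unlimited: kind === "erc20" && amount === MAX_UINT256 });
  }
  return [...live.values()];
}

// Revoking calls the same function that granted the approval, with 0 (ERC-20)
// or false (NFT operator). Each approval needs its own transaction.
function revokeTx(approval) {
  const selector = approval.kind === "erc20" ? SEL_APPROVE : SEL_SET_APPROVAL_FOR_ALL;
  return { to: approval.token, data: "0x" + selector + word(approval.spender) + word("0") };
}

// Constructed sample data: placeholder addresses, not real contracts.
const OWNER = "0x" + "a".repeat(40);
const OTHER = "0x" + "b".repeat(40);
const TOKEN = "0x" + "1".repeat(40);
const NFT = "0x" + "4".repeat(40);
const SPENDER_A = "0x" + "2".repeat(40);
const SPENDER_B = "0x" + "3".repeat(40);
const mkLog = (address, topic0, from, spender, value) => ({
  address, topics: [topic0, "0x" + word(from), "0x" + word(spender)],
  data: "0x" + word(value.toString(16)),
});
const SAMPLE_LOGS = [
  mkLog(TOKEN, APPROVAL_TOPIC, OWNER, SPENDER_A, MAX_UINT256), // unlimited, still active
  mkLog(TOKEN, APPROVAL_TOPIC, OWNER, SPENDER_B, 500n),        // limited ...
  mkLog(TOKEN, APPROVAL_TOPIC, OWNER, SPENDER_B, 0n),          // ... later revoked
  mkLog(NFT, APPROVAL_FOR_ALL_TOPIC, OWNER, SPENDER_A, 1n),    // operator approval
  mkLog(TOKEN, APPROVAL_TOPIC, OTHER, SPENDER_A, MAX_UINT256), // someone else's wallet
];

for (const a of outstandingApprovals(SAMPLE_LOGS, OWNER)) {
  console.log(a.kind, a.token, a.spender,
    a.unlimited ? "unlimited" : a.amount.toString(), revokeTx(a).data);
}
```

Of the five constructed events, only two approvals remain active for the owner, so two separate revoke transactions are produced.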

Furthermore, many users are worried about revoking approvals when their tokens are deposited or staked. According to the team behind Revoke Cash, revoking approvals will not affect your coins in any way.

"These tokens will stay deposited and you will still be able to withdraw them," Revoke.cash explains. Yet, for adding more tokens to your deposit, a new approval will be required.


When revoking approvals will not help

Pay attention to the fact that Revoke.cash as well as its alternatives are used only as a preventative measure that can help you avoid malicious or compromised contracts accessing your assets. Unfortunately, once the funds are lost due to the abuse of approvals, Revoke Cash cannot support you with their recovery.

Such tools will also not help you if you notice that assets in your wallet are getting stolen as soon as you deposit them even though you have revoked your approvals. Revoke.cash explains that such exploits are caused by sweeper bots affecting your account, which often happens when the seed phrase is compromised. At press time, the only way to save your funds in such a case was by abandoning the compromised account and creating a new one.

Token approval best practices

Revoking permissions is undeniably one of the best practices for token approvals. As previously stated, whether you have become a victim of theft or you are suspecting malicious activity, it is necessary to revoke your approvals as soon as possible.

Proper wallet hygiene, which means revoking approvals whenever they are not needed even in the case of legitimate projects that have not been compromised, is also a sensible approach.

Keep in mind that wallet disconnection is not enough. As Revoke Cash explains, "Disconnecting your wallet (e.g., MetaMask) does not do anything to protect you from approval exploits - or most other exploits," as the only thing that you will achieve in this way is not letting the website see your wallet, whereas the approvals will still be active.

Watch out for scams

To protect your funds from theft, it is paramount to exercise vigilance while granting approvals. Remember that malicious actors will not get access to your tokens if you yourself do not grant them access. For that reason, it is highly recommended to do thorough research before granting approvals, particularly in the case of new and less-known projects.

Refrain from granting approvals if possible

As earlier noted, many reputable services request unlimited approvals by default, which makes cryptocurrency users quite accustomed to such requirements. Subsequently, they are more likely to grant unlimited approvals in situations when this is unnecessary and even dangerous.

Assessing the real need for approvals in each situation will add extra protection to your funds.

Take extra care of approval management in the case of hardware wallets

Hardware wallets are commonly regarded as a much safer alternative to browser-based or mobile wallets as they provide secure storage of keys within a separate device. If the owner of this device does not expose the keys themselves, attackers will have to get proper access to the device to steal the keys.

Yet, the vulnerability stemming from token approvals exists on a different level. If approvals are granted, there is no need to steal keys in the first place. For that reason, revoking approvals is a crucial practice even for those who rely on hardware wallets.

Know which approvals you are revoking

As discussed earlier in this article, staked and deposited tokens will not be affected by revoking approvals; however, this does not hold in all scenarios. Some use cases require active approvals: for example, revoking approvals on OpenSea may deactivate your listings.

Bottom line

Revoking permissions, particularly after phishing attacks or suspicious activities, significantly reduces the likelihood of asset theft and enhances overall security. It also allows for greater control over one's funds and ensures dynamic management of permissions based on individual preferences and needs.

Tools like Revoke Cash provide valuable assistance in managing privileges for manipulating tokens, offering users a user-friendly interface and comprehensive coverage for various blockchain networks. Despite some concerns raised by scam detection tools, the reputation and popularity of Revoke Cash within the cryptocurrency community speak to its legitimacy and effectiveness in enhancing security practices.