Wallet token approvals — most people have no idea they’ve created dozens of them. If you’ve ever connected your crypto wallet to a website to swap tokens, mint an NFT, or try a new DeFi app, you’ve granted wallet token approvals. You probably clicked “Approve” on a pop-up without reading it too carefully.
You’re not alone. Almost everyone does it.
But here’s the thing: some of those approvals are still active right now, and they give those apps permission to move your tokens whenever they want — no additional confirmation needed.
Today, we’re going to look at the five most dangerous types of wallet token approvals, how to check what you’ve already approved, and how to revoke anything that looks risky. It takes about five minutes.
First: What Is a “Token Approval”?
When you use a decentralized app (a “dApp” — basically a website that connects to a blockchain), it often needs permission to move tokens on your behalf. For example, if you want to swap ETH for USDC on Uniswap, Uniswap needs your permission to take the ETH from your wallet.
That permission is called a token approval — or more precisely, a wallet token approval. You grant it by signing a transaction, and it stays active until you explicitly revoke it.
Think of it like giving a valet your car keys. They can move your car whenever they want — not just the one time you handed over the keys.
The 5 Wallet Token Approvals That Should Worry You
1. Unlimited Token Approvals
What it is: When a dApp asks to spend an “unlimited” amount of a specific token. Instead of asking for permission to spend just the 100 USDC you’re swapping right now, it asks for permission to spend all the USDC you’ll ever hold in that wallet.
Why it’s dangerous: If that dApp gets hacked (or was malicious from the start), the attacker can drain every last token of that type from your wallet. Not just what you had when you approved — everything you receive in the future, too.
How common is it: Extremely. Most dApps request unlimited approvals by default because it saves you gas fees (transaction costs) on future interactions. Uniswap, Aave, OpenSea — they all do it.
What to do: When approving, look for a “custom amount” option in your wallet and set it to only what you need for this transaction. Yes, you’ll need to approve again next time. That’s the point.
2. Approvals to Unverified or Sketchy Contracts
What it is: A wallet token approval granted to a smart contract (a program on the blockchain) that you found through a random link, a Discord message, or a too-good-to-be-true airdrop.
Why it’s dangerous: Scammers create fake dApps specifically to collect approvals. Once you approve, they drain your wallet. The dApp might look like a legitimate swap platform or NFT marketplace, but the contract behind it is designed to steal.
Red flags:
- You found it through a DM or unsolicited link
- The site is a slight misspelling of a known platform (“Uniswep” instead of “Uniswap”)
- It asks for approvals before you’ve done anything
- There’s no audit, no documentation, no community
What to do: Only interact with dApps you’ve navigated to directly (not through links in messages). Bookmark the real URLs of platforms you use regularly.
3. NFT Collection-Wide Approvals (“SetApprovalForAll”)
What it is: A single approval that gives a contract permission to transfer any and all NFTs from a specific collection in your wallet. If you list an NFT for sale on OpenSea, you grant this type of approval for that entire collection.
Why it’s dangerous: One approval = access to every NFT in that collection you own. If the marketplace contract is compromised, or if you granted this to a phishing site, they can transfer all of them at once.
What to do: This approval is sometimes necessary for legitimate marketplaces. But check periodically — if you’re no longer using a marketplace, revoke the approval. And never grant SetApprovalForAll to a site you don’t fully trust.
4. Permit/Permit2 Signatures (The “Gasless” Trap)
What it is: A newer approval method where you sign a message (which is free — no gas fee) instead of sending a transaction. Sounds convenient, right? The problem is that many people don’t realize a “signature” can be just as powerful as a transaction.
Why it’s dangerous: Phishing sites love permit signatures because they don’t trigger the same mental alarm bells. You’re not spending gas, so it doesn’t feel like you’re doing anything permanent. But that signature can authorize someone to drain your tokens.
Extra tricky: Permit2, used by Uniswap and others, consolidates approvals into a single contract. If you’ve approved Permit2 for unlimited spending and then sign a malicious permit, the attacker inherits that unlimited access.
What to do: Read what you’re signing. If a site asks you to sign something and you’re not sure what it does, don’t sign it. Legitimate platforms will show you clear, readable information about what you’re approving.
5. Stale Approvals to Abandoned Projects
What it is: Approvals you granted months or years ago to projects that have since shut down, been abandoned, or stopped getting security updates.
Why it’s dangerous: Even if the team behind a project was honest, abandoned smart contracts are a target for hackers. If someone finds a vulnerability in a contract you approved long ago, they can exploit it to drain your tokens — and you won’t even remember granting access.
What to do: Treat approvals like subscriptions. Review them regularly and cancel the ones you’re not using.
How to Check and Revoke Your Wallet Token Approvals (5-Minute Walkthrough)
Here’s the good news: checking and revoking wallet token approvals is straightforward. The best tool for this is Revoke.cash — a free, open-source website that shows you every active approval for your wallet.
Step 1: Go to Revoke.cash
Visit revoke.cash in your browser. (Type it directly — don’t click links from messages.)
Step 2: Connect Your Wallet
Click “Connect Wallet” and select your wallet (MetaMask, Coinbase Wallet, etc.). This is a read-only connection at first — Revoke.cash just needs to see your address to look up your approvals.
Step 3: Review Your Approvals
You’ll see a list of every token approval you’ve ever granted, including:
- Which token you approved
- Which contract has the approval
- How much they’re allowed to spend (often “Unlimited”)
- When you granted it
Sort by “Value at Risk” to see which approvals could cost you the most if exploited.
Step 4: Revoke Anything Suspicious
For each approval you want to remove, click “Revoke.” This sends a small transaction (you’ll pay a small gas fee) that cancels the permission.
Priority revocations:
- Anything with “Unlimited” spending that you don’t actively use
- Approvals to contracts you don’t recognize
- Approvals older than 6 months to projects you no longer use
- Any SetApprovalForAll grants to platforms you don’t actively use
Step 5: Make This a Habit
Set a reminder to check Revoke.cash once a month. It takes five minutes and can save you everything in your wallet.
The Bottom Line on Wallet Token Approvals
Wallet token approvals are one of crypto’s biggest blind spots. You can have a hardware wallet, a strong seed phrase backup, and perfect security hygiene — and still lose everything because you approved the wrong contract two years ago.
The fix is simple: go to Revoke.cash today, review your approvals, and revoke anything you don’t need.
Five minutes. That’s all it takes.
Want a complete checklist for setting up your wallet securely from scratch? Download Wallet Security: Your Complete Setup Guide — a free resource covering seed phrase storage, hardware wallets, and everything in between.
— David