
Advanced Smart Contract Approval Auditing: How to Review and Revoke Token Permissions Across Chains

The Ankr exploit of December 2022 and its detailed forensic analysis published in January 2023 serve as a stark reminder that your security in DeFi is only as strong as your least-secured token approval. With Bitcoin at $17,091 and Ethereum at $1,287 as January 2023 begins, the post-FTX environment demands a more sophisticated approach to managing smart contract permissions. This advanced tutorial walks experienced users through the process of auditing, monitoring, and revoking token approvals across multiple chains — a critical security practice that most DeFi users neglect until it is too late.

The Objective

By the end of this tutorial, you will have a complete inventory of every token approval you have granted across all major chains, understand the risk profile of each approval, and have a systematic process for maintaining minimal approval exposure going forward. This is not a theoretical exercise — the Ankr exploit demonstrated how compromised smart contracts can drain user funds through pre-existing approvals. Users who had granted unlimited approvals to Ankr contracts lost everything when those contracts were exploited. Regular approval auditing is the defense against this attack vector.

The objective is to achieve what security professionals call minimum viable permissions — granting only the approvals necessary for your current DeFi activities and revoking everything else. This principle, borrowed from enterprise security, dramatically reduces your attack surface without preventing you from participating in DeFi protocols.

Prerequisites

This tutorial assumes you are an experienced DeFi user comfortable with block explorers, wallet management, and basic smart contract concepts. You will need access to your non-custodial wallet (MetaMask, Trust Wallet, or similar), a web browser, and familiarity with at least two block explorers (Etherscan for Ethereum, BscScan for BSC, or Polygonscan for Polygon). You should understand the difference between ERC-20 approve functions and ERC-721/ERC-1155 setApprovalForAll functions, as these create different risk profiles.

You will also need access to approval management tools. Revoke.cash is the most comprehensive free tool, supporting Ethereum, BSC, Polygon, Avalanche, Arbitrum, Optimism, and several other chains. Etherscan’s built-in token approval checker provides similar functionality for Ethereum specifically. For programmatic monitoring, you will need basic familiarity with Etherscan’s API or The Graph protocol. A hardware wallet is strongly recommended for signing revocation transactions, as the revocation process itself involves interacting with smart contracts.

Step-by-Step Walkthrough

Step 1: Inventory your approvals across all chains. Begin by connecting your wallet to Revoke.cash and selecting each network where you have been active. The tool will display every token approval associated with your address, including the token contract, the spender contract, and the approval amount. Pay particular attention to unlimited approvals, which are displayed as very large numbers or infinity symbols. Record these in a spreadsheet or security journal for ongoing reference.

Step 2: Classify each approval by risk level. High-risk approvals include unlimited approvals to contracts you no longer use, approvals to contracts that have not been audited by reputable firms, and approvals on chains where you are not currently active. Medium-risk approvals include limited-amount approvals to active protocols and approvals to recently audited contracts. Low-risk approvals include approvals to well-established protocols like Uniswap or Aave where you are actively providing liquidity or borrowing.

Step 3: Revoke all high-risk approvals immediately. On Revoke.cash, click the revoke button next to each high-risk approval. Your wallet will prompt you to sign a transaction — this is a standard ERC-20 approve transaction setting the allowance to zero. Verify the gas fee before confirming. For users with many approvals, consider batching revocations during periods of low gas prices. On Ethereum, gas fees below 20 gwei make revocation cost-effective. On L2 networks like Arbitrum and Optimism, gas costs are negligible.

Step 4: Replace unlimited approvals with exact-amount approvals. For protocols you still use actively, revoke the unlimited approval and re-approve only the exact amount needed for your next transaction. Many DeFi interfaces now offer this option in their settings. Uniswap, for example, allows you to choose between unlimited approval and exact approval in the swap confirmation screen. Always choose exact approval unless you are making frequent trades on the same pair, where the gas savings of unlimited approval justify the additional risk.

Step 5: Set up ongoing monitoring. Create a recurring calendar reminder to audit your approvals at least monthly. For high-value accounts, consider using Etherscan’s API to build a simple monitoring script that alerts you when new approvals are created. The API endpoint for checking token allowances is straightforward and well-documented. Alternatively, several paid services offer real-time approval monitoring with alert capabilities.

Step 6: Document your approval policy. Create a written policy for how you manage token approvals going forward. This should include rules such as never granting unlimited approvals to unaudited contracts, revoking approvals within 24 hours of completing a DeFi transaction, and conducting monthly approval audits. Having a formalized policy transforms approval management from an ad-hoc activity into a consistent security practice.
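The six steps above can be scripted against raw ERC-20 `Approval` event logs, which is what Etherscan's logs API or a node's `eth_getLogs` returns. The following is an added example written for this article, not code from the article, Revoke.cash or Etherscan: it folds constructed sample logs into a live allowance inventory (Step 1), applies the article's risk tiers (Step 2), produces the ABI-encoded `approve(spender, 0)` calldata that a revocation transaction sends (Step 3, and the same call the block explorer's write tab issues in the manual route), and diffs two inventories to flag new or grown approvals for a monitoring run (Step 5). All addresses, log entries, the `ROUTER`/`OLD_FARM`/`TMP` names and the policy sets are constructed; the `UNLIMITED_THRESHOLD` of 2^128 is an assumed heuristic, and the `chain` field is a label attached to each log by whoever fetched it, since the log itself does not carry one.

```python
# Added example (not from the article): an offline audit helper over raw ERC-20
# Approval event logs (the shape returned by eth_getLogs / Etherscan's logs API).
# All addresses and logs below are constructed for illustration.
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"     # 4-byte selector of approve(address,uint256)
UINT256_MAX = 2**256 - 1
UNLIMITED_THRESHOLD = 2**128      # assumption: anything this large is "unlimited" in practice


@dataclass(frozen=True)
class Allowance:
    chain: str
    token: str
    spender: str
    value: int

    @property
    def unlimited(self) -> bool:
        return self.value >= UNLIMITED_THRESHOLD


def current_allowances(owner: str, logs: list) -> dict:
    """Step 1: fold Approval logs into the live allowance per (chain, token, spender).
    Each Approval event carries the *new* allowance, so the latest event wins and
    a final value of zero means the approval was revoked."""
    owner = owner.lower()
    live = {}
    for log in sorted(logs, key=lambda l: (l["chain"], l["blockNumber"], l["logIndex"])):
        topics = [t.lower() for t in log["topics"]]
        if topics[0] != APPROVAL_TOPIC or "0x" + topics[1][-40:] != owner:
            continue                           # not an Approval, or granted by someone else
        spender = "0x" + topics[2][-40:]       # indexed address args are left-padded to 32 bytes
        key = (log["chain"], log["address"].lower(), spender)
        live[key] = Allowance(*key, int(log["data"], 16))
    return {k: a for k, a in live.items() if a.value > 0}


def classify(a: Allowance, active_spenders: set, audited: set, established: set, active_chains: set) -> str:
    """Step 2: the article's tiers. Unaudited, inactive chain, or unlimited-and-unused -> high;
    well-established and actively used -> low; everything else (e.g. an exact amount
    to an active protocol) -> medium."""
    if a.chain not in active_chains or a.spender not in audited:
        return "high"
    if a.unlimited and a.spender not in active_spenders:
        return "high"
    if a.spender in established and a.spender in active_spenders:
        return "low"
    return "medium"


def revoke_calldata(spender: str) -> str:
    """Step 3 and the manual explorer route: ABI-encoded approve(spender, 0),
    which is exactly what a revocation transaction sends to the token contract."""
    spender_word = spender.lower().removeprefix("0x").rjust(64, "0")
    zero_word = "0" * 64                       # uint256 allowance of zero
    return "0x" + APPROVE_SELECTOR + spender_word + zero_word


def new_or_grown(previous: dict, current: dict) -> list:
    """Step 5: what a monitoring run alerts on -- approvals absent from the last
    inventory, or whose allowance increased since then."""
    return [a for k, a in current.items() if k not in previous or previous[k].value < a.value]


# ---- constructed sample data (hypothetical addresses) ----
OWNER, TOKEN = "0x" + "11" * 20, "0x" + "aa" * 20
ROUTER = "0x" + "bb" * 20     # active, audited, well-established protocol
OLD_FARM = "0x" + "cc" * 20   # unaudited farm the owner stopped using
TMP = "0x" + "dd" * 20        # approved once, then revoked


def _log(chain, block, idx, spender, value):
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"chain": chain, "blockNumber": block, "logIndex": idx, "address": TOKEN,
            "topics": [APPROVAL_TOPIC, pad(OWNER), pad(spender)], "data": "0x" + format(value, "064x")}


SAMPLE_LOGS = [
    _log("ethereum", 100, 0, ROUTER, UINT256_MAX),    # unlimited approval, later replaced
    _log("ethereum", 120, 3, ROUTER, 5 * 10**18),     # Step 4: re-approved for an exact amount
    _log("ethereum", 130, 1, OLD_FARM, UINT256_MAX),
    _log("arbitrum", 50, 0, OLD_FARM, UINT256_MAX),   # the same approval forgotten on the L2
    _log("ethereum", 140, 0, TMP, 10**18),
    _log("ethereum", 141, 0, TMP, 0),                 # revoked -> dropped from the inventory
]
POLICY = dict(active_spenders={ROUTER}, audited={ROUTER}, established={ROUTER}, active_chains={"ethereum"})


def audit(owner=OWNER, logs=SAMPLE_LOGS, policy=POLICY) -> list:
    """Full pass: (risk, allowance, revoke calldata) for every live approval, worst first."""
    rows = [(classify(a, **policy), a, revoke_calldata(a.spender))
            for a in current_allowances(owner, logs).values()]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(rows, key=lambda r: order[r[0]])


if __name__ == "__main__":
    for risk, a, calldata in audit():
        amount = "UNLIMITED" if a.unlimited else str(a.value)
        print(f"{risk:6} {a.chain:9} spender={a.spender[:10]}... {amount}  revoke={calldata[:18]}...")
```

Running it lists the two unlimited `OLD_FARM` approvals as high risk (one because the spender is unaudited, the other because it sits on a chain the policy marks inactive) ahead of the exact-amount router approval, and the `TMP` approval that was set back to zero never appears. Persisting the returned inventory between runs and feeding the previous one to `new_or_grown` is the alerting loop Step 5 describes; the real work in production is fetching the logs per chain, which this example deliberately leaves out.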

Troubleshooting

If a revocation transaction fails, the most common cause is insufficient gas. Revocation transactions require gas just like any other transaction. Ensure you have enough native tokens (ETH, BNB, MATIC) in your wallet to cover gas fees. If you are trying to revoke an approval on a chain where you have no native tokens, you will need to bridge or transfer a small amount first.

Some older token contracts use non-standard approval implementations that do not work correctly with Revoke.cash. In these cases, you will need to interact with the token contract directly through the block explorer. Navigate to the token contract on Etherscan, find the approve function in the contract’s write tab, enter the spender address and a value of zero, and execute the transaction. This manual approach works for any ERC-20 token but requires more technical comfort.

If you encounter approvals to contracts that you do not recognize and cannot identify through the contract address alone, use Etherscan’s contract reader to check if the contract has been verified. Verified contracts display their source code and a readable name. Unverified contracts should be treated as high-risk and their approvals revoked immediately. You can also search the contract address on DeFi safety databases like DeFiLlama to check if the protocol has been flagged for any security issues.

Mastering the Skill

Advanced approval management extends beyond simple revocation. Consider implementing approval strategies tailored to your DeFi activity level. Active traders who make multiple transactions daily might maintain unlimited approvals to their three most-used protocols while revoking everything else. Long-term holders who interact with DeFi infrequently should adopt a policy of granting approvals only when needed and revoking them immediately after each transaction.

For truly sophisticated security, explore permit2 signatures used by protocols like Uniswap X. These allow protocols to request token transfers through off-chain signatures rather than on-chain approvals, eliminating the persistent approval risk entirely. As this pattern gains adoption across DeFi, understanding permit2 will become essential for advanced users who want to minimize their approval footprint while maintaining full DeFi functionality.

The goal is not to eliminate all DeFi interaction — it is to ensure that every approval you grant is intentional, understood, and actively managed. The few minutes spent auditing your approvals can prevent the catastrophic losses that result from exploited smart contract permissions. In a post-Ankr, post-FTX world, approval auditing is not paranoia — it is due diligence.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions.


10 thoughts on “Advanced Smart Contract Approval Auditing: How to Review and Revoke Token Permissions Across Chains”

  1. unlimited token approvals are a ticking time bomb. the Ankr users who got drained had no idea they approved unlimited spending

    1. unlimited approvals made sense when gas was $50 per tx. now there's zero excuse. approve exact amounts or don't interact

    2. the Ankr exploit proved that unlimited approvals are basically a standing invitation for trouble. I check revoke.cash every Sunday now, religiously

    1. nonce_inspector

      Filip Oberg weekly checks are good but the real move is setting calendar reminders after every new protocol interaction. approve then schedule the revoke

  2. BTC at 17k and ETH at 1.2k post-FTX and people still weren't auditing their approvals. the Ankr wake-up call was overdue

  3. the article mentions multi-chain approval inventory and that's the key point most people miss. you approve on ethereum, forget, then the same contract sits live on Arbitrum and Optimism too

    1. cold_approve exactly. I revoked my approvals on ethereum last month and totally forgot about the same contracts on arbitrum. same vulnerability, different chain

      1. solflip_ same contracts on arbitrum, optimism and base. you revoke on ETH and forget the L2s where the same approval is still active. multi-chain inventory is a nightmare

  4. unlimited approvals made sense at 50 dollar gas. at sub-dollar L2 fees there is zero reason to approve more than the exact amount
