
Advanced Smart Contract Approval Auditing: Securing Your Wallet After $120M in September Hacks

September 2024 saw over $120 million drained from cryptocurrency platforms across more than 20 hacking incidents, as reported by blockchain security firm PeckShield. Beyond the headline-grabbing exchange breaches at BingX ($44 million) and Indodax ($22 million), a quieter but equally devastating category of attack claimed millions from individual wallet holders: malicious smart contract approvals. One phishing attack alone resulted in the theft of $32.4 million worth of spWETH through a fraudulent Permit signature. With Bitcoin at $60,837 and Ethereum at $2,449, understanding how to audit and revoke smart contract approvals is not optional — it is an essential skill for any serious DeFi user.

The Objective

This tutorial guides advanced users through a comprehensive smart contract approval audit. You will learn how to identify every token approval you have granted across multiple chains, assess the risk level of each approval, revoke dangerous ones, and establish a monitoring system to catch new approvals before they become liabilities. By the end, your wallet will have a dramatically reduced attack surface.

Prerequisites

Before starting, ensure you have the following: a web browser with your wallet extension installed (MetaMask, Rabby, or similar), access to the block explorers for every chain you use (Etherscan, Arbiscan, BscScan, etc.), and approximately 30-60 minutes of focused time. You should also have a small amount of native tokens on each chain for gas fees associated with revocation transactions. Familiarity with ERC-20 token standards and basic DeFi mechanics is assumed.

Step-by-Step Walkthrough

Step 1: Inventory your active chains. Open your wallet and list every blockchain network you have connected to DeFi protocols. Common chains include Ethereum mainnet, Arbitrum, Optimism, Base, Polygon, BNB Chain, and Avalanche. You must audit approvals on each chain separately because approvals are chain-specific.

Step 2: Scan approvals with Revoke.cash. Navigate to Revoke.cash and connect your wallet. The platform automatically detects your connected chains and displays all active token approvals. For each chain, you will see a list of contracts with their approved spending limits. Pay special attention to approvals labeled “Unlimited” — these are the highest risk because they allow the approved contract to spend your entire token balance at any time.

Step 3: Risk-assess each approval. Not all approvals carry equal risk. An approval to a well-known, audited protocol like Uniswap’s router contract carries less risk than an approval to an unknown or recently deployed contract. Check the contract address on the block explorer — when was it deployed? Does it have verified source code? Has it been audited by a reputable firm? Approvals to contracts deployed within the last 30 days without verified source code should be revoked immediately.

Step 4: Understand Permit2 and signature-based approvals. The $32.4 million spWETH theft exploited a Permit signature — a mechanism that allows gasless approvals through off-chain signatures. These do not appear in traditional approval scanners because no on-chain transaction is required. To check for Permit2 approvals, look specifically at the Uniswap Permit2 contract (0x000000000022D473030F116dDEE9F6B43aC78BA3 on Ethereum). If you have signed any Permit2 messages, you may have granted sweeping access to your tokens without realizing it. Revoke these through Revoke.cash’s dedicated Permit2 section.

Step 5: Revoke with precision. For each high-risk approval, click “Revoke” on Revoke.cash. This triggers an on-chain transaction that sets the spending allowance to zero. Confirm the transaction in your wallet and wait for it to be included in a block. For maximum security, consider revoking all approvals except those you actively need for current positions. You can always re-approve when you need to interact with a protocol again.

Step 6: Establish ongoing monitoring. Install the Revoke.cash browser extension or set up alerts through platforms like Wallet Guard or revoke.xyz. These tools notify you whenever a new approval is granted, allowing you to catch and review permissions in real time rather than discovering them weeks or months later during an audit.
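The checks from Steps 2 to 5 above, as an added example that is not code from the article, Revoke.cash or any wallet: it decodes ERC-20 Approval event logs into the current allowance table, applies the Step 3 rule (new and unverified contracts get revoked first, "Unlimited" is the next tier), builds the approve(spender, 0) calldata that a revocation transaction carries, and inspects an EIP-2612 Permit typed-data request before it is signed, which is the signature-based path from Step 4. Every address, the contract metadata, the Permit message and the 30-day deadline threshold are constructed assumptions; the two ABI constants are the standard ERC-20 selector and event topic.

```javascript
// Added example (not code from the article, Revoke.cash or any wallet):
// an offline audit of ERC-20 approvals plus a pre-signing check for an
// EIP-2612 "Permit" typed-data request. Plain Node.js, no dependencies.

const MAX_UINT256 = (1n << 256n) - 1n;
// Standard ERC-20 ABI constants (keccak-256 based, well known)
const APPROVE_SELECTOR = "0x095ea7b3"; // approve(address,uint256)
const APPROVAL_TOPIC =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"; // Approval(address,address,uint256)

const hex256 = (n) => "0x" + n.toString(16).padStart(64, "0"); // uint256 word
const topicAddr = (t) => "0x" + t.slice(-40).toLowerCase();    // address out of a 32-byte topic
const padAddr = (a) => hex256(BigInt(a));                       // address as a 32-byte topic/word

// Step 2: decode Approval(owner, spender, value) logs into the current allowance table.
// approve() replaces the allowance, so the latest log per (token, spender) wins and
// a final value of 0 means that approval was already revoked.
function decodeApprovalLog(log) {
  if (log.topics[0] !== APPROVAL_TOPIC) return null; // not an ERC-20 Approval event
  return { token: log.address.toLowerCase(), owner: topicAddr(log.topics[1]),
           spender: topicAddr(log.topics[2]), value: BigInt(log.data) };
}
function buildAllowances(logs) {
  const latest = new Map();
  for (const log of logs) {
    const a = decodeApprovalLog(log);
    if (a) latest.set(`${a.token}:${a.spender}`, a);
  }
  return [...latest.values()].filter((a) => a.value > 0n);
}

// Step 3: rank each allowance using explorer metadata about the spender.
// contractInfo is a constructed stand-in for "deployed when? verified source?".
function assessRisk(a, contractInfo) {
  const info = contractInfo[a.spender] || { ageDays: 0, verified: false }; // unknown = worst case
  if (info.ageDays < 30 && !info.verified) return "revoke-now"; // the article's hard rule
  if (a.value === MAX_UINT256) return "high";                   // "Unlimited" approval
  if (!info.verified) return "medium";
  return "low";
}

// Step 5: calldata of approve(spender, 0). approve() writes allowance[msg.sender][spender],
// so the spender argument is the contract whose allowance is being zeroed.
function revokeCalldata(spender) {
  return APPROVE_SELECTOR + padAddr(spender).slice(2) + hex256(0n).slice(2);
}

// Step 4: findings for an EIP-2612 Permit request before you sign it.
// The 30-day deadline threshold is this example's own heuristic, not a standard.
function checkPermitRequest(typedData, trustedSpenders, nowSec) {
  if (!/^Permit/.test(typedData.primaryType)) return [];
  const m = typedData.message;
  const findings = [];
  if (BigInt(m.value) === MAX_UINT256) findings.push("unlimited-amount");
  if (Number(m.deadline) - nowSec > 30 * 24 * 3600) findings.push("long-deadline");
  if (!trustedSpenders.has(m.spender.toLowerCase())) findings.push("unknown-spender");
  return findings;
}

// ---- Constructed sample data (placeholder addresses, not real contracts) ----
const OWNER = "0x1111111111111111111111111111111111111111";
const TOKEN = "0xcccccccccccccccccccccccccccccccccccccccc";
const OLD_VERIFIED = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";   // stand-in for an audited router
const NEW_UNVERIFIED = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"; // deployed days ago, no source
const REVOKED_ALREADY = "0xdddddddddddddddddddddddddddddddddddddddd";
const approvalLog = (spender, value) =>
  ({ address: TOKEN, topics: [APPROVAL_TOPIC, padAddr(OWNER), padAddr(spender)], data: hex256(value) });
const SAMPLE_LOGS = [
  approvalLog(OLD_VERIFIED, MAX_UINT256),
  approvalLog(REVOKED_ALREADY, MAX_UINT256),
  approvalLog(NEW_UNVERIFIED, 500n * 10n ** 18n),
  approvalLog(REVOKED_ALREADY, 0n), // later log: already set back to zero
];
const CONTRACT_INFO = {
  [OLD_VERIFIED]: { ageDays: 900, verified: true },
  [NEW_UNVERIFIED]: { ageDays: 3, verified: false },
};
const NOW = 1727740800; // constructed "now": 2024-10-01T00:00:00Z
const SAMPLE_PERMIT = {
  primaryType: "Permit",
  domain: { name: "Some Token", version: "1", chainId: 1, verifyingContract: TOKEN },
  message: { owner: OWNER, spender: NEW_UNVERIFIED, value: hex256(MAX_UINT256),
             nonce: 0, deadline: NOW + 365 * 24 * 3600 },
};

// Full audit: allowances with risk, revoke transactions to send, permit findings.
function runAudit(logs = SAMPLE_LOGS, info = CONTRACT_INFO, permit = SAMPLE_PERMIT) {
  const allowances = buildAllowances(logs).map((a) => ({ ...a, risk: assessRisk(a, info) }));
  const revokes = allowances
    .filter((a) => a.risk === "revoke-now" || a.risk === "high")
    .map((a) => ({ to: a.token, data: revokeCalldata(a.spender) }));
  const trusted = new Set(Object.keys(info).filter((k) => info[k].verified));
  return { allowances, revokes, permitFindings: checkPermitRequest(permit, trusted, NOW) };
}

console.log(JSON.stringify(runAudit(), (k, v) => (typeof v === "bigint" ? v.toString() : v), 2));
```

Run it with `node audit.js`. The allowance already set back to zero drops out of the table, the unlimited approval to the verified contract ranks "high", the approval to the three-day-old unverified contract ranks "revoke-now", and both produce `approve(spender, 0)` calldata addressed to the token contract. The Permit check fires on all three heuristics for the constructed request: unlimited value, a one-year deadline, and a spender that is not on the trusted list.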

Troubleshooting

If a revocation transaction fails, the most common cause is insufficient gas. Ensure you have enough native tokens (ETH, MATIC, BNB, etc.) to cover the transaction fee. If Revoke.cash shows an error loading approvals for a specific chain, try using the chain’s native block explorer directly — navigate to your address and find the “Token Approvals” section under the dropdown menu.

For approvals that appear stuck or cannot be revoked through standard tools, you may need to interact with the contract directly. Copy the contract address into Etherscan, connect your web wallet under the “Contract” tab, and call the approve function with your own address as the spender and zero as the amount. This manual approach bypasses UI limitations of automated tools.

If you discover approvals to contracts you do not recognize and suspect you may have been exposed to a phishing attack, immediately transfer your tokens to a fresh wallet address. Do not attempt to interact with the suspicious contract further, as some malicious contracts contain trapdoor functions that activate on revocation attempts.

Mastering the Skill

Smart contract approval auditing should become a regular habit, not a one-time exercise. Schedule a monthly review of all your active approvals across every chain you use. Before connecting your wallet to any new protocol, check its contract addresses against security databases like CoinMarketCap’s smart contract audit section or DeFiSafety’s protocol ratings. Adopt the principle of minimal approval: approve only the exact amount needed for your intended transaction rather than accepting the default unlimited approval that most protocols request. With practice, this entire audit process takes less than 15 minutes and provides peace of mind that your assets remain under your control.

Disclaimer: This article is for educational purposes only and does not constitute financial or security advice. Always conduct your own research and consider consulting with a security professional before making decisions about your digital assets.


13 thoughts on “Advanced Smart Contract Approval Auditing: Securing Your Wallet After $120M in September Hacks”

  1. that $32.4M spWETH theft via a fake Permit signature is exactly why I revoke approvals weekly now. used to do it never

  2. BingX losing $44M and Indodax $22M in the same month and people still blindly sign metamask prompts without reading them

    1. the permit signature exploit is especially nasty because it does not require gas. you sign once off-chain and the attacker submits whenever they want. days or weeks later

      1. offline_signer_

        the gasless signing exploit is genius from an attacker perspective. your wallet shows nothing, no pending transaction, no gas estimate. just a signature request that looks like any other

      2. the off-chain signing then execute later pattern is brutal. you sign a permit on sunday, attacker submits on wednesday. no gas alert, nothing

        1. the delayed execution pattern permit_ghost mentioned is why you should check pending permits too, not just active approvals. revoked one from March I forgot about

          1. checking pending permits is such an underrated tip. had one sitting from a testnet airdrop 6 months ago. revoked it immediately after reading this

    2. bingx 44M and indodax 22M in one month and people still click approve on random contracts they found from a telegram link. unreal

      1. BingX at $44M in losses and people still click approve on contracts from Telegram links. the gap between awareness and action is massive

  3. running every approval through a simulation first should be standard. tenderly and pocket universe catch most of this automatically. no excuse in 2024

  4. Been using revoke.cash monthly since 2022. Should be built into every wallet at this point, not a third party tool you have to know about

    1. rabby wallet actually shows you what you are signing in human readable format. metamask just shows hex. the UX gap is massive and it's costing people millions
