Advanced Wallet Security After the Bybit Hack: How to Audit Your Smart Contract Interactions

The aftermath of the Bybit hack, which exposed alarming vulnerabilities in centralized cryptocurrency exchange security, serves as a critical reminder that even the most sophisticated platforms can be compromised. For experienced cryptocurrency users, the incident underscores the importance of taking direct control of your security posture — not just through hardware wallets, but through a systematic approach to auditing your smart contract interactions and access permissions.

This advanced tutorial walks through the practical steps for conducting a comprehensive security audit of your wallet’s smart contract approvals, identifying potential vulnerabilities in your interaction history, and establishing an ongoing monitoring routine. Whether you manage a substantial portfolio or interact frequently with DeFi protocols, these techniques will help you identify and mitigate risks before they become losses.

The Objective

The goal is to establish a complete inventory of every smart contract that has permission to interact with your wallets, identify any approvals that exceed their necessary scope, and revoke access for contracts you no longer use or trust. Additionally, you will set up monitoring to receive alerts when new approvals are granted or when previously approved contracts exhibit unusual behavior.

This process is particularly relevant in the current market environment, where Bitcoin trades at approximately $82,600 and Ethereum at $1,827, meaning that even small vulnerabilities in your wallet security could expose significant value.

Prerequisites

Before beginning this audit, you will need the following tools and access: a web browser with MetaMask or your preferred wallet extension installed, access to Etherscan or the appropriate block explorer for each network you use, a tool such as Revoke.cash or Rabby Wallet for visualizing token approvals, and optionally a terminal with Foundry or Hardhat installed for programmatic approval checking. Familiarity with reading smart contract ABIs and understanding ERC-20 approval mechanics is assumed.

Step-by-Step Walkthrough

Step 1: Inventory your wallets and networks. Begin by listing every wallet address you actively use across all networks — Ethereum mainnet, Arbitrum, Optimism, Base, Polygon, and any other chains where you have deployed funds. For each wallet, note the approximate value at risk. This inventory forms the foundation of your audit scope.

Step 2: Export your approval history. Navigate to Revoke.cash and connect each of your wallets in sequence. The platform will display every token approval associated with your address across supported networks. Export or screenshot the full list for each wallet. Pay particular attention to unlimited approvals (shown as very large numbers or infinity symbols), which grant the spender access to your entire token balance.

Step 3: Categorize approvals by risk level. Sort your approvals into three categories. Green approvals are those you recognize and actively use, such as trusted DEX routers like Uniswap or established lending protocols where you currently have positions. Yellow approvals are for protocols you recognize but no longer actively use — these should be candidates for revocation. Red approvals are those you do not recognize, cannot identify the contract for, or that point to known compromised or deprecated contracts — these require immediate revocation.

Step 4: Verify contract authenticity. For each yellow and red approval, verify the contract address against the protocol’s official documentation. Check the contract on Etherscan to confirm it is verified and matches the expected source code. Cross-reference with DeFi safety databases and audit reports. If the contract is unverified or you cannot confirm its legitimacy, treat it as a red approval.

Step 5: Revoke unnecessary approvals. Using Revoke.cash or directly through the block explorer, revoke all red and yellow approvals. When revoking, set the allowance to zero rather than a small number. For Ethereum mainnet, be aware that each revocation transaction costs gas — batch multiple revocations when possible using tools like Permit2 or through a Foundry script that calls the approve function with a zero amount for each spender.

Step 6: Set up ongoing monitoring. Configure alerts using tools like Forta, OpenZeppelin Defender, or wallet notification systems that ping you when new approvals are granted from your addresses. Some advanced users deploy custom smart contracts that act as intermediaries, only allowing whitelisted contracts to receive approvals from the wallet.
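The audit loop of Steps 2, 3 and 5 as an added Python example (not code from the article, Revoke.cash or Foundry): it replays ERC-20 Approval logs for one owner into live allowances, buckets them green/yellow/red, and ABI-encodes the zero-allowance approve call that revokes each one. It assumes logs in the shape returned by an eth_getLogs query; every address and log below is a constructed placeholder.

```python
# Added example, not from the article: replay ERC-20 Approval logs for one owner
# into live allowances, bucket them green/yellow/red as in Step 3, and ABI-encode
# the approve(spender, 0) call that revokes each one as in Step 5. All constructed data.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak256("Approval(address,address,uint256)")
APPROVE_SELECTOR = "095ea7b3"  # 4-byte selector of approve(address,uint256)
UINT256_MAX = 2**256 - 1       # how "unlimited" approvals are encoded on chain

def pad32(addr):  # 20-byte address -> 32-byte hex word without 0x
    return addr[2:].lower().rjust(64, "0")
def word_to_address(word):
    return "0x" + word[-40:].lower()

def approval_log(block, index, token, owner, spender, value):
    """One log shaped like an eth_getLogs result (constructed placeholder data)."""
    return {"blockNumber": block, "logIndex": index, "address": token,
            "topics": [APPROVAL_TOPIC, "0x" + pad32(owner), "0x" + pad32(spender)],
            "data": "0x" + format(value, "064x")}

def live_allowances(logs, owner):
    """Last Approval per (token, spender) in chain order is the current allowance; pairs reset
    to zero are dropped. ERC-721 Approval shares this topic hash but adds tokenId as a 4th topic."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        if len(t) != 3 or t[0] != APPROVAL_TOPIC or word_to_address(t[1]) != owner.lower():
            continue
        state[(log["address"].lower(), word_to_address(t[2]))] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v > 0}

def classify(allowances, active, known):
    """green: recognized and in use; yellow: recognized but idle; red: unknown. Unlimited flagged separately."""
    return [(token, spender,
             "green" if spender in active else "yellow" if spender in known else "red",
             amount == UINT256_MAX)
            for (token, spender), amount in allowances.items()]

def revoke_calldata(spender):
    """ABI encoding of approve(spender, 0): what Revoke.cash or
    cast send <TOKEN> "approve(address,uint256)" <SPENDER> 0 submits to the token contract."""
    return "0x" + APPROVE_SELECTOR + pad32(spender) + "0" * 64

OWNER, ROUTER, LENDER, UNKNOWN, TOKEN_A, TOKEN_B = ("0x" + c * 20 for c in ("0a", "b1", "c2", "d3", "e4", "f5"))
SAMPLE_LOGS = [  # deliberately out of chain order to show that the replay order matters
    approval_log(141, 0, TOKEN_B, OWNER, UNKNOWN, 0),             # later reset to zero
    approval_log(100, 0, TOKEN_A, OWNER, ROUTER, UINT256_MAX),    # trusted DEX router, unlimited
    approval_log(120, 3, TOKEN_A, OWNER, UNKNOWN, 500 * 10**18),  # spender you cannot identify
    approval_log(130, 1, TOKEN_B, OWNER, LENDER, UINT256_MAX),    # lender you no longer use
    approval_log(140, 0, TOKEN_B, OWNER, UNKNOWN, 7),             # granted, then revoked above
]
AUDIT = classify(live_allowances(SAMPLE_LOGS, OWNER), active={ROUTER}, known={ROUTER, LENDER})
TO_REVOKE = [(token, revoke_calldata(spender)) for token, spender, colour, _ in AUDIT if colour != "green"]
```

The replay matters because a spender that was later reset to zero must not reappear in the list, and the 4-topic check keeps ERC-721 single-token approvals from being mistaken for ERC-20 allowances.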

Troubleshooting

If you encounter approval entries that cannot be revoked through standard tools, this may indicate the approval was granted to a contract with a self-destruct function or one that has been deprecated. Because the allowance is stored in the token contract rather than in the spender, it can still be reset: interact directly with the token contract using a manual transaction that sets the allowance to zero. Use Foundry’s cast tool to send the approval reset transaction directly.

For wallets with hundreds of historical approvals, consider creating a fresh wallet and migrating your assets rather than attempting to clean up a lengthy approval history. Fund the new address with the native token first so it can pay for gas, then move your ERC-20 tokens with direct transfers from the old wallet rather than through any contract that might rely on the old approvals, and be more selective about which contracts you approve going forward.

Mastering the Skill

The most effective security posture is preventive rather than reactive. Going forward, adopt the habit of granting only the minimum necessary approval for each transaction — use exact amount approvals rather than unlimited approvals wherever possible. Modern DEX interfaces like Uniswap’s Permit2 system allow for single-use permits that expire after one transaction. Consider using a dedicated interaction wallet with limited funds for experimenting with new protocols, keeping your main holdings in a separate, approval-free wallet. Regular security audits, conducted quarterly or after any significant market event, should become as routine as checking your portfolio performance.

Disclaimer: This article is for educational purposes only and does not constitute financial or security advice. Always verify security procedures with qualified professionals before implementing changes to your cryptocurrency setup.

8 thoughts on “Advanced Wallet Security After the Bybit Hack: How to Audit Your Smart Contract Interactions”

  1. revocation_check

    revoking old token approvals should be monthly maintenance, not something you do after getting rekt. use revoke.cash or untitled, takes 2 min

    1. been saying this since the infinite approval era of 2021. blame MetaMask for making unlimited the default for so long

    2. this. i found 47 active approvals i didn't recognize. 47. some from contracts that probably don't even exist anymore

      1. 47 approvals is rookie numbers. checked my main wallet after reading this and found 132. cleaning house now

    3. monthly is the move. set a calendar reminder, takes less time than checking your portfolio which you probably do 20x a day

  2. Good breakdown of the approval audit process. One thing missing: most people forget about NFT approvals. Those can be just as dangerous as ERC-20 spending limits.

    1. multisig_or_nothing

      Diego Ruiz is right about NFT approvals. lost 2 ETH worth of NFTs from a forgotten Seaport approval last year. check those too people
