The December 2023 hack of NFT Trader, which saw approximately $3 million worth of high-value NFTs stolen through legacy smart contract exploits, has left many NFT holders wondering whether their own collections are at risk. If you have ever traded NFTs on a peer-to-peer marketplace, the answer is: possibly yes. This guide walks you through the essential steps to secure your digital assets by understanding and managing wallet approvals.
The Basics
When you list an NFT for sale on a marketplace or complete a trade on a peer-to-peer platform, you grant that platform’s smart contract permission to transfer the NFT on your behalf. This permission is called a token approval, and it persists indefinitely unless you explicitly revoke it. Think of it like giving someone a key to your house: even after you stop visiting them, they still have the key. In the NFT Trader hack, attackers exploited old smart contracts that still had active approvals from users who had traded on the platform months or even years earlier.
With Ethereum trading at approximately $2,227 and some individual NFTs worth hundreds of thousands of dollars, the financial stakes of ignoring these approvals are enormous. The attack affected holders of Bored Ape Yacht Club, Mutant Ape Yacht Club, VeeFriends, World of Women, and Art Blocks collections.
Why It Matters
Token approvals are not inherently dangerous — they are necessary for decentralized applications to function. The risk arises when approvals outlive their usefulness. Platforms frequently upgrade their smart contracts, but old contracts remain on the blockchain with their approvals intact. If an old contract contains a vulnerability, as was the case with NFT Trader’s reentrancy bug, attackers can exploit it to access your tokens even though you have not interacted with the old contract in months. This is not a theoretical risk: it has now resulted in one of the largest NFT thefts in history.
Getting Started Guide
Here is how to check and revoke your token approvals step by step. First, visit Revoke.cash, a free and widely trusted tool for managing Ethereum and EVM-compatible chain approvals. Connect your wallet using MetaMask, WalletConnect, or Coinbase Wallet. The site will display all active approvals for your address, organized by token type and the contract that holds the approval. Look for approvals to contracts you no longer use or recognize, especially older versions of marketplace contracts. For each suspicious approval, click the revoke button and confirm the transaction in your wallet. There will be a small gas fee for each revocation, so prioritize high-value NFT approvals first. You can also use Etherscan’s token approval checker as an alternative, though the interface is less user-friendly.
Common Pitfalls
Many users make the mistake of only checking their most active wallet. If you have multiple wallets, you need to check each one separately. Another common error is confusing revoking an approval with canceling a listing. Revoking an approval removes the contract’s permission to transfer your tokens, but it does not cancel active listings on current marketplaces. You should do both: cancel listings on platforms you no longer use and revoke the underlying approvals. Some users also worry that revoking approvals will affect their current listings on platforms like OpenSea or Blur. The answer depends on which specific contract you are revoking. If you revoke the approval for an old NFT Trader contract, it will not affect your OpenSea listings because they use different contracts.
Next Steps
Make approval management a regular part of your security routine. Check your approvals monthly, or at minimum after every significant trade or platform migration. Consider using a dedicated trading wallet that holds only the NFTs you are actively listing, keeping your long-term holdings in a separate wallet with minimal approvals. Hardware wallets like Ledger and Trezor provide an additional layer of protection because every transaction requires physical confirmation on the device. Finally, stay informed about security incidents in the NFT space by following security-focused accounts and tools like Revoke.cash on social media. The NFT Trader hack was preventable for users who had revoked their old approvals. Do not let the next hack catch you unprepared.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any investment decisions.
the house key analogy is spot on. i probably have 40+ active approvals from dapps i havent touched since 2021. time for cleanup
40 approvals is actually low. checked mine on revoke.cash and had over 80. most from random airdrop claims
80 approvals from airdrops is exactly why i use a burner wallet for anything airdrop adjacent. main wallet stays clean
Revoke.cash should be bookmarked by every NFT holder. Took me 15 minutes to clean up two years of approvals.
spent 20 mins revoking stuff after reading this. found 3 approvals to contracts i literally dont even recognize. scary
i had 12 open approvals from 2022 alone. revoked all of them. the peace of mind is worth the gas
the real lesson is never approve unlimited spending. set exact amounts. most people just click confirm without reading
exact amounts should be the default tbh. metamask still shows ‘unlimited’ for most contracts and people just click through. the ux is part of the problem