Every time you interact with a decentralized application — swapping tokens on Uniswap, providing liquidity to Aave, or minting an NFT on OpenSea — you grant that smart contract permission to spend your tokens. These permissions, called token approvals or allowances, are a fundamental part of how DeFi works. But they are also one of the most common ways that hackers drain wallets. The Ledger Connect Kit attack on December 14, 2023, which stole over $600,000, exploited exactly this mechanism. With Bitcoin at $43,997 and Ethereum at $2,326 on December 22, 2023, the value at risk from stale approvals has never been higher. This guide walks you through understanding, auditing, and revoking token approvals to keep your crypto safe.
Understanding Token Approvals
When you approve a token spending allowance, you are telling the token contract that a specific smart contract address is allowed to transfer up to a certain number of your tokens. The ERC-20 standard defines approve(address spender, uint256 amount) for this purpose; ERC-721 and ERC-1155 define the equivalent setApprovalForAll(address operator, bool approved), which covers every token you hold in that collection at once. When you set an approval, it remains active on-chain until you explicitly revoke it. There is no expiration date, no automatic cleanup, and no notification when a protocol you approved months ago gets hacked.
The danger is compounded by the common practice of setting approvals to the maximum uint256 value (approximately 1.15 x 10^77 tokens), which effectively grants unlimited spending permission. While this saves gas on future transactions by avoiding repeated approval calls, it means that if the approved contract is ever compromised, the attacker can drain your entire token balance for that specific asset.
The recent Ledger Connect Kit supply chain attack demonstrated this vulnerability in real-time. When the malicious versions of the NPM package were pushed to the registry, dApps that imported the library unknowingly loaded a Drainer class that exploited previously granted approvals to transfer user funds. Users who had granted unlimited approvals to these dApps were fully exposed, while those who had set limited approvals or had revoked old approvals were partially or fully protected.
Checking Your Approvals
Before you can revoke approvals, you need to know what approvals you have granted. Several tools make this process straightforward. Revoke.cash is the most widely used approval checker. Connect your wallet, and the tool scans the blockchain for all token approvals associated with your address across multiple networks including Ethereum, BNB Chain, Polygon, Avalanche, Arbitrum, and Optimism. Each approval shows the token contract address, the spender contract address, the approved amount, and the network it is on.
Etherscan also provides an approval checker. Navigate to the Token Approvals section under your address profile, and you will see a list of all ERC-20, ERC-721, and ERC-1155 approvals. The interface allows you to filter by token type and network, and provides a direct revoke button for each approval.
For power users, you can query approvals directly using ethers.js or web3.js. The ERC-20 allowance(address owner, address spender) function returns the current approved amount for any token and spender combination. This method requires more technical knowledge but gives you complete control and can be automated as part of a regular security audit routine.
The Revocation Process
Revoking an approval is a simple on-chain transaction. Here is the step-by-step process using Revoke.cash, the most user-friendly option. First, navigate to Revoke.cash and connect your wallet. The tool supports MetaMask, WalletConnect, Coinbase Wallet, and most popular browser extension wallets. Second, select the network you want to audit. Revoke.cash supports over 30 networks. Third, review the list of active approvals. Pay special attention to approvals for large amounts (anything over the amount you actually need for current interactions) and approvals to contracts you no longer use. Fourth, click the revoke button next to any approval you want to remove. This will prompt your wallet to sign a transaction. Fifth, confirm the transaction and wait for it to be included in a block. Once confirmed, the allowance is set to zero on-chain and stays that way until you approve that spender again.
The gas cost of revoking an approval is similar to a standard token transfer — typically between $1 and $5 depending on network congestion. On Layer 2 networks like Arbitrum and Optimism, the cost is usually less than $0.10. This is a small price to pay for significantly reducing your exposure to smart contract exploits.
For users with many approvals across multiple networks, the process can be time-consuming. Some tools, including Revoke.cash, offer batch revocation features that allow you to revoke multiple approvals in a single transaction, saving both time and gas fees. Look for the batch or bulk revoke option in the tool interface.
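The allowance query described under Checking Your Approvals and the revoke transaction described above, as an added example that is not part of the original article and does not use ethers.js or web3.js: it ABI-encodes the allowance(owner, spender) call for eth_call and the approve(spender, 0) and setApprovalForAll(operator, false) revoke calldata by hand, folds a set of Approval event logs into the current allowance per (token, owner, spender) the way approval checkers do (a later approve() overwrites an earlier one, which is why a revoke cancels an old unlimited approval), and flags unlimited and over-sized allowances. The function selectors and the Approval event topic are the standard ERC-20/ERC-721 values; every address, block number and log entry below is a constructed placeholder, and the needed-amount threshold is an assumption for the sample.

```javascript
// Added example, not from the article: offline ERC-20 approval audit using only
// Node.js built-ins (BigInt and strings) instead of ethers.js/web3.js.

const MAX_UINT256 = (1n << 256n) - 1n;

// 4-byte selectors are the first 4 bytes of keccak256(signature); hardcoded so
// no keccak implementation is needed to run this offline.
const SEL_ALLOWANCE = "dd62ed3e";            // allowance(address,address)
const SEL_APPROVE = "095ea7b3";              // approve(address,uint256)
const SEL_SET_APPROVAL_FOR_ALL = "a22cb465"; // setApprovalForAll(address,bool)
// keccak256("Approval(address,address,uint256)"): topics[0] of ERC-20 Approval events.
const APPROVAL_TOPIC =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";

const strip0x = (h) => h.toLowerCase().replace(/^0x/, "");

// ABI-encode an address as one 32-byte word (left-padded with zeros).
function encodeAddress(addr) {
  const h = strip0x(addr);
  if (!/^[0-9a-f]{40}$/.test(h)) throw new Error(`bad address: ${addr}`);
  return h.padStart(64, "0");
}

// ABI-encode a uint256 as one 32-byte word; a bool is encoded as uint256 0/1.
function encodeUint256(value) {
  const v = BigInt(value);
  if (v < 0n || v > MAX_UINT256) throw new RangeError("value outside uint256");
  return v.toString(16).padStart(64, "0");
}

// Decode the single 32-byte word returned by allowance() or carried in log data.
function decodeUint256(word) {
  const h = strip0x(word);
  if (!/^[0-9a-f]{64}$/.test(h)) throw new Error("expected one 32-byte word");
  return BigInt("0x" + h);
}

// An indexed address topic is the address left-padded to 32 bytes.
function decodeAddressWord(word) {
  return "0x" + strip0x(word).slice(24);
}

// calldata for eth_call: allowance(owner, spender)
function allowanceCalldata(owner, spender) {
  return "0x" + SEL_ALLOWANCE + encodeAddress(owner) + encodeAddress(spender);
}

// calldata for the ERC-20 revoke transaction: approve(spender, 0)
function revokeCalldata(spender) {
  return "0x" + SEL_APPROVE + encodeAddress(spender) + encodeUint256(0);
}

// calldata for the ERC-721/ERC-1155 revoke: setApprovalForAll(operator, false)
function revokeAllCalldata(operator) {
  return "0x" + SEL_SET_APPROVAL_FOR_ALL + encodeAddress(operator) + encodeUint256(0);
}

// Risk bucket for an allowance relative to what the user actually needs.
function classifyAllowance(amount, needed) {
  if (amount === 0n) return "none";
  if (amount === MAX_UINT256) return "unlimited"; // the classic max-uint256 approval
  if (amount > needed) return "excessive";         // e.g. 2^255 or any other oversized grant
  return "bounded";
}

// Parse one Approval(address indexed owner, address indexed spender, uint256 value) log.
function parseApprovalLog(log) {
  if (log.topics.length !== 3 || log.topics[0] !== APPROVAL_TOPIC) return null;
  return {
    token: log.address.toLowerCase(),
    owner: decodeAddressWord(log.topics[1]),
    spender: decodeAddressWord(log.topics[2]),
    amount: decodeUint256(log.data),
  };
}

// Fold logs into the current allowance per (token, owner, spender). approve()
// overwrites rather than adds, so only the latest event per key matters; that is
// how an approve(spender, 0) revoke cancels an earlier unlimited approval.
function latestAllowances(logs) {
  const ordered = [...logs].sort(
    (a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex
  );
  const current = new Map();
  for (const log of ordered) {
    const ev = parseApprovalLog(log);
    if (ev) current.set(`${ev.token}:${ev.owner}:${ev.spender}`, ev);
  }
  return current;
}

function auditReport(logs, needed) {
  return [...latestAllowances(logs).values()].map((ev) => ({
    ...ev,
    risk: classifyAllowance(ev.amount, needed),
  }));
}

// Constructed placeholder addresses and logs, shaped like eth_getLogs output.
const TOKEN = "0x" + "aa".repeat(20);
const OWNER = "0x" + "11".repeat(20);
const DEX = "0x" + "22".repeat(20);
const LENDER = "0x" + "33".repeat(20);
const approvalLog = (blockNumber, logIndex, spender, amount) => ({
  address: TOKEN, blockNumber, logIndex,
  topics: [APPROVAL_TOPIC, "0x" + encodeAddress(OWNER), "0x" + encodeAddress(spender)],
  data: "0x" + encodeUint256(amount),
});
const SAMPLE_LOGS = [
  approvalLog(100, 0, DEX, MAX_UINT256), // unlimited approval to a DEX router
  approvalLog(100, 7, LENDER, 5000n),    // bounded but larger than needed
  approvalLog(250, 3, DEX, 0n),          // later revoke of the DEX approval
];

console.log(auditReport(SAMPLE_LOGS, 1000n));
```

The report shows the DEX allowance as none (the block-250 revoke wins over the block-100 unlimited approval) and the lender allowance as excessive relative to the assumed 1000-token need; the same `allowanceCalldata` output can be passed as the `data` field of an eth_call against the token contract to confirm the on-chain value before deciding which `revokeCalldata` transactions to sign.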
Best Practices
Adopting a proactive approach to token approval management can prevent the vast majority of approval-based exploits. First, set limited approvals instead of unlimited ones. Many modern dApps support exact amount approvals. If the dApp does not offer this option, consider whether the convenience of unlimited approval is worth the additional risk. Second, revoke approvals immediately after completing a transaction. If you swap tokens on Uniswap, revoke the approval as soon as the swap is complete. You can always re-approve the next time you use the protocol. Third, conduct a monthly approval audit. Set a calendar reminder to check Revoke.cash once a month and revoke any approvals you no longer need. Fourth, use a dedicated wallet for DeFi interactions. Keep your main holdings in a wallet with minimal or no approvals, and use a separate hot wallet with limited funds for dApp interactions. Fifth, consider using hardware wallets for large holdings. Hardware wallets require physical confirmation for every transaction, including approvals, adding an extra layer of security.
Tools Overview
Beyond Revoke.cash and Etherscan, several other tools deserve mention. MetaMask Snaps now include Wallet Guard and Blockfence extensions that provide real-time transaction simulation and approval monitoring directly within the wallet interface. Tenderly allows developers to simulate transactions before signing, showing exactly what state changes an approval or transaction will cause. Unrekt.net offers an alternative approval revocation interface with a focus on identifying potentially malicious contracts. Approvals.xyz provides a clean interface for checking and revoking approvals across multiple chains simultaneously.
The key takeaway is that managing token approvals is not optional — it is a fundamental security practice that every crypto user should adopt. The tools are free, the process is simple, and the protection it provides is significant. In an ecosystem where a single stale approval can lead to the loss of thousands of dollars, the few minutes it takes to audit and revoke unnecessary approvals is the highest-return security investment you can make.
Disclaimer: This article is for educational purposes only and does not constitute financial or security advice. Always verify tool URLs and conduct your own research before connecting your wallet to any platform.
everyone should bookmark revoke.cash and use it after every defi session. took me 5 minutes to find 12 stale approvals i forgot about
i use the approval analyzer on rabby wallet, shows you exactly what you are signing before you click. game changer for avoiding exactly this
revoke.cash is solid but it still blows my mind that metamask doesn't have this built in. third party tool to manage your own approvals is wild
rabby shows a simulation before signing. metamask just flashes the hex data and hopes for the best. the UX gap is embarrassing
metamask not having built-in approval management in 2026 is genuinely embarrassing. rabby figured it out years ago
metacrisis_ metamask not having native approval management in 2026 while rabby does it for free is embarrassing. competition should have forced this years ago
12 stale approvals is crazy. i ran revoke.cash once and found 47. took me an hour to clean up
Lina Q. 47 stale approvals is insane. i had 31 unlimited approvals on chains i haven't touched in months. revoke.cash should be monthly maintenance at this point
unlimited approvals made sense in 2020 when gas was $2. now with gas at $15+ on L1 there is zero excuse for dapps defaulting to max approval
the unlimited approval default on most DEXs is criminal. how is this still the standard in 2023?
unlimited approvals are a lazy default from early defi days. nobody bothered fixing it because users just click accept anyway
Ledger Connect Kit was the wake up call. $600k stolen from a supply chain attack on approvals. hardware wallets don't save you if the dapp is compromised
supply chain attacks are the worst because you cant audit your way out. the dapp was legit, the dependency was poisoned
Ledger Connect Kit attack stole $600K in hours. a single compromised npm package and every dApp using it became a drain vector