Shepley Capital

How to Revoke Smart Contract Approvals

Every time you interact with a DeFi protocol on Ethereum or another EVM-compatible chain, you are typically asked to confirm a token approval: a transaction granting a smart contract permission to spend your tokens. This permission persists until you overwrite it or, for a fixed-amount approval, until it is spent; nothing expires it on its own. Over time, active DeFi users accumulate dozens or hundreds of these approvals from protocols they may have used only once. Each active approval is a potential attack surface: if the approved contract is exploited, upgraded maliciously, or turns out to be a scam, whoever controls it can use the existing approval to move the specific token you approved out of your wallet, up to the approved amount and your current balance. Revoking unnecessary approvals is one of the most important, and most overlooked, security practices in DeFi.
What a Token Approval Actually Does

A token approval is a transaction that calls approve(spender, amount) on the token contract and updates its ERC-20 allowance record: the number of tokens a specific spender address is authorised to move out of your balance by calling transferFrom. Note that approve sets the allowance rather than adding to it, which is why a revocation is simply an approval of zero. When you approve “unlimited” tokens (the default in many DeFi interfaces, encoded as the largest 256-bit integer), you give that contract permission to move any amount of that token from your wallet at any time, and most token implementations do not reduce an unlimited allowance as it is used. When you approve an exact amount, the permission is limited to that quantity and shrinks with each use. An allowance can also be created without a transaction from you: EIP-2612 permit and Uniswap’s Permit2 let you sign a message off-chain that someone else then submits, so a “sign message” prompt can grant exactly the same power as an approval transaction, and approval phishing relies on that. NFT collections use the analogous setApprovalForAll on ERC-721 and ERC-1155 contracts. Understanding the full mechanics of what token approvals are and why they matter is the foundation of managing them correctly.
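The allowance rules above, as an added example rather than code from the page or from any real token: a toy ERC-20 ledger that reproduces them, with a short walkthrough of the four situations that matter (exact approvals are spent down, unlimited ones are not and survive later compromise of the spender, a zero approval revokes, and an allowance on a token you currently do not hold is dormant rather than dead). The rule that an allowance equal to the maximum uint256 is never decremented follows the OpenZeppelin ERC20 convention; treat that as an assumption, since individual tokens may implement it differently.

```python
# Added example (not the page's code, not a real token): a toy ERC-20 ledger
# reproducing the allowance rules described above. The "unlimited is never
# decremented" rule is the OpenZeppelin convention (assumption).

MAX_UINT256 = 2**256 - 1  # the "unlimited" amount most dApp approval prompts request


class AllowanceError(Exception):
    """Raised where a real token's transferFrom would revert."""


class ToyERC20:
    """Balances plus an (owner, spender) -> allowance map, nothing more."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> amount the spender may still move

    def approve(self, owner, spender, amount):
        # approve() SETS the allowance; it does not add to an existing one,
        # so approve(spender, 0) is exactly what a "revoke" does.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        # Called by the spender contract. Nothing about the owner is consulted
        # except the allowance it granted earlier, however long ago that was.
        remaining = self.allowance(owner, spender)
        if remaining < amount:
            raise AllowanceError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise AllowanceError("insufficient balance")
        if remaining != MAX_UINT256:  # unlimited allowances are not spent down
            self.allowances[(owner, spender)] = remaining - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def _attempt(token, spender, owner, to, amount):
    """Return the revert reason, or 'succeeded'."""
    try:
        token.transfer_from(spender, owner, to, amount)
        return "succeeded"
    except AllowanceError as e:
        return str(e)


def scenario():
    """Walk through the situations the text describes; returns the observations."""
    alice, protocol, attacker = "alice", "protocol_contract", "attacker"
    out = {}

    # 1. Exact approval: consumed by use, so a second pull fails.
    t = ToyERC20({alice: 1_000})
    t.approve(alice, protocol, 100)
    t.transfer_from(protocol, alice, protocol, 100)
    out["exact_remaining"] = t.allowance(alice, protocol)
    out["exact_second_pull"] = _attempt(t, protocol, alice, attacker, 1)

    # 2. Unlimited approval: unchanged after normal use. If the spender
    #    contract is later compromised, it can steer transferFrom to the
    #    attacker and move the whole balance.
    t = ToyERC20({alice: 1_000})
    t.approve(alice, protocol, MAX_UINT256)
    t.transfer_from(protocol, alice, protocol, 100)
    out["unlimited_remaining"] = t.allowance(alice, protocol)
    t.transfer_from(protocol, alice, attacker, t.balances[alice])
    out["alice_after_drain"] = t.balances[alice]

    # 3. Revocation is approve(spender, 0); afterwards any pull fails.
    t = ToyERC20({alice: 1_000})
    t.approve(alice, protocol, MAX_UINT256)
    t.approve(alice, protocol, 0)
    out["after_revoke"] = _attempt(t, protocol, alice, attacker, 1)

    # 4. Allowance on a token you do not hold: dormant, not dead. The pull
    #    fails on balance today and succeeds the moment tokens arrive.
    t = ToyERC20({alice: 0})
    t.approve(alice, protocol, MAX_UINT256)
    out["empty_wallet_pull"] = _attempt(t, protocol, alice, attacker, 1)
    t.balances[alice] = 500  # alice later receives 500 of this token
    t.transfer_from(protocol, alice, attacker, 500)
    out["after_refill"] = t.balances[alice]
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Case 4 is the one people miss: checkers that only list tokens you currently hold will not show that allowance, but it becomes live again as soon as the token lands in the wallet.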
Why Old Approvals Are Dangerous

The danger of old approvals lies in persistence and forgotten exposure. You might have connected your wallet to a small protocol during a market frenzy, approved tokens, made a few transactions, and then moved on. Months later, that protocol’s smart contract is exploited. Because every approval emits a public Approval event, the attacker can scan the chain for all wallets with a live allowance to the compromised contract and call transferFrom against each of them. What the attack requires is the ability to make the approved spender contract move tokens to an address of the attacker’s choosing, which is exactly what a contract bug, a malicious upgrade of a proxy, or a compromised admin key provides. The loss is bounded by the allowance and by your current balance of that token, so an allowance on a token you no longer hold is dormant rather than harmless: it becomes live again the moment tokens of that kind arrive in the wallet. Several of the largest DeFi exploits in history have included wallet draining through existing approvals as a secondary attack vector. The risks of DeFi investing include not just protocol-level vulnerabilities but the approval trail left behind from previous interactions.
How to Check Your Active Approvals

Several free tools allow you to view all active token approvals for any Ethereum address. Revoke.cash is the most widely used: visit revoke.cash, connect your wallet (or type any address to view it), and it displays a complete list of active approvals organised by token and spender contract. Etherscan provides a Token Approval Checker (etherscan.io/tokenapprovalchecker) where you enter an address and see its live allowances. DeBank and Zerion also display active approvals as part of their portfolio dashboards. For Solana users, the equivalent mechanism is the SPL token delegate (an approve instruction that authorises a delegate on a token account, undone with revoke); the Phantom Wallet interface has begun including approval management features, and tools like Sol Incinerator close empty token accounts to reclaim rent, which is housekeeping rather than revocation. Always use reputable, well-established tools and check the domain character by character: fake approval checkers exist and are designed to steal your seed phrase or trick you into signing malicious transactions. A genuine revocation tool never asks for a seed phrase or a message signature; the only transactions it should ever ask you to sign are calls to approve with a zero amount (or setApprovalForAll with false) sent to the token contract itself.
Step-by-Step: Revoking an Approval on Revoke.cash

Visit revoke.cash. Connect your MetaMask or other EVM wallet using the “Connect Wallet” button. Select the network you want to check (Ethereum mainnet, Polygon, Arbitrum, etc. – check each chain separately, since allowances live in each chain’s copy of the token contract). The tool displays all active approvals for that address and chain. For each approval you want to revoke, click the “Revoke” button. This triggers a transaction in your wallet that sets the allowance to zero. Before you confirm, inspect what the wallet shows: the recipient should be the token contract (not the spender), the function approve, the spender the address you chose to revoke, and the amount 0; for an NFT collection it is setApprovalForAll with false. Anything else, and in particular a request to sign a message rather than a transaction, is not a revocation. You must pay a gas fee for each revocation (each one is an on-chain transaction). Confirm each revocation in your wallet. After the transaction confirms, the allowance is zero and the tool re-reads it from the chain.
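What a checker like the ones above does under the hood, and what the revoke step asks you to sign, as an added example that is not code from Revoke.cash, Etherscan or the page: it replays constructed ERC-20 Approval event logs (the shape eth_getLogs returns) to find the live allowances of one owner, builds the eth_call payload for allowance(owner, spender) that a tool uses to confirm each one, builds the approve(spender, 0) calldata of the revocation transaction, and checks a pending transaction against what a revocation must look like. The event topic and function selectors are the standard ERC-20 ones; the addresses and logs are made up for the example.

```python
# Added example, not code from Revoke.cash, Etherscan or the page: the core of an
# approval checker, run offline over constructed logs. Real tools fetch Approval
# events with eth_getLogs, then confirm each allowance with an eth_call.

MAX_UINT256 = 2**256 - 1

# keccak256("Approval(address,address,uint256)"): topics[0] of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
SEL_APPROVE = "095ea7b3"    # 4-byte selector of approve(address,uint256)
SEL_ALLOWANCE = "dd62ed3e"  # 4-byte selector of allowance(address,address)


def pad_address(addr):
    """ABI-encode an address as one 32-byte word (20 bytes, left-padded with zeros)."""
    return addr.lower().removeprefix("0x").rjust(64, "0")


def pad_uint(n):
    return f"{n:064x}"


def decode_approval(log):
    """Approval(owner indexed, spender indexed, value): addresses in topics, value in data."""
    owner = "0x" + log["topics"][1][-40:]
    spender = "0x" + log["topics"][2][-40:]
    return owner, spender, int(log["data"], 16)


def active_approvals(logs, owner):
    """Replay Approval logs in chain order; the last value per (token, spender) wins.
    Returns only non-zero allowances."""
    latest = {}
    for log in sorted(logs, key=lambda entry: (entry["blockNumber"], entry["logIndex"])):
        if log["topics"][0] != APPROVAL_TOPIC:
            continue
        log_owner, spender, value = decode_approval(log)
        if log_owner != owner.lower():
            continue
        latest[(log["address"].lower(), spender)] = value
    return {key: value for key, value in latest.items() if value > 0}


def allowance_calldata(owner, spender):
    """eth_call payload for token.allowance(owner, spender), the authoritative value.
    Needed because transferFrom lowers an allowance without always emitting Approval."""
    return "0x" + SEL_ALLOWANCE + pad_address(owner) + pad_address(spender)


def revoke_calldata(spender):
    """Calldata of the revocation transaction: approve(spender, 0), sent TO the token."""
    return "0x" + SEL_APPROVE + pad_address(spender) + pad_uint(0)


def check_revoke_tx(tx, token, spender):
    """The checks to make on the wallet prompt before confirming a 'revoke'."""
    data = tx["data"].lower().removeprefix("0x")
    if tx["to"].lower() != token.lower():
        return False, "transaction is not addressed to the token contract"
    if len(data) != 8 + 64 + 64 or data[:8] != SEL_APPROVE:
        return False, "calldata is not approve(address,uint256)"
    if data[8:32] != "0" * 24 or "0x" + data[32:72] != spender.lower():
        return False, "spender in calldata differs from the one being revoked"
    if int(data[72:], 16) != 0:
        return False, "amount is not zero: this would grant an allowance, not revoke one"
    return True, "ok"


# --- constructed sample data (hypothetical addresses, not real chain data) ------
OWNER = "0x" + "11" * 20
OTHER = "0x" + "22" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
DEX, OLD_FARM = "0x" + "d0" * 20, "0x" + "f0" * 20


def _log(block, idx, token, owner, spender, value):
    return {"address": token, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, "0x" + pad_address(owner), "0x" + pad_address(spender)],
            "data": "0x" + pad_uint(value)}


SAMPLE_LOGS = [  # deliberately out of order, as a paginated fetch might deliver them
    _log(200, 0, TOKEN_A, OWNER, OLD_FARM, 0),             # owner already revoked this one
    _log(100, 0, TOKEN_A, OWNER, DEX, MAX_UINT256),        # unlimited, still live
    _log(120, 3, TOKEN_A, OWNER, OLD_FARM, 500 * 10**18),  # exact, later revoked at block 200
    _log(150, 1, TOKEN_B, OWNER, OLD_FARM, MAX_UINT256),   # unlimited, to a long-abandoned protocol
    _log(210, 0, TOKEN_B, OTHER, DEX, MAX_UINT256),        # someone else's approval, ignored
]


def report(owner=OWNER, logs=SAMPLE_LOGS):
    """One row per live approval, with the revoke tx the wallet should be asked to sign."""
    rows = []
    for (token, spender), value in sorted(active_approvals(logs, owner).items()):
        rows.append({"token": token, "spender": spender,
                     "unlimited": value == MAX_UINT256,
                     "confirm_with": allowance_calldata(owner, spender),
                     "revoke_tx": {"to": token, "data": revoke_calldata(spender)}})
    return rows


if __name__ == "__main__":
    for row in report():
        print(row["token"], row["spender"], "UNLIMITED" if row["unlimited"] else "exact",
              "->", row["revoke_tx"])
```

Two points the code makes explicit. The event replay can overstate what is live, because a spend through transferFrom reduces the allowance without necessarily emitting Approval, so a tool should confirm every candidate with the allowance() call before showing it; and the revocation transaction is addressed to the token contract, not to the spender, which is the single most useful thing to check in the wallet prompt.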
Gas Fees and Batch Revoking

Each revocation is a call to approve(spender, 0) on one token contract, so an ordinary externally owned account needs one on-chain transaction per token and spender pair, each incurring gas. During periods of network congestion, this can make revoking dozens of approvals expensive. To minimise costs, revoke in batches during low-congestion periods (typically weekends or off-peak hours; check a gas tracker rather than guessing). Tools like Revoke.cash offer a batch revoke feature that queues the revocations for you; unless your wallet supports transaction batching (a smart-contract wallet or an account with EIP-7702 delegation), this still means one transaction per revocation, signed in sequence, rather than one combined transaction. Layer 2 networks like Arbitrum and Optimism have much lower gas fees, making revocations there significantly cheaper, and on Polygon the fees are minimal. The investment in revoking unnecessary approvals is almost always worthwhile given the potential cost of a wallet exploit.
Best Practices for Managing Approvals

Rather than accumulating approvals and periodically revoking them, adopt these habits to minimise your ongoing approval exposure. Approve exact amounts rather than unlimited amounts whenever possible: most wallets, including MetaMask, let you edit the spending cap before signing, and an exact approval caps the loss at that amount if the spender is later compromised. If a protocol only works with unlimited approval, be especially vigilant about using audited, established contracts and confirm that the spender address in the prompt is the protocol’s published contract, since approval phishing works by presenting a legitimate-looking site that requests an approval or permit signature for the attacker’s address. After completing your intended interaction with a protocol (for example, adding liquidity to a pool and later removing it), revoke the approval immediately. Set a calendar reminder to review your approvals monthly using Revoke.cash. For any protocol that is new, unaudited, or where you have concerns, consider using a separate “hot” wallet with minimal holdings specifically for experimental DeFi interactions, isolating risk from your main holdings.
Approvals After a Phishing or Exploit Incident

If you suspect your wallet has been compromised, first work out which kind of compromise it is, because the order of actions differs. If you approved or signed a permit for a malicious contract but your private key is still yours, revoke that approval immediately; you are racing an automated drainer, so acting within minutes can make the difference between losing some funds and losing everything, and revoking only helps while the allowance has not yet been used. If your seed phrase or private key has leaked (phishing for the phrase, malware, a fake wallet app), revoking is pointless, since the attacker can move anything directly without an allowance: transfer all remaining funds to a completely new wallet with a new seed phrase straight away, and never reuse the compromised one, even for gas. In either case, do the rest of your cleanup (revoking remaining approvals, moving assets) from a wallet you are sure is clean. The broader guidance on recovering from a crypto scam and what to do after a compromise is covered in our dedicated security guides.
Multi-Chain Approval Management

EVM chains including Ethereum, Polygon, Arbitrum, Optimism, Avalanche, and BNB Smart Chain all use the same ERC-20 allowance mechanism and can all be checked using tools like Revoke.cash by switching networks. If you have been active across multiple chains, check each one separately. An allowance is recorded in the token contract on one chain, so a compromised approval on one chain does not affect others; the same protocol address is often deployed on several chains, however, so an approval you remember granting on one of them may exist on the others too. Non-EVM chains like Solana use a different token account model, but Solana has its own delegate approvals on token accounts that should be reviewed and revoked using Solana-specific tools.
Key Takeaways

Token approvals grant smart contracts permission to spend your tokens until you revoke them (or, for an exact amount, until it is spent). Accumulated old approvals from past DeFi interactions represent ongoing security exposure, including on tokens you do not currently hold. Use Revoke.cash, Etherscan’s Token Approval Checker, or DeBank to view and revoke unnecessary approvals regularly, and verify that each revocation transaction is an approve of zero sent to the token contract. Revoke approvals as part of your post-interaction cleanup, especially for protocols you no longer use. During a security incident, revoke a malicious approval immediately if your key is intact, and move funds to a fresh wallet immediately if the key itself has leaked. Understanding approvals is inseparable from understanding how DeFi token permissions work, and both are core to responsible DeFi security practice.

WRITTEN & REVIEWED BY Chris Shepley

UPDATED: MARCH 2026