Token approval: the Achilles heel of your cryptocurrencies

Be careful with your cryptocurrencies – it would never occur to you to grant someone the right to draw on your bank account for an unlimited period, would it? And yet that is literally what you do when you use token approval without understanding how it works. And even your Ledger can't protect you from it!

Approval (token approval) is a mechanism for giving a third party permission to transfer your tokens. Unfortunately, it can also pave the way for scams and significant financial losses if you don't fully understand how it works. In this article we look at how token approval works and how to use it safely when transferring your digital assets. Stay vigilant, because the security of your tokens depends on your understanding of this kind of mechanism.


What is token approval and why use it?

ERC20, ERC721 and ERC1155 are token standards, created to define a common interface for digital assets.

As a reminder, ERC20 tokens are fungible tokens, while ERC721 and ERC1155 tokens are non-fungible (semi-fungible in the case of ERC1155).

All three standards were designed with the mechanism we examine today: approval.

Token approval allows a user to give another address permission to transfer some of their tokens. This is useful in several scenarios: for example, you may want to authorize a friend to move your tokens on your behalf, or authorize an application (decentralized or not) to use your tokens to carry out transactions.

Note that this mechanism only exists for tokens issued on a blockchain, not for the blockchain's native coin. For example, ether on Ethereum has no approval mechanism, which is why some applications use wrapped ether (wETH) to benefit from such a tool.


Approval is performed directly on the contract that issues the token. For example, if you want an address to have access to your USDC, you must call the USDC token contract to grant the approval.

You will find two different functions depending on the type of contract. Here is the table showing which standard has which function:

Standard   approve   setApprovalForAll
ERC20      ✓         🚫
ERC721     ✓         ✓
ERC1155    🚫        ✓
Presence of approval functions by standard.

The approve function lets holders of ERC20 and ERC721 tokens authorize another address (usually a contract) to spend a specific amount of tokens or a specific NFT.

The “approve” function of ERC20 and ERC721:

For ERC20, approve takes two parameters: the spender, i.e. the address that will have access to your tokens, and the amount, i.e. the quantity of tokens you want to authorize.

Applications that use ERC20 approval tend to request a huge amount so that they don't have to ask you for a new approval before each transaction.

[Image: the public “approve” function from OpenZeppelin's ERC20 implementation] “Approve” function of the ERC20 standard – Source: github @openzeppelin

For ERC721, approve again takes as its first parameter the address that will have access to the NFT, but this time the second parameter is the token ID of your NFT. It therefore grants access to a single NFT of the contract, provided that NFT is yours.

[Image: the “approve” function from OpenZeppelin's ERC721 implementation, which grants access to one specific NFT] “Approve” function of the ERC721 standard – Source: github @openzeppelin

The “setApprovalForAll” function of ERC721 and ERC1155:

The setApprovalForAll function is present for ERC721 and ERC1155 tokens.

The parameters are identical for both standards: the first is again the address that will receive access, and the second is this time a boolean (true or false) that defines whether that address has rights over your tokens.

As its name suggests, this function grants rights over all the NFTs of the same contract held in your wallet.

[Image: the “setApprovalForAll” function from OpenZeppelin's ERC721 and ERC1155 implementations, which grants access to all your tokens / NFTs in one transaction] “setApprovalForAll” approval function of the ERC721 and ERC1155 standards – Source: github @openzeppelin

And what are the risks for your cryptocurrencies?

There are many risks related to token approval.

First, a malicious third party may obtain authorization to access your tokens, typically via a fraudulent application, and transfer them without your consent. To limit this risk, it is very important to read the transactions you are about to sign. Quite often your wallet will tell you that an approval is being requested; it is up to you to judge whether that is expected or not.
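Reading an approval request means looking at what the calldata actually grants. The following added Python decoder (not code from the article or from any wallet) parses the two approval functions covered here and flags unlimited allowances and operator approvals; the selectors are the standard 4-byte function ids, and the sample transactions and spender address are constructed.

```python
# Minimal decoder for approval calldata (constructed example, not from the
# article). The 4-byte selectors are the standard ones for
# approve(address,uint256) and setApprovalForAll(address,bool).
UINT256_MAX = 2**256 - 1
SELECTORS = {
    "095ea7b3": "approve",
    "a22cb465": "setApprovalForAll",
}

def decode_approval(calldata_hex):
    """Return a dict describing the approval, or None if this is not one."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    func = SELECTORS.get(data[:4].hex())
    if func is None or len(data) != 4 + 2 * 32:   # selector + two 32-byte words
        return None
    # ABI encoding: an address is the low 20 bytes of its 32-byte word;
    # uint256 and bool both occupy the full second word, big-endian.
    spender = "0x" + data[16:36].hex()
    value = int.from_bytes(data[36:68], "big")
    if func == "approve":
        return {"function": func, "spender": spender, "amount": value,
                "unlimited": value == UINT256_MAX, "revocation": value == 0}
    return {"function": func, "operator": spender,
            "approved": value == 1, "revocation": value == 0}

def risk_note(calldata_hex):
    """One-line verdict a wallet user would want before signing."""
    d = decode_approval(calldata_hex)
    if d is None:
        return "not an approval call"
    if d["revocation"]:
        return "revocation: safe"
    if d.get("unlimited"):
        return "UNLIMITED allowance: spender can move your whole balance, now and later"
    if d["function"] == "setApprovalForAll":
        return "operator approval: spender can move ALL your NFTs in this contract"
    return f"allowance of {d['amount']} token units"

# Constructed sample transactions; the spender address is a placeholder.
SPENDER = "11" * 20
UNLIMITED_APPROVE = "0x095ea7b3" + "00" * 12 + SPENDER + "ff" * 32
REVOKE_APPROVE = "0x095ea7b3" + "00" * 12 + SPENDER + "00" * 32
SET_ALL_TRUE = "0xa22cb465" + "00" * 12 + SPENDER + "00" * 31 + "01"
```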

In addition, apps that request huge approval amounts can potentially drain your wallet if they are hacked. Indeed, an approval is permanent: it remains active until you revoke it.

For example, say you authorize a protocol to transfer ten thousand dollars' worth of USDT. The protocol uses a thousand dollars. You then decide to empty your wallet by withdrawing the remaining nine thousand dollars. If one day you put USDT back in your wallet, even in 10 years, the protocol will still have access to nine thousand dollars of your funds.


To protect yourself, first check the transactions you are going to sign and read approval requests carefully.

It is also advisable to revoke approvals you no longer use, and to grant permissions only to trusted people or apps.

But how do you revoke these permissions? There is only one way: reuse the same functions seen above.

By default, platforms use setApprovalForAll for ERC721 and ERC1155 tokens, and approve with a huge amount for ERC20 tokens. This lets them ask for your approval only once. To revoke these approvals, simply do the reverse operation, namely:

For ERC721 / ERC1155:

Call setApprovalForAll with the protocol's (or person's) address as the first parameter and false as the second, to withdraw the approval.

For ERC20:

Call approve with the protocol's (or person's) address as the first parameter and zero as the amount for the second; this completely revokes access to your tokens.
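The USDT scenario earlier in the article, and the approve-with-zero revocation just described, replayed with an added Python model of ERC20 balances and allowances (example code, not from the article or from any token contract; the account names and dollar amounts are constructed).

```python
from collections import defaultdict

class Erc20Model:
    """In-memory stand-in for an ERC20 contract: balances plus the
    (owner, spender) -> allowance mapping that approve() writes to."""
    def __init__(self):
        self.balance = defaultdict(int)
        self.allowance = defaultdict(int)

    def mint(self, to, amount):
        self.balance[to] += amount

    def approve(self, owner, spender, amount):
        # approve() overwrites the allowance, so approve(spender, 0) revokes it.
        self.allowance[(owner, spender)] = amount

    def transfer(self, sender, to, amount):
        if self.balance[sender] < amount:
            raise ValueError("insufficient balance")
        self.balance[sender] -= amount
        self.balance[to] += amount

    def transfer_from(self, spender, owner, to, amount):
        # The spender needs both an allowance and an owner balance to cover it.
        if self.allowance[(owner, spender)] < amount:
            raise PermissionError("allowance exceeded")
        self.allowance[(owner, spender)] -= amount
        self.transfer(owner, to, amount)

def replay_scenario(revoke=False):
    """Replays the article's USDT example (constructed amounts, in dollars).
    Returns (allowance the protocol still holds when you re-deposit,
             amount the protocol can then pull out of your wallet)."""
    t = Erc20Model()
    you, protocol, exchange = "you", "protocol", "exchange"   # placeholder accounts
    t.mint(you, 10_000)
    t.approve(you, protocol, 10_000)                 # the approval you signed
    t.transfer_from(protocol, you, protocol, 1_000)  # the protocol uses $1,000
    t.transfer(you, exchange, 9_000)                 # you empty your wallet
    if revoke:
        t.approve(you, protocol, 0)                  # the fix: approve(spender, 0)
    t.transfer(exchange, you, 9_000)                 # years later, you re-deposit
    remaining = t.allowance[(you, protocol)]
    try:
        t.transfer_from(protocol, you, protocol, 9_000)
        pulled = 9_000
    except PermissionError:
        pulled = 0
    return remaining, pulled
```

Without the revocation the stale allowance of 9,000 survives the empty-wallet period and the protocol can pull the whole re-deposit; after approve(spender, 0) it can pull nothing.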

A tip: if you don't know who you have already given approvals to, this site lets you identify them and perform revocations directly from its application. Doing this regularly is good digital hygiene.

In conclusion, token approval can be a very useful mechanism for transferring your cryptocurrencies securely, but it is important to understand the risks that come with it. To protect yourself, it is crucial to check carefully the transactions you sign, to grant permissions only to trusted people or apps, and to revoke approvals you no longer use. With a good understanding of token approval and responsible use of this feature, you can reap the full benefits of blockchain and all its applications.

Don't skimp on caution! To keep your cryptocurrencies safe, the best solution remains a personal hardware wallet. At Ledger there is something for every profile and every crypto. Don't wait to secure your capital (commercial link)!
