I’m always impressed by humanity’s capacity for thinking up new ways to do mean things to each other. So, did you know that bad guys are trying to steal your crypto? It turns out that a little-known feature of most DeFi wallets exposes users to the risk of attack. If that sounds alarming, it should.
Let’s identify, assess, and mitigate this threat.
What is a token allowance and how does it work?
Whenever you make a transaction from your DeFi wallet, you have to click “Confirm” to proceed. But what are you confirming? Most people would never think to look, but if you open the contract details you might be in for a shock.
Why do we need approval?
Each transaction requires that a smart contract has access to your wallet to spend the tokens you are investing or swapping. The token allowance is the maximum amount the smart contract has permission to spend from your wallet. Say you have $10,000 worth of DAI; you don’t want to let a small transaction have access to the whole amount. Well, take a look at the permissions being afforded to the smart contract when you click the confirm button. More often than not, the amount will be set to ‘Unlimited.’ Yikes!
It sounds worse than it is, but there’s still a significant risk, depending on which projects you interact with. In all situations when value is exchanged, there’ll be ingenious criminals hell-bent on subverting the process for their own gains. In an ecosystem as new and complex as smart contracts, there’ll always exist loopholes, backdoors, and weaknesses to exploit.
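To make the “what are you confirming?” question concrete, here is an added example (not code from the article or from any wallet) that decodes the calldata behind an ERC-20 approve() prompt and says whether it is unlimited. It is plain Node.js with no libraries; the only external fact it relies on is the approve(address,uint256) function selector, 0x095ea7b3. The spender address, balance and ceiling are constructed sample values.

```javascript
// Added example, not from the article: decode the calldata behind a wallet's
// "Confirm" prompt for an ERC-20 approve() and say whether it is unlimited.
// Plain Node.js; the only external fact used is the approve() selector,
// 0x095ea7b3 = first 4 bytes of keccak256("approve(address,uint256)").
const APPROVE_SELECTOR = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n; // 2^256 - 1, what wallets show as "Unlimited"

// Build approve(spender, amount) calldata; used here only to construct samples.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().slice(2).padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amt;
}

// Parse calldata; returns { spender, amount } or null if it is not approve().
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  // An address is 20 bytes, left-padded with 12 zero bytes in its 32-byte ABI word.
  if (!spenderWord.startsWith("0".repeat(24))) return null;
  return { spender: "0x" + spenderWord.slice(24), amount: BigInt("0x" + hex.slice(72)) };
}

// What the "Confirm" button is really granting, measured against the holder's
// balance and a ceiling the user has chosen. All amounts are raw token units.
function classifyApproval(amount, balance, ceiling) {
  if (amount === MAX_UINT256) return "UNLIMITED";
  if (amount > balance) return "EXCEEDS_BALANCE"; // covers tokens you receive later, too
  if (amount > ceiling) return "ABOVE_CEILING";
  return "BOUNDED";
}

// One-line verdict for a pending transaction.
function auditConfirm(calldata, balance, ceiling) {
  const d = decodeApprove(calldata);
  if (!d) return "not an approve() call";
  const howMuch = d.amount === MAX_UINT256 ? "everything, now and in future" : `${d.amount} units`;
  return `${classifyApproval(d.amount, balance, ceiling)}: ${d.spender} may spend ${howMuch}`;
}

// Constructed sample: a wallet holding 10,000 DAI (18 decimals) whose owner wants
// any single allowance capped at 500 DAI. The spender address is a placeholder.
const ONE = 10n ** 18n;
const SPENDER = "0x" + "ab".repeat(20);
const BALANCE = 10_000n * ONE;
const CEILING = 500n * ONE;
const UNLIMITED_CALL = encodeApprove(SPENDER, MAX_UINT256);
const BOUNDED_CALL = encodeApprove(SPENDER, 100n * ONE);

console.log(auditConfirm(UNLIMITED_CALL, BALANCE, CEILING));
console.log(auditConfirm(BOUNDED_CALL, BALANCE, CEILING));
```

Run it with `node` and compare the two verdicts: the first call grants 2^256 − 1 units, which is why the wallet prints ‘Unlimited’; the second is bounded to 100 DAI, so the most a misbehaving spender could ever take is 100 DAI.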
What’s the danger of unlimited token allowance?
During these nascent stages of DeFi, investing often involves sending money to a company you know nothing about. In a bid to get in early, yield farmers choose companies that might be a few weeks old at most. Allowing these anonymous service providers unlimited access to your tokens might well end in disaster.
The best-known case is the MEOW rug-pull. The UniCats project required users to deposit Uniswap tokens to start farming MEOW tokens. The smart contract requested unlimited allowance which nobody knew or cared about. People just clicked confirm as per usual. When the scammers eventually rug-pulled, they could access not only the staked funds but all the UNI tokens held in users’ wallets.
Another case of thievery happened with the aptly named Degen Money. Two approval transactions were coded into the smart contract. One for a legitimate address for the application, but the other for an illicit address that had been prepared to steal crypto. Nobody ever checked the addresses, so the extra one wasn’t spotted until it was too late.
Other cases of abuse center around developers inserting proxies, and code being copied and applied lazily by developers. There’s a great explanation by the man behind Revoke.cash. DeFi is new, unregulated, and there are plenty of bad people out there. So how do we protect ourselves?
How to check approval records?
There are several chain analysis tools designed to help you revoke any unnecessary permissions. They’re simple to use and do more or less the same thing for different blockchains and wallets. Some of these are sites built by kind-spirited individuals for no reward, other than the satisfaction of helping decentralized finance progress.
Apart from providing vaults for its yield farming, Beefy Finance has a revoke function. It automatically opened my Metamask browser extension wallet and asked me to click confirm. The tool displays, “Find & revoke all the addresses that can spend your tokens,” then gives you the option to revoke the unwanted permissions. It’s simple, free, and effective.
A free basic website enables wallet holders to revoke permissions on multiple blockchains, such as ETH, BSC, HECO, FTM, and MATIC.
The BSC Chain tool helps you to review and revoke token approvals for all your Dapps. You enter a wallet address and view the Dapps that have access to your tokens.
These guys are transparent enough to show their code on GitHub. This is important as you never know who’ll be the first to exploit this revoke issue. Someone will inevitably build a tool that purports to help you revoke unlimited allowances, then steals all your crypto. I wouldn’t put it past them!
From the TAC/Dappstar webpage, you can revoke permissions in the following wallets.
It’s an arms race. The good guys build something, then the bad guys hack it. The good guys fix the leak, but the bad guys are dreaming up new ways to get around these latest security updates. This is not necessarily a bad thing. It’s how security develops over time, indeed it inspired the entire enterprise of cryptography, to which we owe everything.
This could all be handled from within the wallet application. There should be a toggle next to each of your coins displaying whether it’s set to unlimited, or beyond a user-defined threshold. There’s also the challenge that revoking permission needs 5 to 15 minutes to take effect. If you are defending against a known crook, would it be possible for bad actors to be in and out of your wallet before you can reasonably stop them?
As DeFi continues to boom, so will the associated crime. There are exploits as yet unthought of that will require solutions. Who knows what scam I will be writing about next year? Until the DeFi sector is on a firmer foundation, we need to remain vigilant and meet each new challenge as it arises.
[One of the most aggravating parts of the whole debacle is turning the word ‘Rug’ into a verb. For example, you might now hear it said, “The latest meme coin staking platform was offering 80,000% APY, but just rug-pulled all its fanboys.” Expect to hear this, and worse, at dinner parties from now on.]
CaptainAltcoin’s writers and guest post authors may or may not have a vested interest in any of the mentioned projects and businesses. None of the content on CaptainAltcoin is investment advice nor is it a replacement for advice from a certified financial planner. The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of CaptainAltcoin.com.