Every time you interact with a DeFi protocol, you typically approve the smart contract to spend tokens on your behalf. Most protocols request 'unlimited' approval by default — meaning the contract can spend your entire token balance forever, even after your transaction is done. If that contract is later exploited, the attacker can drain your approved tokens without any further interaction from you. This has happened repeatedly: the Multichain exploit, BadgerDAO hack, and numerous smaller incidents involved attackers using existing approvals to steal funds from wallets that hadn't interacted with the protocol in months.
Revoke.cash is the standard tool for checking and revoking token approvals. Visit revoke.cash, connect your wallet, and the tool scans all your approvals across supported chains. Each approval shows the token, the spender contract, the approved amount, and a risk assessment. Click 'Revoke' next to any approval you want to remove — this submits a transaction setting the approval to zero. Focus on revoking approvals for: protocols you no longer use, contracts you don't recognize, unlimited approvals on high-value tokens, and any contracts flagged as high-risk. Each revocation costs a small gas fee, so prioritize the highest-risk approvals first.
The best defense is limiting approvals from the start. When MetaMask shows an approval popup, click 'Edit Permission' and set a custom spending cap equal to the amount you're actually transacting — not the unlimited default. This means you'll need to re-approve for future transactions, but limits your exposure if the contract is compromised. Some wallets like Rabby automatically warn you about unlimited approvals and suggest reasonable limits. Use separate wallets for different risk levels: a 'DeFi active' wallet with limited funds and a 'vault' wallet with your main holdings that rarely approves anything.
Make approval hygiene a monthly habit. Set a calendar reminder to visit Revoke.cash and review your outstanding approvals. After every DeFi session, consider immediately revoking approvals for the contracts you just used — the gas cost is negligible compared to the potential loss from a compromised approval. Track which protocols you have active approvals with and monitor them for security incidents. If a protocol you've approved gets hacked (even if you haven't lost funds yet), revoke its approval immediately. This routine takes 10 minutes monthly and eliminates one of the most common attack vectors in DeFi.
When you use a DEX or DeFi protocol for the first time, it asks you to approve spending your tokens. Most dApps request unlimited approval by default — meaning the smart contract can spend an infinite amount of that token from your wallet forever, even after you finish the transaction. This is convenient because you do not need to re-approve each time, but it creates a persistent vulnerability. If the contract is later exploited or turns malicious, the attacker can drain the approved tokens from your wallet without any further action from you. Revoking approvals removes this standing permission.
Revoke.cash is the most comprehensive multi-chain revocation tool, supporting Ethereum, Arbitrum, Polygon, Base, Optimism, and dozens of other EVM networks. Connect your wallet, select the chain, and see a list of every active approval with the approved amount and spender contract. Click Revoke on any approval you no longer need — each revocation costs a small gas fee. Alternatively, MetaMask now includes built-in approval management under the account menu. For Solana, use the token approval revocation feature in Phantom wallet settings. The cost per revocation is minimal — typically under a dollar on Layer 2 networks.
The best practice is to set exact approval amounts rather than unlimited when interacting with dApps. In MetaMask, you can edit the approval amount during the approval transaction. If you are swapping one hundred USDC, approve exactly one hundred instead of unlimited. Schedule a monthly audit of your approvals using Revoke.cash — review every active approval and revoke any for protocols you no longer use. Be especially vigilant about revoking approvals on unfamiliar or experimental protocols, and always revoke immediately if a protocol you have used announces a security incident.
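Both this paragraph and the earlier one on MetaMask's 'Edit Permission' come down to a single contract call: the wallet's Approve, Edit Permission and Revoke buttons all send `approve(spender, amount)` to the token contract, and only the amount word differs. The following Python is an added example, not code from the article, Revoke.cash or any wallet; it encodes and decodes that call offline so you can see exactly what an unlimited approval, an exact cap and a revocation look like on the wire. The router address and token amounts are constructed placeholders, and the `total_supply` threshold is this example's own policy choice for "effectively unlimited".

```python
# Added example, not part of the original article: what an ERC-20 approval
# transaction actually carries. Pure Python, runs offline, no RPC needed.
from typing import Optional

# Function selectors are the first 4 bytes of keccak256(signature). These are
# the standard ERC-20 values, written as constants so no hashing library is needed.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")    # approve(address,uint256)
ALLOWANCE_SELECTOR = bytes.fromhex("dd62ed3e")  # allowance(address,address)
UINT256_MAX = 2**256 - 1                        # the usual "unlimited" amount


def _word_from_address(addr: str) -> bytes:
    """ABI-encode an address: 20 bytes, left-padded to a 32-byte word."""
    raw = bytes.fromhex(addr[2:] if addr.startswith("0x") else addr)
    if len(raw) != 20:
        raise ValueError("address must be exactly 20 bytes")
    return raw.rjust(32, b"\x00")


def _word_from_uint(value: int) -> bytes:
    """ABI-encode a uint256 as a big-endian 32-byte word."""
    if not 0 <= value <= UINT256_MAX:
        raise ValueError("value outside uint256 range")
    return value.to_bytes(32, "big")


def encode_approve(spender: str, amount: int) -> str:
    """Calldata for token.approve(spender, amount); amount 0 is a revoke."""
    return "0x" + (APPROVE_SELECTOR + _word_from_address(spender) + _word_from_uint(amount)).hex()


def encode_allowance_query(owner: str, spender: str) -> str:
    """Calldata for the read-only token.allowance(owner, spender) call, the
    on-chain value a wallet or revocation tool displays."""
    return "0x" + (ALLOWANCE_SELECTOR + _word_from_address(owner) + _word_from_address(spender)).hex()


def decode_approve(calldata: str, total_supply: Optional[int] = None) -> dict:
    """Parse approve() calldata and classify the amount.

    0 is a revoke; exactly 2**256-1 is unlimited; an amount at or above the
    token's total supply (when given) is effectively unlimited and gets the
    same label; everything else is a capped approval.
    """
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if data[:4] != APPROVE_SELECTOR or len(data) != 68:
        raise ValueError("not an approve(address,uint256) call")
    spender = "0x" + data[16:36].hex()       # last 20 bytes of the first word
    amount = int.from_bytes(data[36:68], "big")
    if amount == 0:
        kind = "revoke"
    elif amount == UINT256_MAX or (total_supply is not None and amount >= total_supply):
        kind = "unlimited"
    else:
        kind = "capped"
    return {"spender": spender, "amount": amount, "kind": kind}


if __name__ == "__main__":
    # Constructed values: a placeholder router address and a USDC-style
    # 6-decimal token. Real addresses come from the wallet prompt, not from here.
    router = "0x" + "ab" * 20
    print("dApp default:", decode_approve(encode_approve(router, UINT256_MAX)))
    # "Edit Permission" down to the trade size: 100 USDC = 100 * 10**6 base units
    print("capped:      ", decode_approve(encode_approve(router, 100 * 10**6)))
    # "Revoke": the same call with amount zero
    print("revoke:      ", decode_approve(encode_approve(router, 0)))
```

Pasting the output of `encode_approve` into a wallet's raw transaction view, or comparing it against the hex data MetaMask shows under the approval popup's data tab, is a quick way to confirm the cap you typed is the one being sent. Note that some dApps use values other than `2**256-1` for "unlimited", which is why the decoder also accepts a supply-based threshold.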
Each revocation is an on-chain transaction that costs gas. On Ethereum mainnet, this might cost two to five dollars per revocation. On Layer 2 networks like Arbitrum or Base, it costs less than a penny. If you have many approvals to revoke, consider doing it during low-congestion periods or on Layer 2 networks where the cost is negligible.
Token approvals apply only to ERC-20 tokens, not to your native ETH balance. A malicious approval can drain your USDC, USDT, WETH, or any other token you have approved, but cannot touch your ETH directly. However, off-chain signatures can still authorize transfers: an eth_sign request can sign arbitrary data, including a transaction that moves ETH, and a Permit2 signature grants token spending with no approval transaction at all, so always read what you are signing carefully.
A monthly review is a good habit for active DeFi users. Check after using any new or experimental protocol. Revoke immediately after hearing about a hack or exploit on any protocol you have approved. Many security-conscious users revoke approvals as soon as they finish a transaction rather than leaving them open, accepting the minor inconvenience of re-approving next time.
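The monthly audit recommended here, in the earlier "approval hygiene" paragraph and in the "schedule a monthly audit" advice is what Revoke.cash does for you; the following Python is an added example (not the article's code and not how Revoke.cash is implemented) of doing the same fold yourself from ERC-20 `Approval` event logs in the shape `eth_getLogs` returns. It keeps the newest approval per (token, spender), drops revoked ones, and ranks what is left with unlimited, unrecognized and stale approvals first. The logs, addresses and the "stale after N blocks" policy are all constructed for the example; the topic hash is the standard ERC-20 one.

```python
# Added example, not part of the original article: an offline approval audit
# over ERC-20 Approval event logs. All sample logs below are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1


def _topic(addr: str) -> str:
    """Indexed address as it appears in a log topic: left-padded 32-byte word."""
    return "0x" + "00" * 12 + addr[2:].lower()


def _address_from_topic(topic: str) -> str:
    return "0x" + topic[-40:]


@dataclass
class Allowance:
    token: str
    spender: str
    amount: int
    block: int  # block of the approve() that set the current value


def fold_approvals(logs: List[dict], owner: str) -> Dict[Tuple[str, str], Allowance]:
    """Latest non-zero Approval per (token, spender) for owner.

    approve() overwrites rather than increments, so the newest event per pair
    is the last value set on-chain. Spending via transferFrom lowers the
    allowance without always emitting Approval, so the result is an upper
    bound: confirm with an allowance() call before acting on a non-zero entry.
    """
    state: Dict[Tuple[str, str], Allowance] = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares this topic hash but indexes tokenId as a 4th topic
        if topics[0] != APPROVAL_TOPIC or len(topics) != 3:
            continue
        if _address_from_topic(topics[1]) != owner.lower():
            continue
        spender = _address_from_topic(topics[2])
        key = (log["address"].lower(), spender)
        state[key] = Allowance(key[0], spender, int(log["data"], 16), log["blockNumber"])
    return {k: v for k, v in state.items() if v.amount > 0}


def rank_for_revocation(allowances: Dict[Tuple[str, str], Allowance], current_block: int,
                        stale_after: int, known_spenders: FrozenSet[str] = frozenset()
                        ) -> List[Tuple[Allowance, List[str]]]:
    """Order outstanding allowances by number of risk flags, most flags first."""
    ranked = []
    for a in allowances.values():
        reasons = []
        if a.amount == UINT256_MAX:
            reasons.append("unlimited")
        if a.spender not in known_spenders:
            reasons.append("unrecognized spender")
        if current_block - a.block > stale_after:
            reasons.append("stale")
        ranked.append((a, reasons))
    ranked.sort(key=lambda r: (-len(r[1]), r[0].block))
    return ranked


# Constructed sample data: placeholder addresses, not real contracts.
OWNER = "0x" + "aa" * 20
TOKEN_A, TOKEN_B = "0x" + "01" * 20, "0x" + "02" * 20
SPENDER_X, SPENDER_Y, SPENDER_Z = "0x" + "10" * 20, "0x" + "20" * 20, "0x" + "30" * 20


def _log(token, owner, spender, amount, block, index, extra_topics=()):
    return {"address": token, "blockNumber": block, "logIndex": index,
            "topics": [APPROVAL_TOPIC, _topic(owner), _topic(spender), *extra_topics],
            "data": "0x" + format(amount, "064x")}


SAMPLE_LOGS = [
    _log(TOKEN_A, OWNER, SPENDER_X, UINT256_MAX, 100, 0),   # unlimited approval...
    _log(TOKEN_A, OWNER, SPENDER_X, 0, 200, 3),             # ...revoked later, so dropped
    _log(TOKEN_B, OWNER, SPENDER_Y, 100 * 10**6, 150, 1),   # capped approval, still open
    _log(TOKEN_A, OWNER, SPENDER_Z, UINT256_MAX, 300, 2),   # unlimited, still open
    _log(TOKEN_A, "0x" + "bb" * 20, SPENDER_Z, UINT256_MAX, 310, 0),        # another wallet
    _log(TOKEN_A, OWNER, SPENDER_Z, 7, 320, 0, extra_topics=(_topic(SPENDER_Z),)),  # ERC-721 shape
]

if __name__ == "__main__":
    open_allowances = fold_approvals(SAMPLE_LOGS, OWNER)
    for a, why in rank_for_revocation(open_allowances, current_block=5000,
                                      stale_after=1000, known_spenders=frozenset({SPENDER_Y})):
        print(a.token, a.spender, "unlimited" if a.amount == UINT256_MAX else a.amount, why)
```

In practice you would feed it the result of `eth_getLogs` filtered on `APPROVAL_TOPIC` with your address in the second topic, then verify each surviving entry with an `allowance()` call before spending gas on a revoke; the ranking mirrors the article's priority order, so the top of the list is what to revoke first when gas is a constraint.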