When you use Web3 apps and protocols, you will first be asked to sign an “allowance” transaction. This is a spending limit that you set for smart contracts on DEXs like Uniswap and Matcha, or NFT marketplaces like Opensea, so they can use your funds to execute the trade.

Each time an allowance is given, an onchain transaction is submitted, which means you need to pay a gas fee. Many applications request that you make an unlimited approval once instead of every time you use the dApp or protocol, to make it cheaper. But that app is then permanently granted unrestricted access to your funds, which poses a security risk - even if you use a hardware wallet! 

Avoid allowance exploits altogether with Permit2 approvals in Matcha!

Enabling infinite allowances is risky, but it’s often the only way to get the job done. If one of the smart contracts you have approved gets exploited, the hackers will be able to spend any tokens you’ve previously granted access to. 

Revoking permissions and setting limited allowances is an essential practice which helps ensure the safety of your wallet and assets. There are various ways to revoke token approvals, so read on to learn how to stay safe!

Revoke allowances to prevent unauthorized spending

Knowing how to revoke allowances in your wallet is important, but the process is different from wallet to wallet. Some wallets now let you revoke smart contract permissions directly from the settings menu, but many wallets will only disconnect from the app without revoking the token approvals. Let’s explore how to revoke allowances using the most popular DeFi wallets. 

Note that revoking a contract costs gas. If you aren’t asked to sign a transaction and pay gas you are not revoking permissions, you are only disconnecting the app, which can still leave you vulnerable.

Revoke token permissions in Rainbow Wallet

To revoke approvals and allowances in Rainbow Wallet, you will need to use the browser extension:

1. Open your Rainbow wallet extension.
2. Press the three dots and select Settings from the dropdown.
3. Open the Approvals menu to see your approval history.
4. Click Revoke to review access for any individual contract and complete the process by pressing Revoke again. 

Revoke token allowances with Coinbase Wallet

With the Coinbase Wallet extension, the process of revoking token allowances connections is as follows: 

1. Open your Coinbase Wallet extension and click on Settings.
2. Choose the Wallet you want to revoke and then select Token Allowances.
3. Select a token allowance you’d like to revoke by clicking Revoke. 
4. Confirm the transaction and accept the network fee.

Coinbase’s blog also suggests using Revoke.cash for revoking smart contracts. Read more about this tool below.

Revoke smart contract allowances with Metamask

Metamask recently added a feature to Metamask Portfolio which allows you to revoke token allowances using the Spending cap tab on your Portfolio dashboard. This lets you see any open approvals and revoke them directly using your Metamask wallet.

1. Go to portfolio.metamask.io and connect your wallet.
2. Open the Spending Caps tab.
3. Choose an open allowance and click Revoke, then sign the transaction.

Another option for Metamask users is to use Metamask Snaps, plugins that allow you to extend the functionality of your Metamask wallet. One plugin available for this use case is Revoke Snap, which was built at the ETHWarsaw Hackathon specifically to allow users to revoke token allowances for smart contracts. As with third party apps above, it is likely safer to use the Portfolio Spending Cap feature instead. 

Revoke token allowances using third-party apps

Third-party tools such as Revoke.cash are also popular methods for revoking smart contract permissions. These tools focus on streamlining the process of revoking unlimited token approvals, and can be a useful alternative if your wallet doesn’t have its own revoke function built-in.

It is important to be wary when using these third-party tools, as they could easily be used in phishing attacks, or otherwise be compromised in a way that allows an attacker to grant new permissions instead of revoking them. 

Revoking smart contract approvals with Revoke.cash

To see a list of smart contract allowances you have approved, you can use the revoke.cash website, which also lets you filter by amounts and lets you individually revoke approvals. To revoke a smart contract approval on Revoke: 

1. Connect your wallet to see and filter your approvals. 
2. Click Revoke and sign the transaction with your wallet, to cancel token approvals for smart contracts you no longer use or have large amounts of tokens exposed to.

Revoke also keeps track of Web3 approval exploits that lets you check if you were exposed in a specific smart contract hack. 

While Revoke is a popular option to revoke smart contract token allowances, it was affected by a supply chain attack when the Ledger connect kit library was exploited. This vulnerability allowed an unauthorized party to publish a malicious version that affected hundreds of applications and asked users to sign malicious transactions. For that reason, you should always be cautious if using a third party service to manage contract approvals. 

Revoke allowances with Etherscan

Etherscan block explorer also has a token approvals tool available in Beta. By connecting your wallet, you can browse and revoke contract permissions and allowances.

1. Click Connect to Web3. 
2. Choose a token from the list and click Revoke to see details. 
3. Click Revoke again and sign the transaction using your wallet. 

Note that in testing, this tool only showed 1 active approval, compared to 5 on Revoke and 26 when checked directly through Rainbow Wallet. That means that even if you revoke contracts, it is best to double check on other apps that you have revoked every approval.

Other third-party apps to revoke allowances

With the rise of exploits affecting unlimited amart contract token approvals, many other third party tools have been built to make it easy to revoke allowances and prevent smart contracts from unauthorized spending of funds from your wallet. 

While they may not be inherently malicious, it is always advisable to exercise caution when interacting with any app, and only sign a transaction if you are absolutely certain that you know what it will do. 

Here is a list of other third-party services that offer similar services to Revoke:

• Unrekt (multiple networks)
• approved.zone (Ethereum mainnet)
• Cointool (multiple networks)
• beefy.finance (BSC/BNB Smart Chain)
• EverRevoke (multiple networks)

Does Permit2 prevent token allowance exploits?

Permit2 is a smart contract standard that addresses some of the challenges of wallet permissions and approvals to protect your crypto. Through Permit2, users only have to approve one smart contract that handles sub-approvals for other contracts. Approvals in this system typically come with expiry periods, eliminating manual revocation needs and thereby reducing risk. Additionally, Permit2 supports gasless approval for all tokens.

Permit2, however, also has its shortcomings. Multi-token approvals can make it more difficult for people to understand what they are signing up for, leaving them susceptible to phishing attacks. And although Permit2 approvals expire, tokens can still be spent without your permission during the time-limited-approval period. 

Paraswap’s Augustus exploit is an example of a DEX that had users' assets stolen after interacting with their V6 contract, where despite using Permit2, some approvals were still active at the time of the hack and were spent without users’ permission. Where Permit2 is implemented with time-based approvals, revoking allowances remains important for Web3 users. 

An alternative to this Permit2 implementation is to remove the time-based authorization entirely, and only allow for one-time approvals. Matcha on 0x v2 uses Permit2 in a specific configuration that only allows one-time approvals to keep funds safe at rest so they can not be spent without your explicit authorization.

Wallet security is improving

A lot of attention has been given to the issue of unlimited token allowances, and wallet companies are beginning to catch up with inbuilt features that allow you to revoke smart contract access. Even so, it can be costly to sign multiple revocation transactions and it remains too inconvenient for most casual Web3 users.

Permit2 solves some but not all of the issues related to smart contract allowances. A more strict implementation of Permit2 with one-time allowances instead of time-based allowances may help protect the billions of dollars of tokens which are currently exposed. 

Users will always need to take steps to ensure the safety of their wallets, but it is only as an industry led by user-first design that we will be able to progress and make crypto safe and convenient. New tools and methods of revoking access have been developed to keep your funds safe, and Matcha is leading the way with security innovations in Permit2 and AllowanceHolder, helping eradicate these types of exploits entirely.