What is smart contract approval?
When users interact with a smart contract, the contract often asks for approval to spend certain tokens.
More precisely, when swapping LINK for USDT on Uniswap, users need to approve Uniswap’s smart contract to access their LINK, so that the contract is authorized to transfer a certain amount of LINK from the user’s account. Users can customize the authorized amount; the maximum is unlimited.
Every time the approved contract transfers tokens out, the corresponding amount is deducted from the allowance remaining in the user’s account. When the remaining allowance is less than the amount the user needs to sell, approval is required again.
Why is smart contract approval risky?
As mentioned above, once the contract is approved, it can transfer the corresponding tokens out of your account directly without any further use of your private key (the approval itself was already signed with the user’s private key). The specific token amount and the timing of such transfers depend on how the smart contract code is written.
If the smart contract contains malicious code, for example if the contract can be controlled by a super administrator account, that account can take the authorized tokens from your account at any time.
Apart from top Dapps such as AAVE and Compound, it is difficult for users to tell which of the numerous Dapps contain malicious code. What makes it worse is that users usually grant smart contracts an unlimited authorized token amount for their own convenience, which leads directly to security risks.
How to deal with smart contract approval risks?
- Learn to approve smart contracts correctly. Grant unlimited approval only to contracts that you absolutely trust and use frequently. For newly launched Dapps, we recommend approving only the required token amount each time, for the sake of security.
- Clean up your approval history, or directly transfer the remaining assets to a new account.
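The following is an added example, not code from Go Pocket, Uniswap or any real token contract. It models the ERC-20 approve / transferFrom / allowance mechanics described above in plain JavaScript (BigInt arithmetic, in-memory balances), then runs the wallet-side checks the recommendations call for: an exact approval is consumed and must be renewed, an unlimited approval is never consumed, and an audit lists every spender still holding an allowance so it can be reduced or revoked. The account and spender names ("alice", "uniswapRouter", "unknownDapp") and the token amounts are constructed for illustration.

```javascript
// Maximum uint256 value; wallets use it to mean "unlimited" approval.
const MAX_UINT256 = (1n << 256n) - 1n;

// Minimal in-memory model of an ERC-20 token's approval state (constructed, not a real contract).
class Erc20Model {
  constructor(symbol) {
    this.symbol = symbol;
    this.balances = new Map();    // owner -> bigint balance
    this.allowances = new Map();  // owner -> Map(spender -> bigint allowance)
  }
  mint(owner, amount) { this.balances.set(owner, this.balanceOf(owner) + amount); }
  balanceOf(owner) { return this.balances.get(owner) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(owner)?.get(spender) ?? 0n; }

  // approve(): the owner signs once; afterwards `spender` may move up to `amount`
  // of the owner's tokens with no further signature. Note it SETS, not adds.
  approve(owner, spender, amount) {
    if (!this.allowances.has(owner)) this.allowances.set(owner, new Map());
    this.allowances.get(owner).set(spender, amount);
  }

  // transferFrom(): called by the spender (the Dapp's contract), not the owner.
  transferFrom(spender, owner, to, amount) {
    const allowed = this.allowance(owner, spender);
    if (allowed < amount) throw new Error(`${this.symbol}: insufficient allowance`);
    if (this.balanceOf(owner) < amount) throw new Error(`${this.symbol}: insufficient balance`);
    // Common implementations (e.g. OpenZeppelin's ERC20) treat MAX_UINT256 as
    // unlimited and never decrement it, so the spender's access never runs out.
    if (allowed !== MAX_UINT256) this.approve(owner, spender, allowed - amount);
    this.balances.set(owner, this.balanceOf(owner) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

// Wallet-side audit: every spender still holding a non-zero allowance, with unlimited ones flagged.
function auditAllowances(token, owner) {
  const result = [];
  for (const [spender, amount] of token.allowances.get(owner) ?? []) {
    if (amount > 0n) result.push({ spender, amount, unlimited: amount === MAX_UINT256 });
  }
  return result;
}

// "Clean up your approval history": set every outstanding allowance back to zero.
function revokeAll(token, owner) {
  for (const { spender } of auditAllowances(token, owner)) token.approve(owner, spender, 0n);
}

function failed(fn) { try { fn(); return false; } catch { return true; } }

// Walk through the scenarios from the text and return the observable outcomes.
function scenario() {
  const link = new Erc20Model("LINK");
  link.mint("alice", 100n);

  // 1. Exact approval: consumed by one swap, so the next swap needs a fresh approval.
  link.approve("alice", "uniswapRouter", 10n);
  link.transferFrom("uniswapRouter", "alice", "uniswapPool", 10n);
  const afterExactSpend = link.allowance("alice", "uniswapRouter");
  const secondSpendFailed = failed(() =>
    link.transferFrom("uniswapRouter", "alice", "uniswapPool", 1n));

  // 2. Unlimited approval to a newly launched Dapp: the allowance never shrinks,
  //    so whoever controls that contract keeps access to the whole balance.
  link.approve("alice", "unknownDapp", MAX_UINT256);
  link.transferFrom("unknownDapp", "alice", "dappTreasury", 5n);
  const afterUnlimitedSpend = link.allowance("alice", "unknownDapp");

  // 3. Audit, then revoke: after clean-up the Dapp can no longer move anything.
  const auditBeforeRevoke = auditAllowances(link, "alice");
  revokeAll(link, "alice");
  const auditAfterRevoke = auditAllowances(link, "alice");
  const spendAfterRevokeFailed = failed(() =>
    link.transferFrom("unknownDapp", "alice", "dappTreasury", 1n));

  return { afterExactSpend, secondSpendFailed, afterUnlimitedSpend,
           auditBeforeRevoke, auditAfterRevoke, spendAfterRevokeFailed,
           aliceBalance: link.balanceOf("alice") };
}

console.log(scenario());
```

The audit is the same information a wallet's approval manager shows: it only needs the token's `allowance(owner, spender)` values for the spenders you have interacted with, and revocation is simply another `approve` with an amount of zero signed by the owner.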
Go Pocket smart contract approval management feature will be RELEASED soon
Through the contract approval management feature in Go Pocket, you can view which Dapp has been approved for which tokens and in what quantities, and cancel a smart contract approval or reduce the authorized token amount directly from your crypto wallet.
For ease of use, or without fully understanding the consequences, users usually set an unlimited authorized token amount for a smart contract, and this is precisely where the security risk lies.