Independent review. This site is not the official website and is not affiliated with, endorsed by, or operated by the wallet vendor reviewed here. Never enter your seed phrase or private keys on any third-party site.

Token Allowances & Revoke Approvals in MetaMask: How and Why


What is a token allowance? (quick primer)

A token allowance (an ERC-20 pattern) is an on-chain mapping that tells a token contract how many tokens a specific spender address may move using transferFrom. When you sign an "approve" call, you are updating that mapping: approve(spender, amount). Think of it like handing someone a signed cheque (but on-chain).

Under the hood it's simple: the token contract stores allowances[owner][spender] = amount. Many dApps ask for an unlimited token allowance (MAX_UINT256) to avoid repeated approve transactions. That saves you a signature later — but it also widens the attack surface. I've been using different workflows for months and, in my experience, unlimited allowances are the single most common mistake people make when using DeFi daily.
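An added example (not code from this guide or from any token contract) that models the allowances[owner][spender] bookkeeping described above in plain JavaScript. The account names are hypothetical, and leaving a MAX_UINT256 allowance undecremented on use is an assumption modelled on a common implementation choice.

```javascript
const MAX_UINT256 = (1n << 256n) - 1n;

// In-memory model of ERC-20 balances and allowances (illustrative, not a real token).
class TokenModel {
  constructor() {
    this.balances = new Map();   // owner -> balance
    this.allowances = new Map(); // "owner:spender" -> approved amount
  }
  balanceOf(owner) { return this.balances.get(owner) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}:${spender}`) ?? 0n; }
  mint(owner, amount) { this.balances.set(owner, this.balanceOf(owner) + amount); }

  // approve overwrites the stored value; approve(spender, 0) is a revoke.
  approve(owner, spender, amount) { this.allowances.set(`${owner}:${spender}`, amount); }

  // transferFrom is called by the spender and is bounded by allowance and balance.
  transferFrom(spender, owner, to, amount) {
    const allowed = this.allowance(owner, spender);
    if (allowed < amount) throw new Error("insufficient allowance");
    if (this.balanceOf(owner) < amount) throw new Error("insufficient balance");
    // Assumption: an "infinite" allowance is left untouched when spent.
    if (allowed !== MAX_UINT256) this.approve(owner, spender, allowed - amount);
    this.balances.set(owner, this.balanceOf(owner) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

// Tokens the spender could move right now: min(allowance, balance).
function exposure(token, owner, spender) {
  const a = token.allowance(owner, spender);
  const b = token.balanceOf(owner);
  return a < b ? a : b;
}

// Compare an exact approval with an unlimited one for the same 100-token action.
function demo() {
  const t = new TokenModel();
  t.mint("alice", 1000n);
  t.approve("alice", "dapp", 100n);
  t.transferFrom("dapp", "alice", "pool", 100n);
  const exact = exposure(t, "alice", "dapp");        // allowance fully consumed
  t.approve("alice", "dapp", MAX_UINT256);
  t.transferFrom("dapp", "alice", "pool", 100n);
  const unlimited = exposure(t, "alice", "dapp");    // whole remaining balance
  t.mint("alice", 5000n);                            // later deposit is exposed too
  const afterDeposit = exposure(t, "alice", "dapp");
  t.approve("alice", "dapp", 0n);                    // revoke
  return { exact, unlimited, afterDeposit, afterRevoke: exposure(t, "alice", "dapp") };
}
```

The exposure figure tracks the wallet balance for as long as the unlimited allowance stands, which is why tokens received after the approval are covered by it as well.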

Why revoke approvals? Risks and trade-offs

Why should you revoke a token approval? Because any contract with a positive allowance can call transferFrom and move your tokens (within the approved amount). If the dApp or the aggregator has a bug, or if the dApp's private key is compromised, your allowance can be abused. (Yes — this happens.)

Trade-offs:

  • Convenience: unlimited allowances avoid repeated approve txs. Good for frequent traders.
  • Security: more allowance = more risk. Less allowance reduces the attack surface.

So when should you act? Revoke approvals if you no longer use a dApp, if you granted an unlimited token allowance, or if a connected dApp looks suspicious. And do this before you notice anything wrong.

How approvals are created in MetaMask

When you use a dApp to swap or stake tokens the dApp usually triggers an approve transaction. Your MetaMask popup will show a transaction to sign. That popup includes:

  • The token being approved
  • The spender address (contract that will be allowed to spend)
  • The amount or an "infinite" indicator (if the dApp sets MAX_UINT256)
  • Gas estimate and gas fee controls

If you accept, MetaMask signs and broadcasts approve(spender, amount). The contract-level allowance is now set. In my experience the critical mistake is approving without checking the spender address — always copy the spender address and verify it against the dApp's documentation or its verified contract on a block explorer.

How to check approvals

MetaMask lists connected sites (the dApps you've connected to) in the wallet UI, but that list is not the same as on-chain allowances. To check token allowance values you must inspect the blockchain. Common options are:

  • Use an on-chain approval checker (e.g., Etherscan's Token Approval Checker). See [using-etherscan-with-metamask].
  • Use a trusted revoke UI that enumerates allowances for your address and chain.
  • Query the token contract directly and read allowances[owner][spender] if you're comfortable with developer tools.

Quick check (safe path):

  1. Find your wallet address in MetaMask (click Account name).
  2. Paste it into a token-approval checker or block explorer.
  3. Review spenders and amounts; flag any unlimited token allowance.

If you want a step-by-step revoke walk-through, see [how-to-revoke-approvals-step-by-step].

Step-by-step: revoke token approvals

There are multiple ways to revoke approvals. I prefer a clear checklist and a verified tool. Below are common methods with step-by-step actions.

Method A — Use a trusted revoke UI (recommended for most users)

  1. Open the revoke UI's website (verify domain carefully).
  2. Connect MetaMask (select the correct account and chain).
  3. The UI will list allowances for your address. Review spender addresses and amounts.
  4. Click "Revoke" or set allowance to 0 for the entries you don't want.
  5. MetaMask will prompt you to sign the revoke transaction.
  6. Confirm and wait for on-chain confirmation.

Method B — Use a block explorer (Etherscan) write contract

  1. Locate the token contract page on the explorer.
  2. Open the "Write Contract" tab and connect Web3.
  3. Find approve(spender, uint256) (often function #9).
  4. Enter the spender address and 0 as the amount, then submit.
  5. Sign via MetaMask. This writes approve(spender, 0) to the chain.

Method C — Call token contract directly via custom UI or script (advanced)

Use web3/ethers scripts or a developer UI to send approve(spender, 0). This is for advanced users who are comfortable handling RPC endpoints and private keys.

Note: If you use a hardware wallet with MetaMask, the revoke transaction will require confirmation on the device. See [hardware-wallets-with-metamask]. But remember — revoking still costs gas.
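The direct contract read mentioned under "How to check approvals" and the approve(spender, 0) call from Method C, shown as an added example (not code from this guide or from MetaMask). It hand-encodes both calls without a library and without touching private keys; the addresses and node responses are constructed placeholders, and signing and sending are left to the wallet.

```javascript
// Selectors are the first 4 bytes of keccak256(function signature).
const SELECTOR_ALLOWANCE = "0xdd62ed3e"; // allowance(address,address)
const SELECTOR_APPROVE = "0x095ea7b3";   // approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;

// Constructed sample addresses (placeholders, not real contracts or wallets).
const TOKEN = "0x" + "33".repeat(20);
const OWNER = "0x" + "11".repeat(20);
const SPENDER = "0x" + "22".repeat(20);

// Left-pad a 20-byte address to one 32-byte ABI word; reject malformed input.
function addressWord(addr) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(addr)) throw new Error(`bad address: ${addr}`);
  return addr.slice(2).toLowerCase().padStart(64, "0");
}

// JSON-RPC body for a read-only eth_call of allowance(owner, spender).
function allowanceCall(token, owner, spender) {
  addressWord(token); // validation only
  const data = SELECTOR_ALLOWANCE + addressWord(owner) + addressWord(spender);
  return { jsonrpc: "2.0", id: 1, method: "eth_call", params: [{ to: token, data }, "latest"] };
}

// Decode the single 32-byte word returned by eth_call and classify it.
function classifyAllowance(resultHex) {
  if (!/^0x[0-9a-fA-F]{64}$/.test(resultHex)) throw new Error("expected one 32-byte word");
  const amount = BigInt(resultHex);
  const status = amount === 0n ? "none" : amount === MAX_UINT256 ? "unlimited" : "limited";
  return { amount, status };
}

// Unsigned transaction fields for approve(spender, 0); the wallet signs and sends.
function revokeTx(token, owner, spender) {
  addressWord(token); // validation only
  addressWord(owner); // validation only
  const data = SELECTOR_APPROVE + addressWord(spender) + "0".repeat(64);
  return { from: owner, to: token, value: "0x0", data };
}

// Constructed node responses: an unlimited allowance, then the slot after a revoke.
console.log(allowanceCall(TOKEN, OWNER, SPENDER).params[0].data);
console.log(classifyAllowance("0x" + "f".repeat(64)).status);
console.log(classifyAllowance("0x" + "0".repeat(64)).status);
console.log(revokeTx(TOKEN, OWNER, SPENDER).data);
```

Comparing the data field MetaMask displays against the output of revokeTx is a quick way to confirm that a revoke UI is really asking you to sign approve(spender, 0) for the spender you expect.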

Comparison: methods to revoke (quick reference table)

| Method | Ease | Typical cost (gas) | Risk | Best when... |
|---|---|---|---|---|
| Revoke UI (trusted) | Easy | Low-to-medium (one tx) | Moderate — must trust domain | You want a guided UI |
| Block explorer (Write Contract) | Medium | Low-to-medium | Low — fewer third parties | You prefer on-chain control |
| Manual script / RPC | Hard | Variable | Low — you control code | You are a developer |

Gas, chains, and cost-saving tips

A single approve/revoke is an on-chain transaction. ERC-20 approve calls typically consume between ~40,000 and ~80,000 gas depending on the token implementation. To estimate ETH cost: multiply gas × (base fee + priority fee). Example: 50,000 gas × 20 gwei gives 1,000,000 gwei = 0.001 ETH (rough math).

Tips:

  • On Layer 2s and alternative EVM chains revoke txs are usually much cheaper. If your tokens live on an L2, revoke there.
  • If revoke cost is a concern and you plan to reuse the dApp often, consider lowering the allowance instead of revoking to zero.
  • Batch revokes are not available on all tools; you may need separate txs per spender.

And if gas spikes, delay non-urgent revokes.

Security checklist & practical tips

  • Always verify spender addresses on-chain before approving. Copy and paste; don’t rely on UI labels.
  • Revoke unlimited token allowance when you stop using a dApp.
  • Disconnect connected sites in MetaMask (this removes dApp connections but does not change on-chain allowances) — see [disconnect-connected-sites].
  • Prefer hardware wallet signing for large balances. See [hardware-wallets-with-metamask].
  • When connecting a third-party revoke UI, inspect the domain and reviews. (Phishing sites mimic revoke UIs.)
  • Keep your seed phrase offline. Recovery via seed phrase is the final fallback — see [seed-phrase-backup-recovery].

Who this guide is for (and who should look elsewhere)

This guide is for hot-wallet users who interact with DeFi, swap tokens, stake via dApps, or want to clean up old approvals. If you run programmatic bots or manage many addresses, a developer approach (scripts/infrastructure) will be faster. If you need maximum security for large holdings, consider moving assets to a hardware wallet or a smart contract wallet with session keys — but that changes the threat model.

But if you mostly use your phone, check out mobile-specific revoke flows in [metamask-mobile-ios-android] and confirm your workflow before connecting tools.

FAQ

Q: Is it safe to keep crypto in a hot wallet? A: Hot wallets are convenient for DeFi but have a higher attack surface than cold storage. Use hot wallets for daily activity and hardware or cold storage for large holdings. See [security-checklist].

Q: How do I revoke token approvals? A: You can revoke by sending approve(spender, 0) on-chain using a revoke UI, block explorer write-contract, or a script. See [how-to-revoke-approvals-step-by-step] for a step-by-step guide.

Q: What happens if I lose my phone? A: Losing a device doesn’t expose your funds if your seed phrase is secure and the phone is locked. Restore your wallet with your seed phrase on a new device and revoke suspect approvals (and change passwords where relevant). See [seed-phrase-backup-recovery].

Conclusion & next steps

Revoke token approvals to reduce risk, especially after one-off interactions with a dApp or when you granted an unlimited token allowance. Revoke operations require an on-chain transaction, so weigh gas cost vs. exposure. In my experience, the small gas fee is often worth the peace of mind.

Want a clickable, step-by-step walkthrough? Head to [how-to-revoke-approvals-step-by-step] or review revoke options in [token-approvals-revoke]. If you need help inspecting a specific approval, review techniques in [using-etherscan-with-metamask] and follow the [security-checklist] before you sign.

Stay cautious, and always verify spender addresses before you approve.


Related: [token-management], [metamask-mobile-ios-android], [hardware-wallets-with-metamask]
