Introduction
Token approvals (also called token allowances) are a fundamental part of using DeFi with a software wallet (hot wallet). They let a smart contract move ERC‑20 tokens from your account when you click "approve" on a dApp. But that convenience carries risk if allowances are left open or set to the maximum (an "unlimited token allowance").
In my experience, most people misunderstand one key fact: disconnecting a connected site in the wallet UI does not remove on‑chain allowances. And yes, that mistake can cost real funds.
This guide explains what token approvals are, how to find them, and practical steps to revoke dangerous allowances with MetaMask — both in the browser extension and on mobile. If you want a step-by-step walkthrough, also see our dedicated guide: How to revoke approvals — step by step.
What is a token approval (token allowance)?
When you click "approve token" in a dApp, your software wallet creates an on‑chain allowance record: the token contract stores how many tokens a specific spender (the dApp's smart contract) is allowed to transfer from your account. This is the ERC‑20 allowance pattern (token allowance). Approvals can be for a specific amount or for the maximum uint256 (commonly called "unlimited approval").
Why does unlimited approval exist? It avoids repeated approve transactions when you interact frequently with a protocol. But it also means a compromised contract or an attacker who controls the spender address can drain approved tokens without further permission.
(Short technical note: revocation is implemented on‑chain by calling approve(spender, 0) or by replacing the allowance with a new value.)
Why revoking approvals matters (real risks)
- Unlimited token allowances that MetaMask users grant are a common target once a dApp is hacked or a token aggregator turns out to be malicious.
- Disconnecting a dApp in MetaMask stops the injected provider connection but does not modify on‑chain allowances. Don't assume it does.
- WalletConnect sessions can remain active on the dApp side even after you close a tab.
Have you ever connected MetaMask to a scam site and later noticed odd transactions? If so, you should immediately check allowances and follow recovery steps: see /compromised-wallet-what-to-do.
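The technical note above (revocation is approve(spender, 0)) and the point that disconnecting a site changes nothing on‑chain are easy to show side by side. The following is an added example, not code from the article or from MetaMask: an in‑memory model of a token's allowance mapping next to a wallet‑local "connected sites" set, plus a hypothetical audit helper (riskyAllowances) and a calldata builder (approveCalldata) you can compare against what the wallet's confirmation screen displays. All addresses and the site name are constructed.

```javascript
// Added example (not the article's code): an in-memory model of the ERC-20 allowance mapping
// beside a wallet's local "connected sites" list. It shows that disconnecting a site leaves the
// allowance untouched and that only approve(spender, 0) revokes it.
const MAX_UINT256 = (1n << 256n) - 1n;  // the "unlimited approval" value
const APPROVE_SELECTOR = "095ea7b3";    // first 4 bytes of keccak256("approve(address,uint256)")

// Stand-in for the token contract's storage: allowance[owner][spender].
class Erc20Allowances {
  constructor() { this.map = new Map(); }
  key(owner, spender) { return `${owner.toLowerCase()}:${spender.toLowerCase()}`; }
  approve(owner, spender, amount) { this.map.set(this.key(owner, spender), BigInt(amount)); }
  allowance(owner, spender) { return this.map.get(this.key(owner, spender)) ?? 0n; }
  // What the spender contract does when it pulls tokens; nothing but the allowance gates it.
  transferFrom(spender, owner, amount) {
    const allowed = this.allowance(owner, spender);
    if (allowed < amount) throw new Error("insufficient allowance");
    if (allowed !== MAX_UINT256) this.approve(owner, spender, allowed - amount);
    return true;
  }
}

// Audit helper: flag allowances that are unlimited or granted to spenders you don't recognise.
function riskyAllowances(token, owner, spenders, knownSpenders) {
  const known = new Set([...knownSpenders].map((s) => s.toLowerCase()));
  return spenders.filter((s) => {
    const a = token.allowance(owner, s);
    return a > 0n && (a === MAX_UINT256 || !known.has(s.toLowerCase()));
  });
}

// Calldata MetaMask shows for approve(spender, amount): selector + padded address + padded amount.
// Compare it with the confirmation screen to check a "revoke" really targets the spender with 0.
function approveCalldata(spender, amount = 0n) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amount.toString(16).padStart(64, "0");
}

// Constructed scenario: the owner grants a dApp contract an unlimited allowance, then
// removes the site from the wallet's connected-sites list (the MetaMask "Disconnect" action).
const OWNER = "0x1111111111111111111111111111111111111111";
const DAPP = "0x2222222222222222222222222222222222222222";
const token = new Erc20Allowances();
const connectedSites = new Set(["dapp.example"]);   // wallet-local state, never on-chain
token.approve(OWNER, DAPP, MAX_UINT256);
connectedSites.delete("dapp.example");
// The site is gone from the wallet, yet the spender contract can still pull tokens...
const drainableAfterDisconnect = !connectedSites.has("dapp.example") && token.transferFrom(DAPP, OWNER, 1000n);
token.approve(OWNER, DAPP, 0n);   // ...until the on-chain revoke: approve(spender, 0)
```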
How to check your allowances — fast checklist
- Open MetaMask and review Connected sites. Disconnecting a site there removes the site-level connection but not the on‑chain approval.
- Use an allowance checker (examples cited in the step-by-step below) to enumerate approvals per chain.
- For each spender address, verify it on a block explorer (see our guide Using Etherscan with MetaMask).
- Revoke or reduce approvals for unknown or high-value allowances.
Tip: When in doubt, revoke to zero. You can re‑approve a safe amount later.
Step-by-step: Revoke approvals (desktop/browser extension)
- Open your browser with MetaMask extension unlocked.
- Navigate to a reputable token-allowance manager (or use a block explorer's approval-checker). Connect with the MetaMask extension (injected provider).
- The tool will list spender addresses and allowances. Look for unusually large amounts or unknown contracts.
- Click "Revoke" (or set allowance to 0). The tool will create an on‑chain transaction. Confirm it in MetaMask.
- Wait for confirmation and verify the allowance is now zero on the block explorer.
Important notes:
- Approve transactions and revocations cost gas on the chain you’re using. This can be cheap on L2s but expensive on Ethereum mainnet.
- If a contract shows an unlimited allowance, use the tool's revoke option (it sets the allowance to 0) rather than attempting manual contract calls unless you're confident.
For a full, click‑by‑click walkthrough see: How to revoke approvals — step by step.
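The last step of the procedure above is to confirm on a block explorer that the allowance is now zero. What the explorer (or an allowance checker) actually does is a read-only eth_call of allowance(owner, spender) on the token contract. The following added example, not code from the article or any explorer, builds that JSON-RPC request and decodes the returned 32-byte word into the status an audit cares about; allowanceCall and classifyAllowance are hypothetical helper names, and the addresses and responses are constructed.

```javascript
// Added example (not the article's code): the read-only eth_call that an allowance checker
// or block explorer issues for allowance(owner, spender), plus a decoder for the answer so
// you can confirm a revoke landed. Addresses and the responses below are constructed.
const MAX_UINT256 = (1n << 256n) - 1n;
const ALLOWANCE_SELECTOR = "dd62ed3e";  // first 4 bytes of keccak256("allowance(address,address)")

function pad32(hex) { return hex.toLowerCase().replace(/^0x/, "").padStart(64, "0"); }

// JSON-RPC body for eth_call against the token contract: no gas, no signature, no state change.
function allowanceCall(tokenAddress, owner, spender, id = 1) {
  const data = "0x" + ALLOWANCE_SELECTOR + pad32(owner) + pad32(spender);
  return { jsonrpc: "2.0", id, method: "eth_call", params: [{ to: tokenAddress, data }, "latest"] };
}

// The node returns a single 32-byte word; interpret it against the owner's token balance.
function classifyAllowance(resultHex, balance) {
  if (!/^0x[0-9a-fA-F]{64}$/.test(resultHex)) throw new Error("unexpected eth_call result");
  const value = BigInt(resultHex);
  let status = "limited";
  if (value === 0n) status = "revoked";
  else if (value === MAX_UINT256) status = "unlimited";
  else if (value > balance) status = "exceeds-balance";  // not unlimited, but more than the dApp can need
  return { value, status };
}

// Constructed inputs: a token, an owner and a spender, and three responses a node might return.
const TOKEN = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const OWNER = "0x1111111111111111111111111111111111111111";
const SPENDER = "0x2222222222222222222222222222222222222222";
const request = allowanceCall(TOKEN, OWNER, SPENDER);
const afterRevoke = classifyAllowance("0x" + "0".repeat(64), 5000n);
const unlimited = classifyAllowance("0x" + "f".repeat(64), 5000n);
const tooLarge = classifyAllowance("0x" + (10000n).toString(16).padStart(64, "0"), 5000n);
```

Send `request` to any JSON-RPC endpoint for the chain in question; an `eth_call` costs no gas and needs no signature, so it is safe to run as often as you like.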
Step-by-step: Revoke approvals (MetaMask mobile)
Mobile is the most common daily form factor for many users. In my experience, the in‑app browser makes revocation possible without moving to desktop:
- Open the MetaMask mobile app and unlock your account. (If you prefer, you can also use WalletConnect to connect a desktop site to your mobile wallet — guidance at /walletconnect-guide and /connect-to-dapps-walletconnect).
- Use the mobile browser to open an approvals manager or block explorer approval checker.
- Connect and review the list of token allowances tied to that account.
- Revoke suspicious allowances by confirming the transactions in the MetaMask mobile approval flow.
But remember: mobile network performance and UI differences can make confirmation slower. Double-check the spender address before confirming.
Gas, batching, and account-abstraction notes
- Gas: On Ethereum mainnet a single approve/revoke can cost a non-trivial amount during congestion. On Layer 2 networks costs are usually much lower. Always verify gas estimates before confirming.
- Batching: Standard EOAs require one transaction per token-spender pair. If you have dozens of approvals, batching requires either a trusted aggregator or a smart-contract wallet that supports batched transactions.
- Account abstraction / smart-contract wallets: these can allow gasless or batched revocations (if configured). See /account-abstraction-smart-contract-wallets for options.
Best practices to reduce approval risk
- Approve exact amounts when possible. Avoid unlimited approvals for tokens you use rarely.
- Revoke approvals after one-off interactions (airdrop claimers, small tools, or unfamiliar aggregators).
- Use hardware wallets for high-value interactions (see /hardware-wallets-with-metamask).
- Regularly audit your allowances (monthly if you use many dApps). I do this on the first Monday of each month.
- If you suspect your wallet was connected to a scam, follow the steps at /compromised-wallet-what-to-do and secure your seed phrase as described in /seed-phrase-backup-recovery.
Quick comparison: extension vs mobile for revoking
| Method | Typical steps | Pros | Cons |
|---|---|---|---|
| Browser extension | Connect to approvals tool → Revoke → Confirm in MetaMask (3–5 clicks) | Easier address inspection, desktop block‑explorer side‑by‑side | Must trust the third‑party tool; gas cost on-chain |
| Mobile (in‑app) | Open in‑app browser → Connect → Revoke → Confirm | Convenient on the go, WalletConnect support | Smaller UI, accidental taps more likely; network latency can delay confirmations |

Common mistakes I've made (and how I fixed them)
I once accepted an "approve unlimited" checkbox while rushing to try a new aggregator. Within 24 hours I saw a suspicious transfer attempt (blocked), and I had to run multiple revoke transactions to be safe. Lesson learned: always uncheck unlimited approvals and verify the spender address before approving. I now keep a small test token balance to trial new dApps before approving larger amounts.
FAQ
Q: Is it safe to keep crypto in a hot wallet?
A: Hot wallets trade some security for convenience. They’re fine for daily DeFi interactions, but for large long-term holdings use a hardware wallet or move funds to cold storage. See our /security-checklist for specifics.
Q: How do I revoke token approvals?
A: Use an approvals checker or block explorer approval tool, connect MetaMask, and send approve(spender, 0) transactions for the risky allowances. Step-by-step here: /how-to-revoke-approvals-step-by-step.
Q: What happens if I lose my phone?
A: Losing the device doesn’t expose funds if the seed phrase and private keys were not stored on the phone. Immediately follow /compromised-wallet-what-to-do and restore to a new device using your seed phrase if needed.
Q: I connected MetaMask to a scam site — what should I do?
A: Disconnect the site in MetaMask, then revoke on‑chain allowances for any token approvals granted to that contract. Review /disconnect-connected-sites and then revoke allowances with the steps above.
Conclusion & next steps
Token allowances are a normal part of DeFi, but they require active management. In my experience, regular audits and removing unlimited approvals reduce risk dramatically. Start by checking your connected sites and run an approvals audit today.
Next actions:
If you want, take five minutes now to open MetaMask and confirm your largest allowances. You'll sleep better tonight. And if you’re unsure about a contract address, double‑check it on the block explorer before taking action.