Note: smart contract allowances are different from simply connecting your wallet to a dapp. For information on disconnecting your wallet from dapps, see here.
Smart contract allowances, also referred to as approvals, involve you allowing dapps to access and move tokens in your wallet on your behalf. When you use a DEX (decentralized exchange), for example, you'll need to sign an approval that allows its smart contract to take tokens to complete your requested trades. Whilst this sounds inherently risky, bear in mind that giving dapps at least some allowance is always necessary. If you want to use Web3, you won't be able to avoid them.
Revoking approvals vs. disconnecting apps: what's the difference?
It's easy to confuse these two processes, but they are fundamentally different:
- Disconnecting your wallet from a dapp involves cancelling permission for it to see your public address and your token balances, and, depending on what you originally consented to, stopping it from initiating transactions (although not executing them) and viewing past activity. See our article for more info.
- Revoking an approval/allowance means a dapp can no longer access the tokens in your wallet and move them around.
See also: our Twitter thread covering the distinction between these two actions.
How do I revoke approvals?
The good news is there are several ways to keep track of your existing approvals and easily revoke them:
- Head to the 'approval checker' section of the block explorer for the network you're using. For example, Etherscan, BscScan and Polygonscan all have a token approval checker function.
- Use a platform such as Revoke, Unrekt, or approved.zone.
Look, we know how it is: there's always a new dapp to try. Those juicy yields and new games aren't going to find themselves. The only problem is that this can quickly rack up a long list of token allowances, potentially making you vulnerable to hackers or scams. This is why it's a good idea to develop a habit of regularly checking your token approvals (e.g. monthly) and weeding out any you're unhappy with.
Unfortunately, token approvals are a common attack vector for both hackers and scammers: the former can sometimes locate and exploit vulnerabilities in a smart contract's code (this happened to Wormhole, an Ethereum <-> Solana bridge, for example), while the latter can abuse approvals through rugpulls.
This is because token approvals often request unlimited access to your tokens. If a hacker or fraudulent smart contract owner is able to leverage this, they can theoretically drain your wallet of the tokens you've allowed access to. To help limit this exposure, MetaMask allows you to customize token permissions.
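To see what "unlimited" means in practice, the following added example (not MetaMask's code) decodes the data field of an approval transaction and reports whether it grants an unlimited allowance, a limited one, or revokes it. It assumes the standard ERC-20 `approve(address,uint256)` call; the function names and the spender address are constructed for illustration.

```javascript
// Added example: classify ERC-20 approve(address,uint256) calldata.
const APPROVE_SELECTOR = "095ea7b3";   // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // amount dapps commonly request for "unlimited" access

function classifyApproval(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex)) throw new Error("calldata is not hex");
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return { kind: "not-an-approve" };
  // selector (4 bytes) + two 32-byte ABI words = 68 bytes = 136 hex characters
  if (hex.length !== 136) throw new Error("unexpected approve calldata length");
  const spenderWord = hex.slice(8, 72);
  const amountWord = hex.slice(72, 136);
  // A 20-byte address is left-padded with 12 zero bytes inside its ABI word
  if (!/^0{24}/.test(spenderWord)) throw new Error("spender word is not a padded address");
  const spender = "0x" + spenderWord.slice(24);
  const amount = BigInt("0x" + amountWord);
  let kind = "limited";
  if (amount === 0n) kind = "revoke";                 // approve(spender, 0) clears the allowance
  else if (amount === MAX_UINT256) kind = "unlimited"; // spender may move the whole balance
  return { kind, spender, amount };
}

// Helper (hypothetical) that builds sample calldata for the checks below.
function buildApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amount.toString(16).padStart(64, "0");
}

// Constructed sample data: the spender is a made-up address, not a real contract.
const SAMPLE_SPENDER = "0x1111111111111111111111111111111111111111";
for (const amount of [MAX_UINT256, 1000n, 0n]) {
  const result = classifyApproval(buildApprove(SAMPLE_SPENDER, amount));
  console.log(result.kind, result.spender, result.amount.toString());
}
```

Revoking through a block explorer or a tool such as Revoke amounts to sending the "revoke" form of this call for the spender you no longer trust.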