tl;dr: MetaMask allows you to manually edit the number of tokens dapps can access. Click here to jump straight to how.
What is the point of token allowances?
When you interact with any dapp that involves your ERC-20 token holdings in some way or another, you're likely to have to approve its access to that token's smart contract (the same applies for ERC-20 equivalents on other chains, such as BEP-20 on BNB Chain). Then, when you decide, for example, to add 1,000 of token A and 1,000 of token B to a liquidity pool, the dapp already has your permission to take the necessary quantity of tokens straight out of your wallet, and all you have to do is confirm the transaction.
Token allowances are specific to one token. That means that if you've granted an allowance for a dapp to access your USDT, for example, it is only USDT that it can access.
In most cases, token allowances that exceed what you need for any single transaction are very convenient; it would be time-consuming to have to grant permission anew for every transaction you wish to make on the dapp. Pre-approving access to a number of tokens at once is, therefore, something of a quality of life feature that makes your web3 activities smoother.
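As an added illustration (not MetaMask's code, nor any real token contract), here is a minimal JavaScript model of the ERC-20 allowance accounting described above: approve sets a cap without moving any tokens, transferFrom draws against that cap, and approve(spender, 0) removes it. The addresses and balances are constructed labels; the convention of not decrementing an allowance set to the maximum uint256 follows some widely used token implementations rather than the ERC-20 standard itself, and is an assumption of this model.

```javascript
// Added example: in-memory model of ERC-20 allowance accounting.
// Amounts are BigInt in the token's smallest unit, as on-chain.
const MAX_UINT256 = (1n << 256n) - 1n;   // the value wallets display as "unlimited"

class Erc20Model {
  constructor() {
    this.balances = new Map();     // holder -> BigInt
    this.allowances = new Map();   // "owner:spender" -> BigInt
  }
  mint(to, amount) { this.balances.set(to, this.balanceOf(to) + amount); }
  balanceOf(who) { return this.balances.get(who) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}:${spender}`) ?? 0n; }

  // approve(spender, amount), called by `owner`: sets (does not add to) the cap
  // and moves no tokens. approve(spender, 0) is how an allowance is revoked.
  approve(owner, spender, amount) {
    this.allowances.set(`${owner}:${spender}`, amount);
    return true;
  }

  // transferFrom(from, to, amount), called by `spender`: succeeds only if the
  // caller's allowance and the owner's balance both cover the amount.
  transferFrom(spender, from, to, amount) {
    const allowed = this.allowance(from, spender);
    if (allowed < amount) throw new Error("insufficient allowance");
    if (this.balanceOf(from) < amount) throw new Error("insufficient balance");
    // Assumption: like several common implementations, an allowance equal to
    // MAX_UINT256 is treated as infinite and never decremented.
    if (allowed !== MAX_UINT256) this.allowances.set(`${from}:${spender}`, allowed - amount);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
    return true;
  }
}

// Human token amount -> smallest unit (18 decimals assumed, as for MATIC/ETH-style tokens).
function toUnits(human, decimals = 18n) { return BigInt(human) * 10n ** decimals; }

// Constructed scenario: a wallet holding 5,000 tokens approves a dapp contract for 1,000.
function cappedScenario() {
  const token = new Erc20Model();
  const wallet = "0xWALLET", dapp = "0xDAPP", pool = "0xPOOL";  // placeholder labels
  token.mint(wallet, toUnits(5000));
  token.approve(wallet, dapp, toUnits(1000));

  token.transferFrom(dapp, wallet, pool, toUnits(1000));          // within the cap: succeeds
  let overCapRejected = false;
  try { token.transferFrom(dapp, wallet, pool, 1n); } catch { overCapRejected = true; }

  token.approve(wallet, dapp, 0n);                                // revoke
  return {
    remaining: token.balanceOf(wallet),
    overCapRejected,
    allowanceAfterRevoke: token.allowance(wallet, dapp),
  };
}

// Same wallet, but with the maximum allowance: the spender can pull the whole balance
// and the allowance is still intact afterwards.
function unlimitedScenario() {
  const token = new Erc20Model();
  token.mint("0xWALLET", toUnits(5000));
  token.approve("0xWALLET", "0xDAPP", MAX_UINT256);
  token.transferFrom("0xDAPP", "0xWALLET", "0xPOOL", toUnits(5000));
  return {
    remaining: token.balanceOf("0xWALLET"),
    allowanceLeft: token.allowance("0xWALLET", "0xDAPP"),
  };
}
```

The two scenarios are the contrast the rest of the article draws: with a 1,000-token cap, the spender is stopped at exactly 1,000 and a later approve(…, 0) leaves it with nothing; with the maximum value, nothing limits what it can take, and the allowance remains in place until you revoke it.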
Customizing token allowances in MetaMask
For various reasons including preserving your control and agency, as well as giving you the tools to protect yourself from one of the most common scam attack vectors around, MetaMask enables you to customize how many tokens you allow dapps to access.
How? Well, when you come across a request to grant access to your tokens, a MetaMask approval window will appear, looking something like this:
In this case, we're trying to add MATIC and ETH to a liquidity pool on Uniswap. The contract address shown is Uniswap's.
Click 'Edit Permission' to get some more details on what Uniswap is requesting to access:
A few things to note here:
- At the top, you'll see the total amount of the token that your wallet holds.
- 'Proposed Approval Limit' is the request that Uniswap is making. In this case, it wants to be able to access a number so large that it's written in scientific notation (also known as E notation). If we were to write this number out in full, it would be 60 digits long — essentially an unlimited amount.
- 'Custom Spend Limit' is where you can tailor the token allowance according to your preferences.
As of Mobile v5.3.0, the amount you're approving is displayed on the initial approval screen, without you having to tap 'Edit permission'.
It's that simple:
- On Extension: under 'Custom Spend Limit', input your preferred cap on how much the dapp can access, make sure you've checked the toggle next to it, and then click 'Save'.
- On Mobile: tap 'Edit permission', input your preferred amount, and hit 'Set'.
For clarity, the number you're inputting here is the token amount: so if we input, say, 100, that would mean 100 MATIC in this context.
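To make the numbers on the approval screen concrete, this added example (not part of the MetaMask article or its software) decodes the calldata of an approve(address,uint256) transaction, converts the raw amount into token units using the token's decimals, and classifies it as capped, larger than the wallet's balance, or the maximum uint256 value that wallets display as unlimited. It also builds the calldata for a custom limit such as 100 tokens. The spender address and calldata are constructed sample values; the function selector 0x095ea7b3 is the standard one for approve. With 18 decimals, the maximum value expressed in whole tokens is a 60-digit number, which is the figure the article mentions.

```javascript
// Added example: decode, classify and encode ERC-20 approve() calldata.
const APPROVE_SELECTOR = "095ea7b3";     // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;   // shown by wallets as an "unlimited" approval

// Parse 0x-prefixed calldata for approve(address,uint256).
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || !hex.startsWith(APPROVE_SELECTOR)) {
    throw new Error("not an approve(address,uint256) call");
  }
  const spender = "0x" + hex.slice(8 + 24, 8 + 64);  // address is right-aligned in its 32-byte word
  const amount = BigInt("0x" + hex.slice(72));       // uint256 amount in the token's smallest unit
  return { spender, amount };
}

// Build the calldata for a custom spend limit (amount already in smallest units).
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amount.toString(16).padStart(64, "0");
}

// Convert between the human amount a user types and the on-chain integer.
function parseUnits(human, decimals) {
  const [whole, frac = ""] = human.split(".");
  if (frac.length > decimals) throw new Error("too many decimal places");
  return BigInt(whole) * 10n ** BigInt(decimals) + BigInt(frac.padEnd(decimals, "0") || "0");
}
function formatUnits(amount, decimals) {
  const base = 10n ** BigInt(decimals);
  const frac = (amount % base).toString().padStart(decimals, "0").replace(/0+$/, "");
  return (amount / base).toString() + (frac ? "." + frac : "");
}

// Classify a decoded request against what the wallet actually holds.
function classifyApproval(amount, balance) {
  if (amount === MAX_UINT256) return "unlimited";
  if (amount > balance) return "exceeds-balance";
  return "capped";
}

// Constructed sample: a dapp asks for the maximum allowance from a wallet holding 5,000 tokens,
// and the user instead sets a custom limit of 100. The spender is a placeholder, not a real contract.
const SAMPLE_SPENDER = "0x" + "ab".repeat(20);
const UNLIMITED_REQUEST = encodeApprove(SAMPLE_SPENDER, MAX_UINT256);
const CUSTOM_REQUEST = encodeApprove(SAMPLE_SPENDER, parseUnits("100", 18));

function reviewSample() {
  const balance = parseUnits("5000", 18);
  const proposed = decodeApprove(UNLIMITED_REQUEST);
  const custom = decodeApprove(CUSTOM_REQUEST);
  return {
    proposedDigits: formatUnits(proposed.amount, 18).split(".")[0].length,  // 60 for 18 decimals
    proposedClass: classifyApproval(proposed.amount, balance),
    customAmount: formatUnits(custom.amount, 18),
    customClass: classifyApproval(custom.amount, balance),
  };
}
```

The "exceeds-balance" class is worth keeping separate from "unlimited": a request that is not the sentinel value but still far above what you hold is, for practical purposes, just as open-ended, and the same custom-limit edit applies.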
Token allowances are an essential part of web3, and issuing virtually unlimited approvals is not problematic in itself: most of the time, it makes your life easier and reduces how much gas you pay (since each separate approval is a transaction you pay for). However, dapps are rarely, if ever, completely secure from exploits and hack attempts, and having an unlimited token allowance in place may put you at risk of theft. If the dapp has a vulnerability in its code, bad actors may be able to exploit it and make the dapp withdraw your funds without you requesting it.
Equally, it's also possible that the site from which the token approval request originates is malicious. This is the more common form of attack: you visit a site designed to look like another, more trustworthy site or brand, and it's this trust that gets exploited. In these cases, your tokens can be stolen as soon as you send the approval transaction.
To avoid becoming a victim of this, there are two approaches you could adopt:
1. Never grant unlimited (astronomically high) allowances.
2. Grant unlimited allowances to trusted sites from time to time, but check in frequently and revoke them so you always know who and what has access to your tokens.
Both are viable, but option 1 is the safest.
Additionally, you should always do your due diligence on any site to which you grant token allowances. Sometimes, if the dapp itself was deployed by a bad actor out to steal your funds, it doesn't even have to be exploited for you to become a victim: as soon as you click 'approve' on the token, they can drain your wallet of that token. See our Twitter thread on this subject for additional context.
For more information on token approvals, here are some more resources: