Approval front-running is a security exploit that targets the approve function in token smart contracts, such as those following the ERC-20 standard. When a user grants a dApp (decentralized application) or a smart contract permission to spend their tokens, they broadcast a transaction to the network. A malicious actor, known as a front-runner, can monitor the public mempool for these pending approval transactions. By paying a higher gas fee, the attacker can get their own malicious transaction—which calls the same approve function but sets the spender to an address they control—included in a block before the user's legitimate transaction. This effectively steals the spending authority the user intended to grant.
LABS
Glossary
Approval Front-Running
Approval front-running is a blockchain attack where a malicious actor intercepts and exploits a user's token approval transaction before it is finalized.
Chainscore © 2026
definition
SECURITY VULNERABILITY
What is Approval Front-Running?
Approval front-running is a blockchain exploit where an attacker intercepts and exploits a user's token approval transaction before it is finalized.
The core vulnerability exploited is the race condition between the user's intended approval and the attacker's malicious one. The standard approve function typically overwrites any existing allowance. Therefore, whichever transaction is confirmed last dictates the final approved spender. If the attacker's transaction is mined first, the user's subsequent transaction will overwrite the attacker's address with the intended dApp's address, seemingly correcting the issue. However, in the brief window between the two transactions, the attacker can immediately execute a transferFrom operation to drain the user's tokens up to the newly set allowance limit.
To mitigate this risk, developers have implemented safer approval patterns. The most common is the increaseAllowance/decreaseAllowance pattern introduced in later ERC-20 implementations, which modifies an existing allowance rather than overwriting it. For users, best practices include: - Setting allowances only to the exact amount needed for a transaction. - Using a time-bound allowance where supported. - Revoking unused approvals via tools like Etherscan's Token Approval Checker. - Considering the use of private transaction relays (e.g., Flashbots) to avoid exposing transactions to the public mempool where front-running occurs.
how-it-works
SECURITY VULNERABILITY
How Does Approval Front-Running Work?
Approval front-running is a blockchain-specific exploit where a malicious actor intercepts and exploits a pending token approval transaction before it is finalized.
Approval front-running, also known as an approval phishing or infinite allowance attack, exploits the public and pending nature of transactions in a blockchain's mempool. When a user signs a transaction granting a smart contract permission to spend their tokens (an approve() call), that transaction is broadcast to the network and sits in the mempool before being mined. A malicious bot monitors the mempool for these specific transactions. Upon detecting one, the attacker quickly submits their own transaction with a much higher gas fee, aiming to have their transaction processed first by the network's validators or miners.
The attacker's transaction is a malicious call to the same approve() function, but it changes the spender address parameter from the legitimate, intended contract to an address the attacker controls. If the attacker's transaction is mined first, it overwrites the user's original approval, granting the attacker's address unlimited (or a very high) spending allowance for the user's tokens. The user's original, legitimate transaction then fails or is mined afterward, but it is often irrelevant as the attacker has already gained control. This exploit capitalizes on the race condition created by transaction ordering based on gas price.
A classic example is a user interacting with a new decentralized exchange (DEX). The user signs an approval to allow the DEX router to spend 10 UNI tokens. An attacker sees this, front-runs it with a higher gas fee, and changes the approval to grant the attacker's wallet an allowance for 10,000 UNI tokens. The attacker then immediately uses a transferFrom() call to drain the user's full UNI balance. This attack is distinct from sandwich attacks on trades, as it targets permission-granting transactions directly rather than manipulating liquidity pool prices.
To mitigate approval front-running, developers and users must adopt specific security practices. Users should revoke unused approvals regularly using tools like Etherscan's Token Approvals checker. For new interactions, they should use the increaseAllowance() and decreaseAllowance() functions if available, as these are safer than approve(). Furthermore, using permit signatures (EIP-2612) for gasless approvals or setting time-bound allowances can reduce exposure. Wallets can also implement warnings for approvals to unknown or high-risk contracts, adding a crucial layer of user scrutiny before a transaction is signed and broadcast to the vulnerable mempool.
key-features
MECHANISM
Key Characteristics
Approval front-running is a specific type of transaction ordering attack where an attacker exploits a pending, overly permissive token approval to steal funds before the user can cancel it.
01
The Approval Transaction
The attack vector originates when a user signs a transaction granting a smart contract permission to spend their tokens. A common vulnerability is an infinite approval, granting unlimited access rather than a specific amount. This transaction is broadcast to the public mempool.
02
Mempool Surveillance
Attackers run bots that monitor the mempool for pending approval transactions. They analyze the transaction data to identify the token contract, spender address (often a malicious contract), and the allowance amount. High-value approvals or approvals to unknown contracts are prime targets.
03
Transaction Replacement
Using a higher gas price (via techniques like Gas Price Auction), the attacker submits their own transaction that calls the transferFrom function. This transaction is mined before the user's original approval, exploiting the permission the moment it is confirmed on-chain. The attacker's transaction must be crafted to execute immediately after the approval block.
04
Theft Execution
The attacker's contract uses the newly granted approval to transfer the maximum allowed tokens from the victim's wallet to an address they control. If the approval was for an infinite amount, the attacker can drain the victim's entire balance for that token. The victim's original approval transaction is then redundant and fails or is canceled.
05
Key Vulnerability: Pre-Confirmed State
The core issue is that the authorization state (the allowance) becomes valid the instant the approval transaction is included in a block, but the user's awareness and ability to react are delayed. This creates a race condition where the attacker's transaction can be the first to act on the new state change.
06
Mitigation: Revoke & Re-approve
The standard defense is to first send a transaction setting the allowance to zero (a revocation) for a spender, then a second transaction with the new, specific allowance. This ensures any pending malicious approval transaction from a previous interaction will fail, as it attempts to spend from a zero allowance.
security-considerations
GLOSSARY TERM
Security Considerations & Risks
Approval front-running is a security exploit where a malicious actor monitors the mempool for pending token approval transactions and submits their own transaction with a higher gas fee to execute a malicious transfer before the legitimate approval is processed.
01
Core Mechanism
The attack exploits the public nature of the mempool and Ethereum's gas auction mechanism. An attacker uses a bot to detect a user's pending approve() or increaseAllowance() transaction, which grants a spender (like a DEX router) permission to move tokens. The attacker then immediately submits a transaction calling transferFrom() from a malicious contract they control, paying a higher gas price to ensure their transaction is mined first, draining the approved amount.
02
The Infinite Approval Risk
A major vulnerability is granting infinite approval (e.g., approve(spender, type(uint256).max)). This common UX pattern eliminates the need for repeated approvals but creates a persistent, high-value target. If front-run, the attacker can drain the entire token balance for that contract, not just a single transaction amount. This makes the impact of a successful front-run catastrophic.
03
Mitigation: Use `permit()`
The ERC-2612 permit function for ERC-20 tokens allows approvals via off-chain EIP-712 signed messages, eliminating the need for an on-chain approve transaction. Since the signature is created off-chain and submitted with the spend transaction in a single atomic call, there is no pending approval for an attacker to front-run. This is the most robust solution for compatible tokens.
04
Mitigation: Use `increaseAllowance()` & `decreaseAllowance()`
For standard ERC-20 tokens, use the increaseAllowance() and decreaseAllowance() functions instead of approve(). These functions modify the existing allowance by a delta, preventing the race condition inherent in approve() where a second call can reset the allowance. However, the initial allowance-setting transaction can still be front-run if it sets a large amount.
05
User Best Practices
- Revoke unused approvals: Regularly check and revoke old approvals using tools like Etherscan's Token Approval Checker.
- Set specific allowances: Approve only the exact amount needed for a transaction, not an infinite amount.
- Use private transactions: For sensitive approvals, consider using services that offer private transaction bundling or Flashbots to avoid the public mempool.
- Monitor gas prices: Be wary of setting approvals during periods of high network congestion and volatile gas prices.
06
Historical Context & Impact
This attack vector gained prominence with the rise of DeFi and the Uniswap V2 router, which required token approvals. A notable real-world example is the Uniswap/Lendf.Me hack (April 2020), where an attacker exploited a related ERC-777 token callback vulnerability, but front-running was a core component of the attack chain, allowing the theft of $25 million. It highlights the critical need for secure approval patterns.
visual-explainer
MECHANISM
Visualizing the Attack Flow
This section details the precise, step-by-step sequence of an approval front-running attack, breaking down the technical interactions between the victim, the attacker's bot, and the blockchain network.
An approval front-running attack is a multi-step exploit that unfolds in a predictable sequence on the blockchain. It begins when a user, the victim, signs a transaction granting a token approval to a legitimate but vulnerable smart contract, such as a DEX router or a lending protocol. This transaction is broadcast to the mempool, where it becomes visible to network participants. The attacker, running a specialized sniping bot, continuously scans the mempool for these specific approval transactions, which are identifiable by their function signature and target contract address.
Upon detecting a target transaction, the bot's core function is transaction replacement. Using a higher gas price or a priority fee, the attacker immediately submits a malicious transaction designed to interact with the same vulnerable contract before the victim's approval is finalized. This malicious transaction typically calls a function—like transferFrom—that utilizes the newly granted but not-yet-executed approval. Due to the fee-based ordering of transactions in blocks, the attacker's higher-paying transaction is mined first, creating a critical race condition on-chain.
The attack concludes with the asset drain. Because the victim's approval transaction is processed after the malicious call, the smart contract logic executes the attacker's withdrawal request using the freshly authorized allowance. The attacker successfully transfers the victim's tokens to a controlled address, and the original, now-spent approval is finalized, often leaving the victim confused by an empty wallet despite the approval appearing to go through normally. This flow highlights the inherent risks of permissionless mempools and the finality of smart contract interactions once initiated.
examples
APPROVAL FRONT-RUNNING
Real-World Examples & Context
Approval front-running exploits the gap between a user's signature and a transaction's execution, allowing attackers to intercept and manipulate token allowances. These examples illustrate how the vulnerability manifests in practice.
01
The Uniswap Permit2 Exploit (2022)
A sophisticated attack vector emerged with the Permit2 contract, a gasless token approval standard. Attackers monitored the mempool for EIP-712 permit signatures, which grant token spending allowances off-chain. They would front-run the intended transaction, submitting their own malicious transaction using the same signature to drain the user's approved tokens before the legitimate swap could execute.
02
The ERC-20 Approval Race Condition
This classic example occurs when a user interacts with a dApp that requests an unlimited or large token approval. An attacker, watching the mempool, sees the pending approve() transaction. They immediately submit a transaction to transfer the newly approved tokens to their own address, offering a higher gas fee to ensure their transaction is mined first, leaving the user with a zero balance.
03
Malicious DApp UI Spoofing
Attackers create fake interfaces that mimic legitimate dApps. When a user connects their wallet, the malicious site prompts for a token approval. Unbeknownst to the user, the approval is crafted for the attacker's contract address. The attacker then front-runs any subsequent user action by immediately executing a transfer using the granted approval, a tactic that combines phishing with mempool surveillance.
04
The Revoke.cash Incident
Highlighting the risk even for security tools, attackers targeted users of the Revoke.cash service. They monitored for transactions where users were attempting to revoke old, unused token approvals. The attacker would front-run the revocation transaction with their own transfer transaction, exploiting the still-valid approval in the brief window before it was removed, stealing any remaining allowance.
05
Mitigation: Use Permit2 & Smart Wallets
Modern solutions aim to eliminate the attack surface. The Permit2 contract allows for gasless, time-bound, and single-use signatures, reducing the window for exploitation. Smart contract wallets (like Safe or Argent) can implement security modules that require explicit user confirmation for specific allowances, moving beyond simple EOA signatures.
06
Mitigation: Revoke Unused Approvals
A critical user-level defense is proactive management of token approvals. Users should:
- Regularly audit active approvals using tools like Etherscan's Token Approval Checker.
- Revoke approvals for dApps they no longer use.
- Avoid granting unlimited approvals; instead, approve only the exact amount needed for a transaction.
- Use wallets that offer simulation and warning features for risky approvals.
prevention-mitigation
APPROVAL FRONT-RUNNING
Prevention and Mitigation Strategies
Approval front-running is a malicious exploit where an attacker intercepts and executes a transaction before a user's intended transaction by manipulating transaction ordering, often to steal assets via excessive token approvals.
The primary defense against approval front-running is the use of revocable approvals with spending limits. Instead of granting an infinite (type(uint256).max) allowance, users should approve only the exact amount needed for a specific transaction. Modern wallet interfaces and security tools often prompt users to set a custom limit. Furthermore, employing deadline parameters in decentralized exchange interactions can invalidate a transaction after a set time, preventing a captured transaction from being executed later under unfavorable conditions.
On the technical layer, gas optimization and private transaction relays are critical. Submitting transactions with competitively high gas prices can reduce the time window for front-running, though this is costly. More effectively, using services like Flashbots Protect or TxFlash, which submit transactions directly to miners/validators via a private mempool, prevents them from being visible in the public mempool where they can be targeted. Developers can also implement commit-reveal schemes, where a user first submits a hashed intent, obscuring details until the final execution transaction.
For smart contract developers, architectural patterns like pull-over-push payments and the Checks-Effects-Interactions pattern are vital for internal state safety, but specific to approvals, integrating permit signatures (EIP-2612) allows token approvals via off-chain signatures that are used in a single transaction, eliminating the standing approval vulnerability entirely. Regular approval revocation via tools like Revoke.cash or Etherscan's Token Approval tool is a crucial user habit to minimize exposure from past, unused approvals.
EXTRACTABLE VALUE MECHANISMS
Comparison: Approval Front-Running vs. Related MEV
Contrasts the specific attack vector of approval front-running with broader, related forms of Maximal Extractable Value (MEV).
| Feature / Dimension | Approval Front-Running | Generalized Front-Running (e.g., DEX Arb) | Sandwich Attack |
|---|---|---|---|
Core Target | ERC-20 token approval | Pending transaction in mempool | Pending DEX trade in mempool |
Primary Vector | Spender address modification | Transaction order manipulation | Transaction order manipulation |
Extraction Method | Direct token transfer via approval | Arbitrage between venues | Surrounding victim trade with own orders |
Required Permission | Initial user approval (misused) | None (public mempool) | None (public mempool) |
Victim's Loss | Up to full approved amount | Slippage / worse price | Slippage / price impact |
Seeker's Gain | Stolen tokens | Arbitrage profit | Spread capture from victim |
Prevention Focus | Revoke unused approvals, use permit2 | Private RPCs (e.g., Flashbots Protect), commit-reveal | Private RPCs, higher slippage tolerance |
APPROVAL FRONT-RUNNING
Common Misconceptions
Clarifying widespread misunderstandings about the security risks and mechanics of token approvals in decentralized finance.
Approval front-running is a security exploit where a malicious actor monitors the public mempool for pending transactions that grant a token approval to a smart contract and then submits their own transaction with a higher gas fee to be processed first. The attacker's transaction is a malicious request for the user to grant an infinite approval (or a very high allowance) to a different, attacker-controlled contract. If the user has already signed the legitimate approval transaction, they may inadvertently sign the malicious one, believing it to be the same request. This exploits the fact that many wallets present approval requests with minimal contextual details, making them difficult to distinguish.
APPROVAL FRONT-RUNNING
Frequently Asked Questions
Approval front-running is a critical security vulnerability in decentralized finance (DeFi) where attackers exploit the time delay between a user granting a token approval and the intended transaction. This glossary section answers the most common technical and security questions about this exploit.
Approval front-running, also known as an approval phishing attack, is a blockchain exploit where a malicious actor monitors the mempool for pending transactions where a user grants a smart contract unlimited or excessive token spending approval. The attacker then submits a transaction with a higher gas fee to race ahead of the user's legitimate transaction, using the granted approval to steal the user's tokens before the intended dApp can execute its function. This attack vector exploits the inherent latency and transparency of public blockchain networks.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall