Approval Drain

The attack exploits the ERC-20 approve() and transferFrom() functions. When a user interacts with a DApp, they often sign a transaction granting it an allowance (spending limit) for a specific token. A malicious contract can later call transferFrom() to move tokens up to that approved amount, even if the user is no longer actively using the DApp.

• Key Functions: approve(spender, amount), transferFrom(from, to, amount).
• Persistent Permission: The allowance remains valid until explicitly revoked or exhausted.

The risk severity is defined by the allowance amount granted.

• Infinite Approval: Granting type(uint256).max (essentially unlimited) is common for UX convenience but poses maximum risk. A single compromised protocol can drain the entire token balance.
• Limited Approval: Setting a specific, needed amount caps potential loss but requires frequent re-approvals.
• Best Practice: Use permit signatures (EIP-2612) for single-use allowances or regularly revoke unused approvals.

Attackers use social engineering to trick users into granting approvals.

• Malicious Airdrops: Fake tokens sent to wallets; interacting with them triggers an approval to a malicious contract.
• Spoofed DApp Frontends: Phishing sites mimicking legitimate protocols (Uniswap, Compound) to capture approvals.
• Rug Pulls: Initially legitimate projects that later turn malicious, using their existing approvals.
• Malicious NFTs: NFTs with hidden onERC721Received functions that trigger unwanted approvals.

Inferno Drainer was a widespread phishing-as-a-service kit responsible for over $80 million in stolen crypto in 2023. It automated the creation of fake websites that tricked users into signing transactions granting excessive token approvals. The kit included:

• Pre-built templates for popular protocols.
• Automated fund forwarding to the attacker.
• A dashboard for affiliates to track stolen funds. This case highlights the industrial scale of approval drain attacks.

Developers can architect safer systems to protect users.

• Implement EIP-2612 (Permit): Allows off-chain approval signatures for single transactions, eliminating persistent allowances.
• Use EIP-3009 (Transfer With Authorization): Similar to permit but more flexible for relayed transactions.
• Clear UX Warnings: Prominently display the requested allowance amount and contract details.
• Default to Limited Approvals: Design DApps to request only the necessary amount for the immediate action.

A classic case where a user granted an unlimited spending allowance for USDC to a malicious contract.

• Attack Vector: After the approval was signed, the attacker's contract could call transferFrom at any time to drain the full USDC balance.
• Key Lesson: This highlights the critical risk of signing approvals for infinite amounts (type(uint256).max). Best practice is to approve only the exact amount needed for a specific transaction.

This case exploits the EIP-2612 permit function, which allows setting approvals via a signature, not a transaction.

• How it Works: A phishing site tricks a user into signing a permit message, which grants approval directly. The user never sees a transaction pop-up, making the attack more stealthy.
• Impact: The attacker gains immediate spending rights without the user sending an on-chain approve transaction, bypassing a common wallet warning.

A sophisticated attack that combined a fake token airdrop with a spoofed security tool.

• Double-Deception: Users were first tricked into claiming a malicious token, which required a harmful approval. Then, to "secure" their wallet, they were directed to a fake version of Revoke.cash.
• Result: The fake site prompted users to sign a transaction that actually increased the attacker's allowances, exacerbating the drain instead of stopping it.

An attack leveraging a single signature to gain approval for multiple tokens simultaneously.

• Mechanism: A malicious contract uses a function like multicall or a custom function that bundles permit or approve calls for several tokens the victim holds.
• Efficiency for Attackers: This method maximizes the loot from a single victim interaction, draining USDC, DAI, and other ERC-20s in one go after the initial signature.

This card outlines the defensive tools and practices that have emerged in response to approval drains.

• Approval Revocation Tools: Services like Revoke.cash and Etherscan's Token Approval Checker allow users to review and revoke active allowances.
• Wallet Guardrails: Modern wallets (e.g., Rabby, MetaMask) now feature approval simulation and warnings for high-risk or infinite approvals.
• Best Practice: The industry standard is shifting towards allowance-based approvals and deadline-limited permits to minimize exposure.

A token allowance is the core mechanism exploited in approval drain attacks. It is a smart contract permission that authorizes a specific dApp or contract to spend a limited amount of a user's tokens on their behalf. This is essential for DeFi interactions but creates a persistent security risk if not managed.

• Standardized via ERC-20: The approve() and increaseAllowance() functions set these limits.
• Infinite Approvals: Setting an allowance to the maximum uint256 value (2^256 - 1) grants unlimited spending power, which is a primary target for drainers.

A wallet drainer is a malicious smart contract or script designed to illicitly transfer assets from a victim's wallet. It is the execution tool in an approval drain attack.

• Operation: Once a user signs a malicious transaction granting approval, the drainer contract calls the transferFrom() function to move the approved tokens.
• Sophistication: Modern drainers often use social engineering (fake websites, phishing links) and signature farming to trick users into signing the approval.

Revoking approvals is the security practice of setting a token allowance back to zero, removing a smart contract's permission to spend your tokens. This is the primary defense against dormant approval drain risks.

• Process: Done by calling the approve(spender, 0) function for the specific contract address.
• Tools: Users can manage approvals via blockchain explorers (Etherscan), wallet interfaces, or dedicated security dashboards to review and revoke permissions.

Signature farming is a social engineering technique used to obtain the signed approval transaction from a user. Attackers disguise malicious signature requests as legitimate actions.

• Common Vectors: Fake mint sites, fraudulent airdrop claims, or impersonated protocol interfaces.
• User Deception: The transaction pop-up in the wallet may obfuscate the true approve() call, showing misleading information to bypass user scrutiny.

Permit2 is a smart contract standard that introduces a safer, gas-efficient alternative to traditional ERC-20 approvals. It uses off-chain EIP-712 signatures to grant token permissions, which can reduce approval drain risks.

• Key Difference: Permits are single-use, signed messages rather than persistent on-chain allowances, limiting exposure.
• Adoption: Increasingly used by major DEXs and wallets to improve security and user experience by batching permissions.

A rug pull is a broader category of DeFi scam that can involve approval drains. While a rug pull typically refers to developers abandoning a project and draining liquidity, malicious actors may also implement hidden approval functions in their token or farm contracts.

• Connection: A project's token contract itself might contain a function that uses pre-approved allowances to steal funds from holders.
• Distinction: Not all approval drains are rug pulls, and not all rug pulls use approval drains, but the techniques can overlap.

A token approval is a permission granted by a user's wallet to a smart contract, allowing it to spend a specific amount of tokens on the user's behalf. This is a core DeFi mechanism for interactions like swapping on a DEX or providing liquidity. The risk arises when users grant unlimited approvals or fail to revoke permissions to malicious or deprecated contracts.

Approval drain attacks exploit these permissions through several methods:

• Malicious DApps: Fake or compromised websites trick users into signing approvals for malicious contracts.
• Signature Phishing: Users are tricked into signing a malicious permit or approve transaction disguised as something else.
• Contract Compromise: A previously legitimate, approved contract is hacked, turning its permissions into a vulnerability.

Users and developers can mitigate approval drain risks:

• Use Limited Approvals: Always approve only the exact amount needed for a transaction, never an unlimited amount.
• Regularly Review & Revoke: Use approval management tools to audit and revoke unused permissions.
• Verify Contracts: Interact only with verified, audited contracts from reputable sources.
• Wallet Features: Use wallets that offer simulation or explicit warnings for approval transactions.

EIP-2612 (permit) is a gasless approval standard that allows users to approve token transfers using a signature (off-chain) instead of an on-chain transaction. While convenient, it introduces a new attack surface for signature phishing. Users must be extremely cautious about signing permit messages, as they can be as dangerous as a standard approval transaction.

For developers, preventing approval-related exploits is critical:

• Smart Contract Audits: Ensure contracts properly handle approval logic and resist reentrancy.
• Event Monitoring: Monitor for unusual patterns of Approval or ApprovalForAll events from user wallets.
• Real-time Alerts: Services like Chainscore and Forta Network can detect and alert on suspicious approval patterns linked to known malicious addresses.