Main Takeaways
While transaction approvals can simplify interactions in Web3, they may lead to phishing attacks and approval abuse if not managed carefully.
Scammers often exploit unlimited approvals and unverified contracts to drain funds, making it essential for users to limit approvals and revoke access when it becomes unnecessary.
Always use trusted platforms, stay up to date with the latest phishing schemes, and utilize tools like Binance Web3 Wallet's built-in safeguards to protect your assets.
In the Web3 world, smart contracts and decentralized applications (DApps) power most of today’s exciting innovations. But with great tech comes great responsibility. One crucial yet often overlooked feature of Web3 interactions is approval — the permission users grant to third parties to manage their funds. While this can streamline transactions, it also comes with risks if not handled carefully. In this guide, we'll break down the hidden dangers of approvals and show you steps to protect your assets in Web3.
Understanding Approvals
Granting approvals in the Web3 world is like issuing an all-access pass at an amusement park – once someone has it, they don’t need to stop and buy a ticket at every ride. When you approve a third party, whether it’s a smart contract or an externally owned account (EOA), you’re letting them move tokens from your wallet without needing to check with you every time. Once given, this permission stays active until you either spend the approved amount or manually revoke it.
Be it transferring, swapping, staking tokens, or listing NFTs for sale, these approvals save you constant confirmations, just like skipping the ticket booth at every ride with a park pass. Other than saving you time, approvals can also save gas fees by reducing the number of times you need to approve transactions.For example, a user can approve a specific amount of a token, like USDT, to a smart contract, allowing it to handle transactions on their behalf without needing repeated confirmations for each one.
A Typical Approval Flow
Below is a simplified breakdown of a typical approval flow.
Connection: The user connects their wallet to the DApp and initiates the desired interaction. This could involve actions like transferring, swapping, lending, staking, or listing NFTs.
Transaction Initiation: A transaction request appears, showing the details of the approval. These usually include:
The token used and the amount being approved.
The address receiving the approval (usually the DApp's contract address).
A description of the action being performed.
Transaction Confirmation: Once the user has confirmed the approval request, it is recorded on the blockchain. The DApp has permission to spend or transfer the specified amount of tokens on the user’s behalf.
Spending Funds: When the smart contract attempts to spend a token, the token contract checks if permission has been granted. If so, the transaction proceeds and the funds are spent.
The Risk: Approval Abuse
While approvals streamline DApp interactions, they also introduce security risks, particularly through phishing attacks. Malicious actors can exploit this mechanism by tricking users into approving transactions for smart contracts or externally owned accounts (EOAs) under their control, which could lead to the draining of the user's funds.
Please note that after such approvals are granted, most Web3 wallets will not require any further biometric or 2FA authentication for smart contracts or EOAs to initiate a transfer of your tokens.
There are two main methods for granting token permissions:
Approval Functions: These allow the wallet owner to approve a specific amount of tokens for use, which remains in effect until the set amount is reached.
For NFTs, the setApprovalForAll() function is commonly used, giving the platform the ability to transfer your NFT after a sale.
Most NFT marketplaces use unlimited approvals to simplify transactions, since limited approvals can only be granted to one address at a time.
Allowance Functions: These regulate the token allowance, giving approval for a smart contract to spend up to the specified amount.
What is Approval Phishing?
Approval phishing happens when scammers trick users into giving them permission to access and spend their crypto. In Web3, approvals are like giving someone a key to your wallet — letting them move tokens or NFTs on your behalf without asking you again. Scammers exploit this by creating fake DApps or websites that look legitimate, tricking users into approving contracts that give scammers control over their funds.
Typically, scammers use these two common methods to extract funds:
transferFrom() function: Transfers funds from your wallet to another account after approval is granted.
Multicall() function: Executes multiple transferFrom calls in a single transaction, moving funds to various scammer-controlled addresses.
If the approval isn’t revoked, it remains active indefinitely, allowing scammers to steal more funds long after your initial interaction with the malicious DApp. There have been cases where funds were stolen again weeks after the original theft because the approval was still active.
Let's break down how a typical approval phishing attack works.
1. The Setup: Attackers often create fake websites or applications that mimic legitimate platforms. These could be anything from mining, trading, staking services to NFT marketplaces and other blockchain-based applications.
2. The Bait: Victims are lured in through phishing emails, fake ads, or links in social media groups. Scammers create urgency, convincing users to act quickly to maximize profits.
3. The Hook: The fake platform requests the user to approve a transaction, granting permission for the scammer to spend tokens. If the approval amount is large or unlimited, the scammer can continue to withdraw funds until that value is reached or until the victim revokes permission.
4. The Sinker: Once approval is granted, the scammer executes functions like transferFrom() or Multicall(), transferring tokens to accounts they control.
Popular tactics include using fake airdrops, bogus mining or staking sites, fake trading platforms, and fraudulent NFT minting services to get victims to grant approvals. Caution paired with the habit of revoking unnecessary approvals can help protect you from such attacks.
Real-Life Examples
Granting Approval to a Scammer’s Wallet
The victim was tricked into joining a fake Binance WhatsApp group, where self-proclaimed investment advisors directed them to a phishing DApp disguised as a Web3 investment platform. After connecting their crypto wallet to the DApp, the user unknowingly gave the scammer permission to spend their funds by approving an unlimited amount of USDT.
Once approval was granted, the scammer used the transferFrom command to move all the funds from the victim’s wallet to their own.
Granting Approval to a Malicious Contract
In a case illustrating another common scenario, the victim was deceived by promises of hefty daily profits if they invest via the DApp that the scammers recommended. The user approved a fake contract, allowing it to access unlimited amounts of their slisBNB tokens.
The scammer then used the Multicall function, which allows to execute several transfers in one go, to move the victim's tokens to several different accounts under the scammer’s control.
Because the victim remained unaware of the breach, approval wasn’t revoked. The scammer returned 21 days later and used the same method to steal additional tokens from the victim’s wallet.
How Binance Web3 Wallet Keeps You Safe
Users exploring the world of decentralized applications with Binance Web3 Wallet enjoy additional security safeguards against common Web3 threats, including approval abuse.
When you're about to approve funds to unverified or potentially risky contracts, Binance Web3 Wallet will issue a warning, flagging the transaction as unsafe. This prompt gives you the chance to reconsider and avoid potential scams. It’s always important to double-check the details and perform your own research before proceeding with any approval.
Binance Web3 Wallet also gives you more control over your approvals, by allowing you to:
Review and revoke any approvals that you don’t recognize or no longer need.
Disconnect from any suspicious or unrecognized DApps.
Protecting Yourself From Phishing
To stay safe in the Web3 space and avoid phishing attacks, it's crucial to take some basic precautions:
Limit Approvals: Instead of giving unlimited permission for someone to spend your funds, set a limit on how much can be approved at a time. While it might cost a little extra in gas fees, it's far safer than potentially losing everything. And remember, never approve funds to personal wallet addresses (EOAs) unless you're absolutely sure you can trust the owner.
Stick to Trusted Platforms: If a platform seems suspicious or unfamiliar, it's best to avoid it. Always double-check the website URL to make sure you're interacting with a legitimate service.
Be Wary of Get-Rich-Quick Schemes: Offers that sound too good to be true usually are. Avoid unsolicited messages or websites that promise massive rewards or quick profits, especially if they require you to take urgent actions that involve your crypto wallet.
Use Secure Wallets: Opt for reputable wallets with built-in safety features such as Binance Web3 Wallet, which alerts you to risky tokens, sites, and transactions, including warnings about malicious contracts or incorrect addresses.
Stay Informed: Keep yourself updated on the latest scam tactics and security measures in the Web3 world. The more you know, the harder it is for scammers to catch you off guard.
Final Thoughts
Adopting the right habits and staying vigilant will make your Web3 journey safer and more rewarding. The proactive steps you take today, such as avoiding unlimited approvals and staying mindful of suspicious offers, can help prevent costly mistakes tomorrow. While Binance Web3 Wallet’s built-in safeguards provide valuable support, it’s ultimately your awareness that remains the first line of defense. So, stay smart, stay safe, and continue enjoying the benefits of the decentralized world safely.