DeFi Token Approvals: How Unrevoked Permissions Drain Wallets
Why this matters
Most DeFi interactions that move tokens start with an approval: an on-chain permission that does not expire on its own. If the approved contract is later compromised, that permission lets the attacker pull tokens from your wallet without any further action on your part. Checking and revoking open approvals is one of the most direct steps a DeFi user can take to reduce that attack surface.
DeFi token approvals are on-chain permissions you grant to smart contracts when you use a decentralized application. Unlike a password you can reset or an account you can close, an approval stays in force until you overwrite or revoke it with another transaction. The approval you granted to use a yield farm in 2022 or an NFT marketplace in 2021 is still active today unless you have explicitly revoked it.
What a Token Approval Actually Grants
When you connect a wallet to a DEX, a lending platform, or an NFT marketplace, the app asks you to approve its contract before it can move tokens on your behalf. For most tokens this is an approve transaction you sign and send; tokens that implement permit (EIP-2612) reach the same on-chain state from a signed message. The approval names a spender contract and an amount, and it is scoped per token and per spender. For ERC-20 tokens, it lets the spender move up to that amount out of your wallet through transferFrom. For NFTs (ERC-721 and ERC-1155), apps normally request setApprovalForAll, which lets the operator transfer every item you hold in that collection; ERC-721 also supports a per-token approve. Most apps default ERC-20 allowances to unlimited (the maximum uint256 value), and most users accept without adjusting.
That record lives on-chain indefinitely. It does not expire when you stop using the app, and it is tied to the wallet that granted it, so moving to a new wallet does not clean up the old one. Because each chain keeps its own approval state, a user active on Ethereum, Arbitrum, BNB Chain, and Polygon accumulates separate records on each network. A user who has interacted with ten DeFi apps across three chains over the past year can easily hold fifty or more active approvals, many for unlimited amounts. Chainalysis documented roughly 158,000 personal wallet compromises in 2025 (Chainalysis, 2026), reflecting the ongoing scale of wallet-level attacks.
How Attackers Use Dormant Approvals
A legitimate approval becomes a direct exposure if the approved contract is later compromised. An allowance belongs to the contract, not to the team that deployed it, so whoever can make the contract issue calls can spend it. In January 2026, attackers found a flaw in SwapNet, a DEX aggregator used via the Matcha Meta interface, that allowed them to call arbitrary functions through the contract. Because users had previously granted SwapNet unlimited transfer rights over their tokens, the attacker withdrew approximately $13.4 million from wallets directly, with no new action required from victims (PeckShield, 2026). The approvals signed during normal trading months earlier were sufficient.
A second class of attack is approval phishing, which differs from seed-phrase phishing in one key aspect: no seed phrase or password is required. A fake DeFi site or a hijacked DNS record leads you to approve a malicious contract, and the attacker can drain the approved tokens at any later point, with no further signature from you. The CoW Swap DNS attack in April 2026 redirected normal traffic to a counterfeit interface using this method. Approval-based attacks accounted for over $200 million in losses across 2024 and 2025 combined (Revoke.cash Exploits Database, 2026).
What to Check in Your Own Setup
The starting point is an inventory of what permissions your wallet holds. Revoke.cash covers over 100 networks and shows every active approval alongside the approved amount, the contract address, and when it was granted. Etherscan has a Token Approval Checker for Ethereum; equivalent tools exist on BNB Chain, Polygon, Arbitrum, and Optimism through their block explorers. These tools find approvals by scanning Approval and ApprovalForAll events and then reading the live allowance, because a spender that consumes part of an allowance through transferFrom does not necessarily emit a new event. Focus on unlimited allowances and on contracts you no longer use. Revoking an ERC-20 approval means sending approve(spender, 0) to the token contract; revoking an NFT operator means sending setApprovalForAll(operator, false) to the collection. Each revocation is an on-chain transaction on the chain where the approval lives and costs a small gas fee.
For future interactions, set approvals to the exact amount required rather than accepting the unlimited default. Many DeFi interfaces now offer this option before you confirm. An exact-amount allowance is spent down as the contract uses it, so you will sign a fresh approval for the next trade; that extra gas is the price of bounding what a compromised contract can take.
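The inventory and revocation steps above, as an added example written for this article; it is not Asset Alert's, Revoke.cash's, or any block explorer's code. It replays raw Approval and ApprovalForAll logs in the JSON shape eth_getLogs returns, keeps the last event per token and spender (so a later approve(spender, 0) cancels an earlier unlimited grant), flags unlimited ERC-20 allowances, and builds the calldata that revokes each active entry. The event topics and function selectors are the standard keccak256 values for those signatures; the wallet, contract addresses, block numbers and logs are constructed for the demo. It also separates ERC-721 per-token Approval events, which share a topic with ERC-20 Approval but carry an extra indexed tokenId, a detail the article does not go into.

```python
"""Rebuild a wallet's approval inventory from event logs and emit revocation calldata.
Added example for this article (not Asset Alert's / Revoke.cash's / explorer code).
Assumes logs shaped like eth_getLogs output; sample data below is constructed."""
from dataclasses import dataclass

UINT256_MAX = (1 << 256) - 1
ZERO_ADDRESS = "0x" + "00" * 20

# topics[0] of each event: keccak256 of the event signature.
TOPIC_APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"          # Approval(address,address,uint256)
TOPIC_APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"  # ApprovalForAll(address,address,bool)
# Function selectors used to build the revocation transactions.
SEL_APPROVE = "095ea7b3"               # approve(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)


def _addr(word: str) -> str:
    """Lowercase 0x address from a 32-byte ABI word (address is right-aligned)."""
    return "0x" + word[-40:].lower()


def _uint(word: str) -> int:
    return int(word, 16)


@dataclass
class Approval:
    token: str    # contract that emitted the event (token or NFT collection)
    spender: str  # approved contract / operator
    kind: str     # "erc20", "erc721-token" or "for-all"
    value: int    # allowance, tokenId, or 1/0 for ApprovalForAll

    @property
    def unlimited(self) -> bool:
        return self.kind == "erc20" and self.value == UINT256_MAX

    @property
    def active(self) -> bool:
        if self.kind == "erc721-token":
            return self.spender != ZERO_ADDRESS
        return self.value > 0


def inventory(owner: str, logs: list) -> list:
    """Replay approval events in chain order; the last event per key wins,
    so a later approve(spender, 0) cancels an earlier unlimited approval."""
    owner = owner.lower()
    state = {}
    for log in sorted(logs, key=lambda l: (_uint(l["blockNumber"]), _uint(l["logIndex"]))):
        topics = log["topics"]
        if len(topics) < 3 or _addr(topics[1]) != owner:
            continue  # not an approval-shaped event, or another wallet's
        token, spender = log["address"].lower(), _addr(topics[2])
        if topics[0] == TOPIC_APPROVAL and len(topics) == 3:
            # ERC-20 Approval(owner, spender, value): value is in data
            state[(token, spender, "erc20")] = Approval(token, spender, "erc20", _uint(log["data"]))
        elif topics[0] == TOPIC_APPROVAL and len(topics) == 4:
            # ERC-721 Approval(owner, approved, tokenId): same topics[0], but tokenId is
            # indexed (4th topic). Keyed by tokenId: a new approve() replaces the operator.
            token_id = _uint(topics[3])
            state[(token, "erc721-token", token_id)] = Approval(token, spender, "erc721-token", token_id)
        elif topics[0] == TOPIC_APPROVAL_FOR_ALL:
            # ApprovalForAll(owner, operator, approved): bool is in data
            state[(token, spender, "for-all")] = Approval(token, spender, "for-all", _uint(log["data"]))
    return [a for a in state.values() if a.active]


def revoke_calldata(a: Approval) -> str:
    """ABI-encoded calldata that removes the approval; send it to a.token."""
    spender_word, zero_word = a.spender[2:].rjust(64, "0"), "0" * 64
    if a.kind == "for-all":
        return "0x" + SEL_SET_APPROVAL_FOR_ALL + spender_word + zero_word  # setApprovalForAll(op, false)
    if a.kind == "erc20":
        return "0x" + SEL_APPROVE + spender_word + zero_word               # approve(spender, 0)
    return "0x" + SEL_APPROVE + zero_word + format(a.value, "064x")        # approve(address(0), tokenId)


# --- constructed sample: one wallet, three contracts, seven logs (not real chain data) ---
OWNER, OTHER = "0x" + "11" * 20, "0x" + "99" * 20
DEX, FARM, MARKET = "0x" + "22" * 20, "0x" + "33" * 20, "0x" + "44" * 20
TOKEN_A, TOKEN_B, NFT = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20


def _w_addr(addr: str) -> str:
    return "0x" + addr[2:].rjust(64, "0")


def _w_uint(n: int) -> str:
    return "0x" + format(n, "064x")


def _log(block, idx, address, topics, data):
    return {"blockNumber": hex(block), "logIndex": hex(idx), "address": address, "topics": topics, "data": data}


SAMPLE_LOGS = [
    _log(100, 0, TOKEN_A, [TOPIC_APPROVAL, _w_addr(OWNER), _w_addr(DEX)], _w_uint(UINT256_MAX)),
    _log(120, 3, TOKEN_B, [TOPIC_APPROVAL, _w_addr(OWNER), _w_addr(FARM)], _w_uint(5 * 10**18)),
    _log(130, 1, NFT, [TOPIC_APPROVAL_FOR_ALL, _w_addr(OWNER), _w_addr(MARKET)], _w_uint(1)),
    _log(150, 0, TOKEN_A, [TOPIC_APPROVAL, _w_addr(OWNER), _w_addr(DEX)], _w_uint(0)),               # revoked
    _log(160, 2, TOKEN_B, [TOPIC_APPROVAL, _w_addr(OWNER), _w_addr(DEX)], _w_uint(UINT256_MAX)),     # unlimited
    _log(165, 0, TOKEN_A, [TOPIC_APPROVAL, _w_addr(OTHER), _w_addr(DEX)], _w_uint(UINT256_MAX)),     # other wallet
    _log(170, 4, NFT, [TOPIC_APPROVAL, _w_addr(OWNER), _w_addr(DEX), _w_uint(7)], "0x"),             # ERC-721 tokenId 7
]

if __name__ == "__main__":
    for a in inventory(OWNER, SAMPLE_LOGS):
        flag = "UNLIMITED" if a.unlimited else ""
        print(f"{a.kind:13} {a.token} -> {a.spender} {flag}\n    revoke: {revoke_calldata(a)}")
```

On the constructed logs this reports four active approvals (the TOKEN_A allowance to DEX was zeroed at block 150 and the OTHER wallet's grant is ignored) and flags the TOKEN_B allowance to DEX as unlimited. Treat the event replay as a lead, not proof: before sending any revocation, read the live allowance(owner, spender) or isApprovedForAll(owner, operator) from the contract, since a spender that has already drawn down part of an allowance may not have emitted a new event.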
Asset Alert's scoring engine treats open DeFi approvals as a factor in your overall setup health. More than 15 open approvals registers as a high-severity finding, and 5 to 15 registers as medium. You can see how your approval count scores alongside concentration risk and other gaps by mapping your setup in the app.