Participating in the decentralized finance space often requires granting projects permission to spend tokens from one’s own wallet.
These permissions — called ERC-20 allowances — simplify smart contract interactions by letting a user send funds to a contract while simultaneously calling a state-changing function.
However, malicious actors can abuse this allowance to drain funds from an unsuspecting trader. To understand this risk vector, it helps to explain how ERC-20 allowance permissions work.
Upon first interacting with a new DeFi project, traders need to allow the decentralized application to spend funds — usually Ether (ETH) or a stablecoin like Tether (USDT) — from their wallets.
This allowance is often unlimited, which eliminates the need for further approval steps when the trader executes subsequent transactions. Under normal operating conditions, the DeFi project will only spend the amount specified by the trader.
However, abnormal operating conditions can emerge, as has been seen on numerous occasions in the DeFi space. Smart contract bugs like the one suffered by Bancor back in June 2020 can expose this vulnerability and drain funds from user wallets.
During the 2020 DeFi mania, rogue actors also exploited this vulnerability to steal funds from unsuspecting traders. One such example was UniCats, where the project developers themselves stole Uniswap (UNI) tokens from their users.
One useful practice traders can adopt is to review the existing allowances on their wallets. Platforms like revoke.cash and approved.zone can identify the ERC-20 allowances associated with an address and offer options to revoke or lower them.
Another method applies at the initial interaction stage: instead of granting an unlimited allowance, traders can set custom spend limits in their MetaMask wallets when approving spend limits for new tokens.
With ERC-20 the de facto token standard for the DeFi space, users will still have to contend with the unlimited allowance risk. However, traders can adopt these practices to minimize the dangers associated with this potential vulnerability.
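How the allowance mechanism described above plays out, as an added example that is not part of the original article: a small Python model of ERC-20 approve/transferFrom with constructed addresses and balances, comparing what a rogue spender can drain under an unlimited allowance versus a custom limit, and building the approve(spender, 0) calldata a revocation tool submits. The 0x095ea7b3 selector is the standard ERC-20 approve selector; the toy ledger is a model, not a chain client.

```python
# Added example (not from the article): in-memory model of ERC-20 allowances showing
# why an unlimited approval exposes the whole balance and how a limit or revocation bounds it.
MAX_UINT256 = 2**256 - 1        # the "unlimited" allowance value many dapps request
APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")

class Token:
    """Toy ERC-20 ledger: addresses are strings, amounts are integers (constructed data)."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}    # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        # approve() overwrites the previous value; approve(spender, 0) revokes
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        """Spender moves the owner's tokens; reverts if allowance or balance is short."""
        allowed = self.allowance(owner, spender)
        if amount > allowed:
            raise ValueError("ERC20: insufficient allowance")
        if amount > self.balances.get(owner, 0):
            raise ValueError("ERC20: transfer amount exceeds balance")
        if allowed != MAX_UINT256:  # unlimited allowances are never decremented
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

def drain(token, owner, spender):
    """Worst case for the owner: a rogue or buggy spender pulls min(balance, allowance)."""
    amount = min(token.balances.get(owner, 0), token.allowance(owner, spender))
    if amount:
        token.transfer_from(spender, owner, spender, amount)
    return amount

def scenario(approved_amount):
    """Constructed wallet holding 1_000 stablecoin units; returns the drained amount."""
    token = Token({"0xtrader": 1_000})
    token.approve("0xtrader", "0xdapp", approved_amount)
    return drain(token, "0xtrader", "0xdapp")   # MAX_UINT256 -> 1000, 250 -> 250

def revoke_calldata(spender_addr):
    """ABI-encoded approve(spender, 0): selector + 32-byte address + 32-byte zero."""
    spender_hex = spender_addr[2:] if spender_addr.startswith("0x") else spender_addr
    return "0x" + APPROVE_SELECTOR + spender_hex.lower().rjust(64, "0") + "0" * 64
```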