
Topic: Be careful with "approve" button when dealing with DeFi (Read 192 times)

member
Activity: 210
Merit: 10
I do not think that we can put much blame on the investor or the liquidity provider in this scenario because he was sure of the safety because he was doing everything in a decentralized manner via smart contracts, but we all know we have greed and scammy people everywhere, so this scam happened, but the guy must be feeling comfortable while depositing due to the DeFi claim. I hope the scammers will be caught and the depositor will get his money back.
member
Activity: 854
Merit: 10
Thanks for sharing this. A lot of traders are not aware of this. With this well-explained information, I am sure a lot of traders will learn more about DEX exchanges and be careful each time they are using the exchange.
hero member
Activity: 2128
Merit: 530
I saw the article also and read a tweet storm about this. With all these new smart contracts being deployed, one needs to be very careful. I won't touch any new platform unless it has been in operation for a few months; by now people would have tried and tested it for production. I believe this incident won't be the last and people need to watch out.
legendary
Activity: 2996
Merit: 1132
I didn't know that you could limit the access, this could be amazing for a lot of people because they are basically giving full access to that coin forever and that is something quite risky. I understand that some people are not involved for trading, they are involved for a trade and when they do their job and get it done they just cancel everything because they got all they wanted and no longer need it.

With this new permission thingy they could simply just allow them as much as they want and edit it the way it would be limiting swap to not go all in. I still trust a lot of them and I doubt they would do it considering how much money they are making, all those swaps would be very careful about it, but I do not trust outside attacks that might try to steal that permission.
legendary
Activity: 2590
Merit: 1236
This is a piece of helpful information. Not many MetaMask users know about this limitation thing. Not knowing this information may lead to huge losses due to possible smart contract abuse. I seldom use MetaMask, and only access an address from which I need to move all the funds and never use it again, so I am not quite concerned about that possible abuse, but this info just gave me important information on how to secure the address funds while using MetaMask.

The biggest problem is for liquidity providers because they have to use MetaMask to provide liquidity for the pools. And they often hold a lot of money to get more trading fees. I suggest that they use limit function to limit smart contract access to their funds.
legendary
Activity: 2954
Merit: 1153
This is a piece of helpful information. Not many MetaMask users know about this limitation thing. Not knowing this information may lead to huge losses due to possible smart contract abuse. I seldom use MetaMask, and only access an address from which I need to move all the funds and never use it again, so I am not quite concerned about that possible abuse, but this info just gave me important information on how to secure the address funds while using MetaMask.
full member
Activity: 1829
Merit: 134
Moderator
Whoa dude, that was a huge amount. Well, DeFi has already existed for a while but was hyped recently, so there will still be something like this, and this was dangerous for non-devs or new people like me. I mean, basically it's really hard when checking/reading the contract on GitHub or Etherscan. Well, let's be more careful and do some research before doing anything, especially in crypto.
legendary
Activity: 2590
Merit: 1236
But yesterday I stumbled upon this article where a guy lost $140.000 worth of UNI because he granted a smart contract unlimited access to his UNI tokens. He provided liquidity on the UniCats yield farming platform. After a while the user withdrew his UNI, but the UniCats smart contract contained a backdoor which enabled its admin to access UNI even though it was in a user wallet.

Platforms like the UniCats shouldn't be allowed on the main public ecosystem until they are proven to be secured/safe... and users should be clearly warned about such platforms if they have not been thoroughly tested so people don't put too much funds in them.
I think there should be mechanisms developed to thoroughly audit/review smart contracts decentrally. Once they pass the review they are automatically allowed on the main public space for serious business.

I agree. But people use smart contracts that are not audited. If users wouldn't use those smart contracts, that would force admins to have their smart contracts audited. The beauty (and danger) of crypto is that everyone is free to publish smart contracts as they like. It's up to the users to choose not to use unaudited smart contracts.
Ucy
sr. member
Activity: 2674
Merit: 403
But yesterday I stumbled upon this article where a guy lost $140.000 worth of UNI because he granted a smart contract unlimited access to his UNI tokens. He provided liquidity on the UniCats yield farming platform. After a while the user withdrew his UNI, but the UniCats smart contract contained a backdoor which enabled its admin to access UNI even though it was in a user wallet.

Platforms like the UniCats shouldn't be allowed on the main public ecosystem until they are proven to be secured/safe... and users should be clearly warned about such platforms if they have not been thoroughly tested so people don't put too much funds in them.
I think there should be mechanisms developed to thoroughly audit/review smart contracts decentrally. Once they pass the review they are automatically allowed on the main public space for serious business.
sr. member
Activity: 1050
Merit: 250
That's very good information you have put together. Is there any way you can provide this feedback to MetaMask so they can make the necessary changes? I don't think anyone who is new to MetaMask would know this information first hand, and it's MetaMask's responsibility to make new users aware.

I'm sure that MetaMask owners are aware of this. However, I think that they should change how approve works on MetaMask. Maybe that user needs to decide if they want to approve unlimited or limited access instead of just allowing unlimited access by default.

You write very useful information, buddy, and people should know the meaning of the "Approve" button before they push it,
because unlimited access to our assets is weird.
sr. member
Activity: 2520
Merit: 280
If someone is not sure about what they are doing then they should really stop doing it; getting clear knowledge before trying it again is better in my opinion. Giving unlimited access is actually a stupid thing a crypto user can do.

I agree. I wrote this post because I'm sure that few people know what they are doing when they click the Approve button. I'm not saying that people should not use Uniswap and other DEXes but they should really be careful.
That is one of the disadvantages of decentralized platforms as well, because we are on our own. A simple mistake can even result in a huge loss, so the user experience is not going to be the same as trading on a CEX, but it's highly secure when we do everything right.
legendary
Activity: 3416
Merit: 1225
This is very important. Some of us do not know how a contract can trigger activation of something within our wallet, and we are not aware how it happened, and it's too late because we did not know they have this kind of feature. A contract works on an "if this then that" action, and a contract works on trust; they did not bother to know the action this smart contract will trigger.

So before doing an action, be sure to know what the contract is going to do. It's good that OP created this topic; it's timely, and now people should do a lot of research.
 
legendary
Activity: 2604
Merit: 1504
Thank you for bringing up this topic on MetaMask, because just since the beginning of the hype around DeFi projects, the number of MetaMask users has grown significantly and now amounts to more than 1 million active users per month, as MetaMask states on its Twitter https://twitter.com/metamask_io/status/1313228298642575360 . And I think it will continue to grow because in 2020 alone, more than 75 centralized exchanges have already closed. After MetaMask announces its DeFi aggregator, we hope that such incidents will be avoided in the future.
legendary
Activity: 2590
Merit: 1236
That's very good information you have put together. Is there any way you can provide this feedback to MetaMask so they can make the necessary changes? I don't think anyone who is new to MetaMask would know this information first hand, and it's MetaMask's responsibility to make new users aware.

I'm sure that MetaMask owners are aware of this. However, I think that they should change how approve works on MetaMask. Maybe that user needs to decide if they want to approve unlimited or limited access instead of just allowing unlimited access by default.
hero member
Activity: 1540
Merit: 500
That's very good information you have put together. Is there any way you can provide this feedback to MetaMask so they can make the necessary changes? I don't think anyone who is new to MetaMask would know this information first hand, and it's MetaMask's responsibility to make new users aware.
legendary
Activity: 2590
Merit: 1236
If someone is not sure about what they are doing then they should really stop doing it; getting clear knowledge before trying it again is better in my opinion. Giving unlimited access is actually a stupid thing a crypto user can do.

I agree. I wrote this post because I'm sure that few people know what they are doing when they click the Approve button. I'm not saying that people should not use Uniswap and other DEXes but they should really be careful.
sr. member
Activity: 2520
Merit: 280
If someone is not sure about what they are doing then they should really stop doing it; getting clear knowledge before trying it again is better in my opinion. Giving unlimited access is actually a stupid thing a crypto user can do.
legendary
Activity: 2590
Merit: 1236
As many of you know, to swap tokens on Uniswap or any other DEX you have to first click the Approve button on MetaMask (this has to be done when adding liquidity too). Many of you know about this, but I bet very few people know what the approve function actually does. By doing approve you are giving permission to a smart contract to manage your crypto asset (you have to approve each token individually). This means that a smart contract can transfer your tokens without you even knowing it.
Most of you will say "OK, but I can't trade on Uniswap if I don't do approve first". That's true, but did you know that you can limit the amount of tokens a smart contract can access? For example, if you wanna swap 200 LINK for ETH, you have to approve the smart contract to access your LINK tokens. By default MetaMask grants an unlimited amount of LINK when a user is doing approve. But before you confirm that transaction you can click "Edit Permission" and choose "Custom Spend Limit" instead of the default selection "Unlimited". That way you are granting a smart contract access only to a portion of your LINK holding instead of unlimited access.

I knew what I was doing when I clicked the Approve button, but I thought that I had no choice if I wanna use Uniswap. But yesterday I stumbled upon this article where a guy lost $140.000 worth of UNI because he granted a smart contract unlimited access to his UNI tokens. He provided liquidity on the UniCats yield farming platform. After a while the user withdrew his UNI, but the UniCats smart contract contained a backdoor which enabled its admin to access UNI even though it was in a user wallet.
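
Added example, not part of the original post or of MetaMask's code: a check of an ERC-20 `approve(address,uint256)` request that tells the "Unlimited" default apart from a custom spend limit and reports how many tokens the spender could move. The spender address, wallet balance and the 18-decimal LINK unit are constructed sample values, and the helper names are hypothetical.

```javascript
// Added example: review an ERC-20 approve() request before signing it.
const MAX_UINT256 = (1n << 256n) - 1n;  // value sent by the "Unlimited" default
const APPROVE_SELECTOR = "095ea7b3";     // selector of approve(address,uint256)

// Build approve() calldata (used here only to construct sample input).
function encodeApprove(spender, amount) {
  return "0x" + APPROVE_SELECTOR +
    spender.replace(/^0x/, "").toLowerCase().padStart(64, "0") +
    amount.toString(16).padStart(64, "0");
}

// Decode approve() calldata; returns null for any other call or bad input.
function decodeApprove(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{136}$/.test(hex) || !hex.startsWith(APPROVE_SELECTOR)) return null;
  return {
    spender: "0x" + hex.slice(32, 72),     // low 20 bytes of the first argument
    amount: BigInt("0x" + hex.slice(72)),  // second argument, in token base units
  };
}

// Compare the requested allowance with the amount the user means to spend.
// atRisk is what the spender could pull right now: min(allowance, balance).
function reviewApproval(data, intendedAmount, walletBalance) {
  const call = decodeApprove(data);
  if (!call) return { verdict: "not-approve" };
  const atRisk = call.amount < walletBalance ? call.amount : walletBalance;
  let verdict = "ok";
  if (call.amount === 0n) verdict = "revoke";  // approve(spender, 0) clears access
  else if (call.amount === MAX_UINT256) verdict = "unlimited";
  else if (call.amount > intendedAmount) verdict = "exceeds-intended";
  return { verdict, spender: call.spender, atRisk };
}

// Constructed sample: wallet holds 5000 LINK, user wants to swap 200 LINK.
const LINK = 10n ** 18n;                  // assumed 18-decimal token unit
const SPENDER = "0x" + "11".repeat(20);   // placeholder contract address
const balance = 5000n * LINK;
const intended = 200n * LINK;
for (const amount of [MAX_UINT256, intended, 0n]) {
  const r = reviewApproval(encodeApprove(SPENDER, amount), intended, balance);
  console.log(r.verdict, "at risk:", r.atRisk / LINK, "LINK");
}
```

An allowance stays in force until it is spent or replaced, so with the unlimited value the amount at risk follows the wallet balance, including tokens that arrive in the wallet later.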