Author

Topic: Beware of unlimited withdraw approvals when using erc20 tokens ! (Read 222 times)

legendary
Activity: 2450
Merit: 1448
A relatively important fact occurred a few hours ago and is related to what I indicated in op.  Roll Eyes

If you have interacted with 'Furucombo', it is advisable to revoke the token spending permissions.

Indeed a malicious actor has managed to cheat the protocol and has already started to siphon some wallets.

https://twitter.com/furucombo/status/1365743632460910593

https://twitter.com/TheBlock__/status/1365749889955737611
legendary
Activity: 2450
Merit: 1448
Yesterday, as i was reading THIS thread , i allowed myself to bring some infos. This informations deserve, I think, to be more visible and that's why I created this topic.  Wink

What is the problem ?


There may be none... but if it occurs, the damage could be ... catastrophic  Shocked

The fact is that very often when authorizing the spending of a token on uniswap or one of its competitors, the setting is set by default on the maximum value. This means that if a malicious actor gets their hands on the smart contract to which you have given authorizations, then all of your tokens (of a certain type) can be removed from your wallet.

I'll let you browse the following article to finish convincing yourself:

https://cryptotesters.com/blog/token-allowances



There are a few ways to prevent unlimited and unwanted withdrawals : for example, when using metamask (on uniswap & others), first precaution you can take is to only allow a specific number of erc20 tokens you agree to sell and not to leave the setting to max by default. (Note that 1inch already offers this setting).





In addition, I would like to draw your attention to the fact that there are at least two possibilities to edit the given permissions:



1 - Token checker allowance:


https://tac.dappstar.io/

It seems that another project (MathWallet) took the idea of ​​'Token checker allowance' and adapted it for Bsc (Binance chain). I specify that I have not tested this one.

https://twitter.com/MathWallet/status/1310877806264422401





2 - https://approved.zone/

Works on the same principle as tca. (Except we can only erase autorisation, and not set a new value)

According to the following tweet, this project would come from the '1 Inch exchange' team.

https://twitter.com/1inchExchange/status/1273508633570140162



I am sharing a few ideas here, however do your own research Smiley

Jump to: