Back in Lesson 12 you met approvals — the permission that lets a contract move one of your tokens. Here we treat them as what they really are: a standing security exposure you should manage actively.
The risk in one sentence
Every unlimited approval you've ever granted is a door left open: if that contract is malicious, buggy, or later exploited, it can move that token out of your wallet — even months after you forgot about it.
Unlimited vs. limited, revisited
- Unlimited approvals are convenient and common on trusted DEXes, but they leave the full balance of that token reachable indefinitely.
- Limited approvals cap the exposure to a set amount, at the cost of re-approving for larger trades.
A reasonable policy: unlimited only for a handful of blue-chip, audited protocols you use constantly; limited (or revoke-after) for everything new or experimental.
How to review and revoke
- Open a reputable approvals dashboard — your wallet's permissions page, a block explorer's token-approval tool, or a trusted service like Revoke.cash.
- Connect and review what each contract can spend. Old, unfamiliar or unlimited approvals are your targets.
- Revoke the ones you no longer need. Revoking sets the allowance back to zero — it's a small transaction, so it costs a little gas.
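The review-and-revoke steps above, as an added example that is not part of this lesson: it replays constructed Approval events the way a dashboard would, applies the policy from the previous section (unlimited tolerated only for trusted protocols), and builds the `approve(spender, 0)` calldata a revoke transaction sends. The token names and addresses are placeholders, and the 90-day staleness window is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
UNLIMITED = 2**256 - 1         # MaxUint256, what most "unlimited" approvals actually set
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")

@dataclass
class Approval:
    """One ERC-20 Approval(owner, spender, value) event for your wallet, as a dashboard indexes it."""
    token: str
    spender: str
    value: int        # allowance granted; 0 means this transaction was a revoke
    when: datetime    # block timestamp of the approving transaction

def open_allowances(events):
    """Replay in time order: the latest approve() per (token, spender) is the live allowance."""
    live = {}
    for ev in sorted(events, key=lambda e: e.when):
        live[(ev.token, ev.spender)] = ev
    return [ev for ev in live.values() if ev.value > 0]

def flag(ev, trusted, now, stale_after=timedelta(days=90)):
    """Apply the lesson's policy: unlimited is tolerated only for trusted, actively used protocols."""
    reasons = []
    if ev.spender not in trusted:
        reasons.append("unfamiliar")
        if ev.value == UNLIMITED:
            reasons.append("unlimited")
    if now - ev.when > stale_after:
        reasons.append("stale")
    return reasons

def revoke_calldata(spender):
    """Calldata for approve(spender, 0): selector, address left-padded to 32 bytes, then a zero word."""
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40:
        raise ValueError("spender must be a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64

def review(events, trusted, now):
    """(token, spender, reasons, revoke calldata) for each live allowance the policy says to revoke."""
    return [(ev.token, ev.spender, r, revoke_calldata(ev.spender))
            for ev in open_allowances(events) if (r := flag(ev, trusted, now))]

# Constructed sample data; addresses are placeholders, not real contracts.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
TRUSTED_DEX, NEW_SITE = "0x" + "11" * 20, "0x" + "22" * 20
SAMPLE = [Approval("USDC", TRUSTED_DEX, UNLIMITED, NOW - timedelta(days=10)),
          Approval("USDC", NEW_SITE, UNLIMITED, NOW - timedelta(days=200)),
          Approval("WETH", NEW_SITE, 5 * 10**17, NOW - timedelta(days=200)),
          Approval("WETH", NEW_SITE, 0, NOW - timedelta(days=100))]  # later revoked, so not live
```

Running `review(SAMPLE, {TRUSTED_DEX}, NOW)` reports only the stale unlimited approval to the unfamiliar site; the trusted DEX allowance passes the policy and the WETH allowance was already revoked.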
Make it a habit
Review approvals periodically, and especially after using a new or unaudited site. Think of it like closing browser tabs you no longer need — except these tabs can spend your money. Good approval hygiene is one of the highest-leverage security habits in DeFi, and it directly defends against the drainer scams in the next module.
Mistakes to avoid
- Never revoking, so years of unlimited approvals to dead or risky contracts pile up.
- Approving unlimited on a brand-new site just to save a few cents of gas.
- Assuming revoking is automatic — it's a deliberate transaction you must make.