Token authorization: The biggest obstacle to user experience in the cryptocurrency industry


If you are a heavy DeFi user, you have probably been put through this cumbersome process countless times: every time you use a new dApp, you need to authorize the dApp to spend your tokens.

(Figure: Authorization interface on MetaMask)

To draw an analogy with the traditional financial industry, this process is a bit like applying for a direct debit, authorizing your electricity supplier to deduct your electricity bill from your bank account every month.

However, unlike the cryptocurrency industry, direct debits in the traditional financial industry are only available to a small number of trusted companies. These companies are less likely to deceive consumers, and even if they occasionally do, consumers can file a dispute and the bank will act as a mediator. The cryptocurrency industry does not have such tools. Some dApps are built by anonymous developers and have no dispute mechanism for deceived users. Once a payment is made on the blockchain, it cannot be reversed.

What is token authorization and how does it work?

Most tokens on the Ethereum blockchain, such as USDC and DAI, use the ERC20 standard. ERC20 tokens are actually smart contracts that contain different methods, such as transferFrom and burn. When users call these methods, the application will perform corresponding operations on the tokens.

One of these methods is approve. Any dApp you want to use will need access to your ERC20 tokens in order to operate on them. For example, if you want to deposit USDC in Aave, you first need to grant the Aave dApp's smart contract access to your USDC before you can deposit your USDC into Aave through a second transaction. You can see this authorization on your Ethereum wallet UI. While the amount of authorization available is theoretically flexible, most dApps will require unlimited authorization by default to simplify the user experience and minimize the number of transactions a user needs to make to use the app.

One security issue here is that most users think their authorization is for a certain transaction and is limited, but in most cases, users actually grant the dApp permanent access to a certain token they hold, and it is unlimited. Therefore, if the dApp has security issues or is malicious from the beginning, attackers can abuse this authorization to steal all authorized tokens held by the dApp user without the user's consent. This attack can be launched at any time in the future, even years after the user has used the dApp.

How to protect yourself?

The good news is that you can protect yourself from these threats. In the next section, we’ll explore how to keep your tokens safe when you use a standard Ethereum wallet like MetaMask, and introduce some wallets that can interact with dApps through customized methods.

How to manually revoke token authorization

If you want to revoke authorization manually, you need to use a tool like Token Allowance Checker. Such tools can connect to your wallet and scan the entire blockchain to find all dApp authorizations associated with your Ethereum address. You can then edit the authorization: set the authorization available amount to 0 to cancel the authorization, or set it to an amount that you are willing to accept. Authorization changes are implemented by interacting with each ERC20 token contract.

It is best to perform this process regularly and cancel the authorization of dApps that you no longer plan to use. This costs a little, because each transaction needs to be settled on the chain, but in the long run your wallet will repay you for it.

Tip: If you want to save on gas costs, you can download the Gas Station Network extension to track gas prices on your browser. You can wait until gas costs are lower before editing your authorized available amounts.
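
The audit described above (approve grants a spender an allowance, and an allowance checker finds those grants and zeroes them) can be sketched as follows. This is an added example, not code from the article or from Token Allowance Checker; the addresses, logs and helper names are constructed for illustration, and it assumes the logs arrive in chain order.

```javascript
// Added example; every address and log below is constructed sample data.
// keccak256("Approval(address,address,uint256)"), the ERC20 Approval event topic
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const APPROVE_SELECTOR = "0x095ea7b3"; // selector of approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" value dApps request

const topicToAddress = (t) => "0x" + t.slice(-40).toLowerCase();
const addressToWord = (a) => a.slice(2).toLowerCase().padStart(64, "0");

// Fold logs (in chain order) into the last value approved per token/spender.
// This is the last *approved* value: transferFrom may have used part of it,
// so the live figure comes from allowance(owner, spender) on the token.
function outstandingApprovals(logs, owner) {
  const latest = new Map();
  for (const log of logs) {
    if (log.topics.length !== 3 || log.topics[0] !== APPROVAL_TOPIC) continue;
    if (topicToAddress(log.topics[1]) !== owner.toLowerCase()) continue;
    const token = log.address.toLowerCase();
    const spender = topicToAddress(log.topics[2]);
    latest.set(`${token}:${spender}`, { token, spender, amount: BigInt(log.data) });
  }
  return [...latest.values()]
    .filter((a) => a.amount > 0n) // an approval later set to 0 is revoked
    .map((a) => ({ ...a, unlimited: a.amount === MAX_UINT256 }));
}

// Calldata for approve(spender, 0), sent to the token contract to revoke.
function revokeCalldata(spender) {
  return APPROVE_SELECTOR + addressToWord(spender) + "0".repeat(64);
}

// --- constructed sample data ---
const addr = (byte) => "0x" + byte.repeat(20);
const [OWNER, OTHER, TOKEN_A, TOKEN_B, DAPP_1, DAPP_2] = ["a1", "b2", "11", "22", "d1", "d2"].map(addr);
const mkLog = (token, owner, spender, amount) => ({
  address: token,
  topics: [APPROVAL_TOPIC, "0x" + addressToWord(owner), "0x" + addressToWord(spender)],
  data: "0x" + amount.toString(16).padStart(64, "0"),
});
const SAMPLE_LOGS = [
  mkLog(TOKEN_A, OWNER, DAPP_1, MAX_UINT256), // unlimited, never revoked
  mkLog(TOKEN_A, OWNER, DAPP_2, 500n),        // limited
  mkLog(TOKEN_B, OWNER, DAPP_1, MAX_UINT256), // unlimited ...
  mkLog(TOKEN_B, OWNER, DAPP_1, 0n),          // ... then revoked
  mkLog(TOKEN_A, OTHER, DAPP_1, MAX_UINT256), // someone else's approval
];
for (const a of outstandingApprovals(SAMPLE_LOGS, OWNER)) {
  console.log(a.token, a.spender, a.unlimited ? "UNLIMITED" : a.amount.toString(), "revoke:", revokeCalldata(a.spender));
}
```

The revoke calldata is only the payload: it still has to be sent by the owner as a transaction to the token contract, which is why each revocation costs gas.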

How the next generation of Ethereum wallets can protect user funds

Some smart contract wallets that have been launched also have protection functions. Smart contract wallets are very flexible and can provide users with customized smart contract interaction methods. Therefore, many smart contract wallets have implemented customized authorization methods to improve user experience and security.

Native integration: Argent as an example

For example, Argent is a mobile Ethereum wallet that has natively integrated some core DeFi applications into the app so that users can borrow, earn yield, and trade.

These wallets integrate these dApps at the smart contract level and ensure that when users interact with these dApps, these dApps can only be authorized for the actual requested amount. All of this happens automatically in the background, so Argent users don’t even know that the authorization transaction exists.

Argent x Wallet Connect

One downside of native integration, as Argent does it, is that it’s not scalable. It’s impossible for an application to natively integrate every DeFi protocol. For most users, the applications that Argent has currently integrated may be enough, but heavy DeFi users use a dozen different dApps every day and don’t want to be limited to a few dApps.

A standard called WalletConnect can solve this problem. WalletConnect allows users to connect their mobile wallets to web applications and securely sign transactions through their mobile wallets. Argent has a customized WalletConnect integration that allows users to easily set the amount of authorization available (say goodbye to unlimited authorization). In addition, if an Argent user changes their mind, they can cancel the authorization of a dApp with one click in the Argent application. Since most dApps support WalletConnect, this feature allows Argent users to enjoy extremely high security while exploring the entire DeFi field.

Batch transactions and dApp keys: Authereum as an example

Another smart contract wallet that can handle authorization elegantly is Authereum. Authereum is web-based and supports most Ethereum dApps. In addition, Authereum uses traditional email and password login, so you can connect your wallet to the dApp in a few seconds, and the user experience is similar to traditional applications without sacrificing security.

When a user needs to interact with a dApp, Authereum generates a new temporary dApp key to sign transactions for that specific dApp. The dApp key can only perform limited functions, and Authereum performs some integrity checks. If the domain initiating the request is not the domain where the dApp key was created, Authereum can intercept the transaction or notify the user. Finally, these dApp keys can be deleted from the Authereum wallet at any time.

There are many other advantages to bundling multiple transactions into one transaction. One advantage is efficiency - batching transactions can save costs and time. Each normal transfer transaction on Ethereum consumes 21,000 gas. If a user packages 10 transactions at a time, a total of 189,000 gas can be saved. In addition, users can try to save time by sending consecutive transactions.

The only problem with batching transactions is that the dApp needs to add some customized logic and UI flow to properly process the transactions. So far, only a few dApps such as 1inch and Erasure support this trading mode, but we expect more dApps to support this trading mode in the future.

Conclusion

Token authorization is a big security risk. If we want to improve the user experience and security of cryptocurrency applications, we obviously need to improve token authorization. Wallets such as Authereum and Argent can make dApp interactions more secure in innovative ways. Unfortunately, in many cases, this type of transaction model requires additional work from dApp developers, so users will need to be patient for a while.

Standard Ethereum wallets that cannot adopt the above solutions should at least allow users to view and edit the amounts they have authorized for each dApp. Tools such as the Token Allowance Checker are convenient, but not every user is aware of them.

