Essential skills for DeFi: How to protect your Ethereum wallet

Preface: Regarding Ethereum wallets and DeFi applications, a common security risk in the industry is "token authorization", and in most cases, these applications will require you to give "unlimited authorization" by default. While this brings convenience to users, it also poses a great security risk, because if there is a problem with the contract, then even if you have not deposited funds into the contract, the attacker can steal the funds in your wallet.

So how can you protect yourself as much as possible while experiencing a variety of new DeFi applications? This article will tell you a way to cancel token authorization.

Objective: Learn how to revoke Ethereum wallet authorization

Skill Complexity: Simple

Time: 5 minutes

ROI: Priceless (can protect your tokens)

You may have participated in dozens of DeFi applications and unknowingly granted them unlimited access to your Ethereum wallet funds.

Guess what? Unless you turn off those permissions, these apps have the ability to do this!

What if one of the contracts is exploited? Or the DeFi app turns out to be a scam? That means game over and you lose your funds.

But with a few tips, you can protect yourself.

For example, use a new address, and frequently check contract authorizations and remove application contract authorizations that you no longer use or do not trust.

Good dental hygiene can prevent tooth decay, and good dental hygiene can help you protect your property.

UniCats stealing user funds

Last month, a liquidity mining project called UniCats was launched. This so-called DeFi project eventually turned out to be a fraudulent project whose deployers used the "unlimited token authorization" permission to steal users' funds.

As traders deposited funds into the project in pursuit of new profit opportunities, UniCat developers gained more and more token authorization rights until they chose to close the net and start stealing users’ token funds.

As researcher Alex Manuskin showed in an insightful tweet last month, one UniCat user lost $140,000 worth of Uniswap tokens by authorizing the UniCats contract.

This is a scary incident, but it serves to highlight why you, as an Ethereum user, should take smart contract permissions seriously.

So let’s learn how to manage your wallet permissions.

How to revoke Ethereum wallet authorization

Fortunately, the Ethereum community has some very respectable open source contributors who regularly release some amazing tools, including James Sangalli of AlphaWallet, who released an open source ETH Allowance tool earlier this year.

We can use this solution to easily revoke token authorization, the process is as follows:

1. Use Etherscan to find the contract you want to cancel.

Suppose you have recently interacted with a malicious or low-quality project like UniCat, and now you want to revoke authorization, you need to determine the contract address of the project and copy it. Using Etherscan's "clipboard" button, this task is easy.

2. Visit the ETH Allowance website and you will see the page shown below.

3. Connect your Ethereum wallet (usually, we use the popular MetaMask browser wallet). Once you do this, a list of approved smart contracts will pop up, as shown below:

4. Use the "Find" function in your browser to paste and search for the contract address you want to remove. For simplicity, I will simply remove the first address described above, which is associated with OmiseGo's OMG token. When I click "Revoke", the system prompts me to send a revocation transaction, as shown below:

5. Confirm the transaction. Once the transaction is confirmed, your wallet can avoid the risk of this contract address.

Summarize

Not every token smart contract authorization has vulnerabilities. There are many dapps that have passed the market test at this point (such as Uniswap), and authorizing these applications will help us make full use of them.

But in the decentralized ecosystem we live in, we cannot give this trust to projects that have not been proven or properly audited. That’s why we have to take matters into our own hands, regularly managing our smart contract permissions and removing permissions for tokens we no longer use or trust.