Leilani Ledingham

Covalent Solves for Approvals Risk, Protecting User Funds


  • Covalent has released a new approvals endpoint that shows you all the approvals across all token contracts categorized by spenders for a wallet’s assets.

  • This new endpoint shows you the value of assets at risk for a wallet. Basically, if the spender were to be hacked, the value at risk is how much the wallet's owner could stand to lose.

  • Get approvals is currently available on Ethereum, BNB Smart Chain and Polygon and will be added to all remaining supported networks in a few weeks.

Background: What are Approvals?

In the context of Web3, approvals are an essential part of the ERC-20 token standard, which is the most common standard for creating and managing tokens on Ethereum and other EVM-based blockchains. Approvals are a mechanism that allows a token holder to grant permission to another account or smart contract to spend a certain amount of tokens on their behalf. So when do you use approvals? Here are some examples:

  1. Decentralized Exchanges (DEXs): When trading tokens on a DEX like Uniswap or SushiSwap, users must approve the smart contract to access and swap their tokens. This is done to ensure that the DEX contract can execute the trade on the user's behalf without having direct access to the user's wallet.

  2. Staking and Yield Farming: In DeFi applications that offer staking or yield farming opportunities, users need to approve the staking or farming contract to access their tokens. This enables the contract to lock up the user's tokens and distribute rewards accordingly.

  3. Decentralized Autonomous Organizations (DAOs): In DAOs, users often need to approve a DAO's smart contract to access their tokens for voting on proposals or participating in governance decisions. This allows the DAO to manage token-based voting systems securely and transparently.

Image source: Metamask

While approvals are a critical component in many decentralized applications, they can also pose certain risks for users, especially when they grant unlimited access to their tokens.

Approvals: A Liability for User Funds

Granting approvals, especially unlimited ones, can cause users to lose control over the management of their tokens. This is a vulnerability that hackers have come to exploit. Here are a few reasons why users should be concerned about their approvals:

  1. Smart contract vulnerabilities: If a smart contract that has been approved to spend a user's tokens contains a vulnerability, an attacker could exploit it to drain the user's funds.

    1. Proxy contracts and future vulnerabilities: Many modern smart contracts utilize proxies, which enable developers to upgrade or modify contract logic without changing the original contract's address. When users approve a token allowance on a proxy contract, they may inadvertently become susceptible to risks if the underlying contract logic is updated with flawed or malicious code.

  2. Rogue spenders: Approving an untrusted address or a malicious contract can result in unauthorized token transfers or misuse of funds.

Some might think that using a hardware wallet like a Ledger protects them from vulnerabilities, but hardware wallets do not inherently protect users from approval-related hacks. Their security features do not extend to the smart contracts or token approvals themselves. When a user grants approval using their hardware wallet, they are still trusting the smart contract to act on their behalf.

Additionally, while approval-related hacks typically exploit the approval mechanism of ERC-20 tokens, they also affect other token standards like NFTs, which also require approvals to interact with various smart contracts. A well-known example is the NFT marketplace, where users approve NFT transfers to facilitate trades or auctions. If a marketplace's smart contract or an NFT-specific contract is exploited, attackers can potentially transfer or steal approved NFTs.

Here are some real-world examples of hacks and lost funds from approvals that have had disastrous consequences:

  • SushiSwap hack: Recently, in April 2023, SushiSwap was exploited for $3.3 million. The security breach was due to an issue with SushiSwap’s approval contract (RouterProcessor2) which was responsible for handling trade routing on the platform. Approximately 1,800 ETH tokens, equivalent to around $3.3 million, were drained from a single user. SushiSwap’s team immediately urged users to revoke their approvals as soon as possible.

Image Source: PeckShield Tweet

  • Bancor hack: In July 2018, the Bancor decentralized exchange was hacked, and the attackers stole approximately $23.5 million worth of tokens. The hack was possible because the attackers gained access to a wallet with approved tokens and used it to perform unauthorized trades.

How Covalent is Solving for Approvals Risk

To help protect users and prevent loss of funds, Covalent has built an approvals endpoint that provides users and developers with crucial information on token allowances and potential risks. The API response includes all token approvals across various contracts and spenders for a specific wallet's assets, as well as a value-at-risk analysis, which estimates the potential loss a user could incur if a spender is hacked or compromised.

Additionally, Covalent has included risk factor assessment. Approvals are categorized by risk factors with three different flags based on the spender's status and the value at risk: "low risk," "consider revoking," and “high risk, revoke now.” Information on how these risk factors are calculated can be found on our API reference or approvals guide. This feature helps users quickly identify potentially risky approvals and take appropriate action.

Here is a snippet of the API response:

"block_height": 10975120,
"tx_offset": 166,
"log_offset": 267,
"block_signed_at": "2020-10-02T06:51:00Z", 
"tx_hash": "0x2f63cc4971d6371b5360c2a1c16e9f805e8dfea1dfcb578fda37446e39d026b9",
"spender_address": "0x7a250d5630b4cf539739df2c5dacb4c659f2488d",
"spender_address_label": "Uniswap V2: Router 2",
"allowance": "UNLIMITED",
"allowance_quote": null,
"value_at_risk": "776680261",
"value_at_risk_quote": 779.010301783,
"risk_factor": "CONSIDER REVOKING"

For developers, integrating Covalent's new approvals endpoint into their wallet applications can significantly enhance security and provide users with greater control over their assets. Here is a guide on how to implement this endpoint, including a code snippet for how to revoke certain approvals.
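
The triage a wallet could run over records shaped like the response snippet above, as an added example that is not Covalent's code: it ranks approvals by risk flag and value at risk, then builds the standard ERC-20 `approve(spender, 0)` calldata that revokes each one. The `token_address` field, the exact spelling of the low-risk and high-risk flags, and every sample record other than the Uniswap one are assumptions.

```python
# Added example, not Covalent's code. Field names come from the response
# snippet above, except "token_address" and the flag spellings other than
# "CONSIDER REVOKING", which are assumptions.
APPROVE_SELECTOR = "095ea7b3"  # selector of ERC-20 approve(address,uint256)
RISK_RANK = {"LOW RISK": 0, "CONSIDER REVOKING": 1, "HIGH RISK, REVOKE NOW": 2}

# Constructed sample: the first record reuses values shown on the page;
# the token addresses and the other two records are made up.
SAMPLE = [
    {"token_address": "0x" + "aa" * 20,
     "spender_address": "0x7a250d5630b4cf539739df2c5dacb4c659f2488d",
     "spender_address_label": "Uniswap V2: Router 2", "allowance": "UNLIMITED",
     "value_at_risk_quote": 779.010301783, "risk_factor": "CONSIDER REVOKING"},
    {"token_address": "0x" + "bb" * 20, "spender_address": "0x" + "11" * 20,
     "spender_address_label": None, "allowance": "5000000",
     "value_at_risk_quote": 5.0, "risk_factor": "LOW RISK"},
    {"token_address": "0x" + "cc" * 20, "spender_address": "0x" + "22" * 20,
     "spender_address_label": None, "allowance": "UNLIMITED",
     "value_at_risk_quote": 12000.0, "risk_factor": "HIGH RISK, REVOKE NOW"},
]

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0), which resets the allowance to zero."""
    addr = spender.lower()
    addr = addr[2:] if addr.startswith("0x") else addr
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        raise ValueError("not a 20-byte hex address: %r" % spender)
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64

def triage(records, min_rank=1):
    """Return revoke actions for flagged approvals, most urgent first."""
    actions = []
    for r in records:
        # An unrecognised flag is treated as high risk rather than skipped.
        rank = RISK_RANK.get(str(r.get("risk_factor", "")).upper(), 2)
        if rank < min_rank:
            continue
        actions.append({
            "to": r["token_address"],  # the revoke is sent to the token contract
            "spender": r.get("spender_address_label") or r["spender_address"],
            "unlimited": r.get("allowance") == "UNLIMITED",
            "value_at_risk_quote": r.get("value_at_risk_quote") or 0.0,
            "rank": rank,
            "data": revoke_calldata(r["spender_address"]),
        })
    return sorted(actions, key=lambda a: (a["rank"], a["value_at_risk_quote"]), reverse=True)
```

Each returned action names the token contract to call (`to`) and the calldata to sign; the wallet still has to present it to the user for confirmation before sending.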

This marks a significant step forward in providing users with unparalleled transparency and control over their digital assets. We want to empower users to make informed decisions, creating a more secure and confident Web3 experience.

Ganesh Swami, CEO & Co-Founder of Covalent

Tips for Minimizing Potential Losses

By granting approvals only for the required amount, users can minimize their potential losses in case of a security breach. Here are some things you can do to mitigate your risk and protect your assets from potential threats:

  • Only approve trusted smart contracts and addresses.

  • Set specific allowances instead of granting unlimited access.

  • Regularly review and revoke unnecessary approvals.

Here is some additional information on how to revoke approvals.

What’s Next?

The new approvals endpoint is available on Ethereum, BNB Smart Chain and Polygon to begin with, and Covalent will follow up with additional support on the rest of its supported networks in the coming weeks. The Covalent team is hard at work building new products, so stay tuned for more exciting updates this quarter. If you haven’t signed up for an API key yet, click here to get one!

About Covalent:

Covalent provides the industry-leading Unified API bringing visibility to billions of Web3 data points. Developers and analysts use Covalent to build exciting multi-chain applications like crypto wallets, NFT galleries, and investor dashboard tools utilizing data from 232+ blockchains. Covalent is trusted by a community of 40,000+ developers and powers data for 5,000+ applications, including 0x, Rainbow Wallet, NFTX, Guild.xyz, StakeKit and many others.