Frequently Asked Questions
- No. An "unlimited" approval only applies to the token or NFT collection for which you granted it, because each token contract keeps its own approval records. So if you gave an unlimited approval for your DAI, then all your DAI may be at risk, but none of your USDC. Similarly, an "unlimited" approval for your Bored Apes does not impact your Cool Cats.
- No. Disconnecting your wallet (e.g. MetaMask) from a website does nothing to protect you from approval exploits, or from most other exploits. Disconnecting only stops that website from seeing your address. The approvals themselves are recorded on-chain in the token contracts and stay active until you send a transaction that revokes them.
- No. Banditproof is a preventative tool that helps you practice proper wallet hygiene. By regularly revoking active approvals you reduce the chances of becoming the victim of approval exploits. But unfortunately it cannot be used to recover any stolen funds. You should still make sure to revoke the approvals that were used to take your funds so that they cannot steal more in the future.
- If a so-called "sweeper bot" on your account steals any ETH as soon as it comes in, your seed phrase (and with it your private key) has been compromised. Revoking approvals will not help, because the attacker can sign transactions as you directly. There is no way for this wallet to recover from that: abandon it and create a new one from a fresh seed phrase.
- It is always hard to determine exactly how your funds were stolen. To help you diagnose the cause and find the right mitigation, we developed an infographic that shows the most common ways that funds are stolen, which has been included below. Note that you may need to zoom in to see the details.
- No. In general, hardware wallets are much safer than mobile or browser-based wallets because the private keys never leave the device, making it very hard to steal them without physical access to the device. But an approval exploit does not need your keys: once you have approved a spender, that spender can call transferFrom on the token contract in a transaction it signs itself, and your tokens move without any further signature from you. Because of that, hardware wallets offer no extra protection against approval exploits.
- No. Under the hood, each approval is a separate call to the token contract that must come from the token owner, and a regular wallet (an externally-owned account) can only make one such call per transaction. So revoking multiple approvals takes one transaction per approval.
- Banditproof is provided as a free service, but every revoke transaction incurs a gas fee just like other blockchain transactions. This is usually quite cheap, but when gas fees rise it can get more expensive. If your transactions are not time sensitive, it may be wise to use services like GasHawk to reduce gas fees.
- In the token's smart contract, granting and revoking an approval use the same function. The difference is that revoking sets the value to 0 (approve(spender, 0) for ERC20 tokens) or to false (setApprovalForAll(operator, false) for NFTs). You can verify that Banditproof is actually revoking the approval by clicking "Edit Permission" (for ERC20 tokens) or opening the "data" tab (for NFTs) in MetaMask before you sign.
- Revoking approvals has no impact on your deposited or staked tokens. These tokens will stay deposited and you will still be able to withdraw them. However, if you want to add more tokens to your deposited position, you will need to grant an approval again.
- Choosing which approvals to revoke is always a trade-off between safety and convenience. For certain well-known protocols (e.g. Uniswap) it is most likely fine to leave approvals active, but for newer and unknown smart contracts, it is more prudent to revoke approvals. Also keep in mind that some use cases require you to keep your approvals active. For example, if you have active listings on OpenSea you need to keep the approvals in order for the listings to remain active.
- The Banditproof browser extension supports every EVM network. The Banditproof website supports a large number of EVM networks including Ethereum, BSC, Polygon and Avalanche. The full list of supported networks can be seen in the network selection dropdown. If there are any other networks that you'd like to see supported, please reach out on Twitter or Discord.
- When searching for accounts in the search bar, you can use several different domain name services. Currently we support ENS, Unstoppable Domains and Avvy Domains. We may add other domain name services in the future.
- If you have any questions that aren't mentioned in this FAQ, please reach out on Twitter or Discord. You can also read about approvals in more detail in Rosco Kalis' blog post Unlimited ERC20 allowances considered harmful.
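As an added example (not code from Banditproof or MetaMask), the Node.js script below does what the answer about verifying a revoke describes: it decodes the raw calldata shown in MetaMask's "data" tab and reports whether the transaction grants or revokes an approval, and for which spender. It relies only on the standard ERC20 approve and ERC721/ERC1155 setApprovalForAll function selectors; the spender address and the sample calldata are constructed for the example.

```javascript
// Added example, not Banditproof's or MetaMask's own code.
// A function selector is the first 4 bytes of keccak256(signature). These are
// the standard selectors for ERC20 approve and for setApprovalForAll
// (used by ERC721 and ERC1155 collections).
const SELECTORS = {
  "095ea7b3": { name: "approve(address,uint256)", kind: "erc20" },
  "a22cb465": { name: "setApprovalForAll(address,bool)", kind: "nft" },
};
const MAX_UINT256 = (1n << 256n) - 1n; // the value wallets display as "unlimited"

function stripHex(hex) {
  return String(hex).toLowerCase().replace(/^0x/, "");
}

// Decode approve / setApprovalForAll calldata into a human-readable verdict.
function decodeApprovalCalldata(data) {
  const hex = stripHex(data);
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 8 || (hex.length - 8) % 64 !== 0) {
    throw new Error("malformed calldata");
  }
  const selector = hex.slice(0, 8);
  const fn = SELECTORS[selector];
  if (!fn) return { recognised: false, selector: "0x" + selector };

  // Both functions take exactly two 32-byte ABI words: (address, uint256 | bool).
  const words = hex.slice(8).match(/.{64}/g) || [];
  if (words.length !== 2) throw new Error(`${fn.name}: expected 2 arguments`);
  if (!/^0{24}/.test(words[0])) throw new Error("first argument is not a clean address");
  const spender = "0x" + words[0].slice(24); // an address is right-aligned in its word
  const value = BigInt("0x" + words[1]);

  if (fn.kind === "erc20") {
    return {
      recognised: true,
      function: fn.name,
      spender,
      amount: value,
      unlimited: value === MAX_UINT256,
      revokes: value === 0n, // approve(spender, 0) is the ERC20 revoke
    };
  }
  if (value !== 0n && value !== 1n) throw new Error("bool argument must be 0 or 1");
  return {
    recognised: true,
    function: fn.name,
    operator: spender,
    approved: value === 1n,
    revokes: value === 0n, // setApprovalForAll(operator, false) is the NFT revoke
  };
}

// Build the calldata a revoke should contain, to compare against what the wallet shows.
function encodeRevoke(kind, spender) {
  const addr = stripHex(spender);
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("invalid address");
  const selector = kind === "erc20" ? "095ea7b3" : "a22cb465";
  return "0x" + selector + addr.padStart(64, "0") + "0".repeat(64);
}

// Constructed sample inputs (made up for this example, not real transactions).
const SPENDER = "0x" + "11".repeat(20);
const erc20Revoke = encodeRevoke("erc20", SPENDER);
const erc20Unlimited = "0x095ea7b3" + "11".repeat(20).padStart(64, "0") + "f".repeat(64);
const nftRevoke = encodeRevoke("nft", SPENDER);

for (const data of [erc20Revoke, erc20Unlimited, nftRevoke]) {
  console.log(decodeApprovalCalldata(data));
}
```

If the decoded result says `revokes: false` or `unlimited: true` for a transaction that was supposed to be a revoke, do not sign it. The same decoder flags an unlimited approval that a dapp has slipped in where a limited one was expected.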