New year community advice: Check your smart contract approvals
On the back of the worst year for crypto hacks and exploits, the crypto community has given some advice to newbie investors going into 2023 — check your smart contract approvals and revoke access regularly.
Reddit user 4cademy posted their advice to the r/CryptoCurrency subreddit on Jan. 1, noting that they had approved a slew of smart contracts over a two-year period and “thought it was time to check my approved smart contracts.”
They found “nearly all” of their approvals were for “unlimited amounts," which spurred them to revoke approvals for all smart contracts in their wallet as it was “better safe than sorry,” and advised:
“You should at least check your approvals too and possibly revoke them.”The reason to do this, the user said, is that some users of Decentralized Finance (DeFi) or nonfungible token (NFT) protocols could have mistakenly approved malicious smart contracts from phishing attempts that could be lying in wait to steal user funds.
Such ice phishing scams have been successful in the past, with one such elaborate month-long scam involving an offering from a fake film studio leading to 14 Bored Ape Yacht Club (BAYC) NFTs stolen from a single wallet.
Even known “good-behaving” contracts should be revoked as hackers could find exploits to pilfer funds from connected wallets.
The 10 largest exploits in 2022 saw around $2.1 billion stolen mostly from DeFi protocols and cross-chain bridges where attackers found vulnerabilities in existing smart contracts to carry out their heists.
Related: Developers need to stop crypto hackers or face regulation in 2023
The user offered up further advice saying to “use different wallets for different purposes” such as having a wallet that only interacts with smart contracts and another that doesn’t which is used for the sole purpose of holding funds.
Users commenting on the post also suggested that one could schedule a reoccurring interval to revoke all smart contract approvals, such as on the 1st of every month or even at the start of every week.
Others suggested there were third-party services that could check and revoke smart contract approvals across a number of chains, including Binance Smart Chain (BSC), Ethereum and Polygon.
One user responded that the “best” advice was to interact with as few smart contracts as possible saying “revoking permissions is good practice but not giving permissions in the first place is better.”