Best Practices

Secure Token Approval Patterns: Preventing Approval Exploits in DeFi

Kennedy Owiro · October 21, 2025 · 7 min read

When you "approve" a DeFi protocol to spend your tokens, you're giving it permission to move your funds — potentially forever. Infinite approvals are the default UX but a security nightmare. If the protocol is exploited, the attacker inherits all approved allowances. Over $1 billion in approved allowances sits vulnerable on Ethereum right now.

The Problem With Infinite Approvals

// What most DeFi frontends do:
token.approve(protocol, type(uint256).max);  // Approve UNLIMITED spending

// What happens when protocol gets hacked:
// Attacker calls: token.transferFrom(yourWallet, attacker, yourEntireBalance)
// Your tokens are gone — even tokens deposited AFTER the approval

Approval Attack Vectors

  • Protocol Exploit: Hacker gains control of approved contract → drains all approved wallets
  • Approval Phishing: Malicious dApp tricks user into approving attacker's contract
  • Frontrunning: When a non-zero allowance is changed directly to another non-zero value, the spender can front-run the change and spend the old allowance before the new one takes effect

Secure Approval Patterns

1. Exact Approvals (Not Infinite)

// Approve only the exact amount needed
token.approve(protocol, exactAmount);  // Not type(uint256).max

2. EIP-2612: Permit (Gasless Approvals)

// User signs an off-chain EIP-712 message instead of sending a separate approve() tx
// Approval and spend happen atomically in one call — no standing allowance, no window for exploitation
// `token` is an ERC-20 that also implements IERC20Permit (e.g. OpenZeppelin's ERC20Permit)
function depositWithPermit(
    uint256 amount, uint256 deadline, uint8 v, bytes32 r, bytes32 s
) external {
    // owner = msg.sender, spender = this contract, signature valid only until `deadline`
    token.permit(msg.sender, address(this), amount, deadline, v, r, s);
    token.transferFrom(msg.sender, address(this), amount);
}
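A complete vault built around that function, added here as an example rather than taken from the article. It uses OpenZeppelin's IERC20Permit and SafeERC20; the contract name PermitVault, its `balances` mapping and the custom errors are assumptions for this illustration. The one caveat it adds over the bare snippet: a permit signature is public once the transaction is in the mempool, so anyone can submit it in their own permit() call first, consume the nonce, and make the depositor's transaction revert. Wrapping permit in try/catch and checking the resulting allowance keeps the deposit working either way.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC20Permit} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Permit.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Added example (not the article's code): a vault funded through EIP-2612 permits.
/// PermitVault, `balances` and the custom errors are assumptions made for this illustration.
contract PermitVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;                 // must also implement IERC20Permit
    mapping(address => uint256) public balances;

    error PermitExpired(uint256 deadline);
    error InsufficientAllowance(uint256 have, uint256 need);

    constructor(IERC20 token_) {
        token = token_;
    }

    /// @dev Approval and pull happen in one transaction, so no allowance is ever left
    /// standing for a later exploit of this contract to drain.
    function depositWithPermit(
        uint256 amount,
        uint256 deadline,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external {
        if (block.timestamp > deadline) revert PermitExpired(deadline);

        // Someone may have already submitted this exact signature in their own permit()
        // call, consuming the nonce. In that case the allowance already exists, so the
        // revert is tolerated and the allowance check below decides whether to continue.
        try IERC20Permit(address(token)).permit(
            msg.sender, address(this), amount, deadline, v, r, s
        ) {} catch {}

        uint256 allowed = token.allowance(msg.sender, address(this));
        if (allowed < amount) revert InsufficientAllowance(allowed, amount);

        // Pull exactly `amount`; the permit granted exactly `amount`, so nothing spendable
        // remains on this contract's side afterwards.
        token.safeTransferFrom(msg.sender, address(this), amount);
        balances[msg.sender] += amount;
    }
}
```

The explicit deadline check is redundant with permit's own check, but because the try/catch swallows permit's revert reason, it is what gives the caller a clear error instead of a generic InsufficientAllowance when the signature has simply expired.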

3. Permit2 (Uniswap)

Uniswap's Permit2 acts as a universal approval manager: approve Permit2 once, then grant time-limited, amount-limited sub-approvals to individual protocols.
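An added example of a protocol pulling funds through Permit2's allowance-transfer flow; this is illustration code, not Uniswap's. The IPermit2Allowance interface below is written for the example and is assumed to mirror Permit2's IAllowanceTransfer entry points (approve, transferFrom and the allowance getter); verify it against the deployed contract before relying on it. Permit2Vault, `balances` and the error name are also assumptions, and the Permit2 address is passed in at deployment rather than hard-coded.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @dev Minimal view of Permit2's AllowanceTransfer entry points. Written for this example
/// and assumed to match Permit2's IAllowanceTransfer; check against the real deployment.
interface IPermit2Allowance {
    // Owner-side: let `spender` move up to `amount` of `token` until `expiration`.
    function approve(address token, address spender, uint160 amount, uint48 expiration) external;
    // Spender-side: pull `amount` of `token` from `from`, within the granted bounds.
    function transferFrom(address from, address to, uint160 amount, address token) external;
    // What `spender` may currently pull from `user` for `token`.
    function allowance(address user, address token, address spender)
        external view returns (uint160 amount, uint48 expiration, uint48 nonce);
}

/// @notice Added example (not Uniswap's code): a protocol funded via Permit2 sub-approvals.
contract Permit2Vault {
    IPermit2Allowance public immutable permit2;    // the canonical Permit2 deployment
    mapping(address => uint256) public balances;

    error NotEnoughPermit2Allowance(uint160 granted, uint48 expiration);

    constructor(IPermit2Allowance permit2_) {
        permit2 = permit2_;
    }

    /// What the user does once per token (a single ERC-20 approval, reused everywhere):
    ///   token.approve(address(permit2), type(uint256).max);
    /// and once per protocol, bounded in both amount and time:
    ///   permit2.approve(token, address(this), uint160(amount), uint48(block.timestamp + 1 hours));
    /// Once `amount` is used up or `expiration` passes, this contract can pull nothing more,
    /// so a compromise of this contract cannot reach the user's whole balance.
    function deposit(address token, uint160 amount) external {
        (uint160 granted, uint48 expiration, ) = permit2.allowance(msg.sender, token, address(this));
        if (granted < amount || expiration < block.timestamp) {
            revert NotEnoughPermit2Allowance(granted, expiration);
        }
        // Permit2 enforces the same bounds itself; the check above only yields a clearer error.
        permit2.transferFrom(msg.sender, address(this), amount, token);
        balances[msg.sender] += amount;
    }
}
```

The point of the design is that the only infinite approval in the user's life goes to Permit2, a single audited contract, while every protocol gets an allowance that is small and expires on its own.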

4. Approval Hygiene

  • ✅ Revoke unused approvals regularly (revoke.cash, Etherscan's token approvals page)
  • ✅ Set approvals to exact amounts, not unlimited
  • ✅ Use Permit/Permit2 for atomic approve-and-spend
  • ✅ Zero out approvals after operations when possible

For Protocol Developers

  • ✅ Support Permit (EIP-2612) for gasless approvals
  • ✅ Support Permit2 for enhanced approval security
  • ✅ Don't request infinite approvals from your frontend
  • ✅ Clear unused approvals in your contracts when operations complete
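The last two items, and the frontrunning vector from the attack-vector list, in one protocol-side contract. This is an added example, not the article's code: ExactRouter and IStrategy are hypothetical names, the downstream strategy is a stand-in for any third-party contract, and SafeERC20's forceApprove is OpenZeppelin's. The router pulls exactly what the user granted, gives the downstream contract an exact allowance, and resets it to zero before returning, all inside one transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @dev Hypothetical downstream protocol; only the function shape matters for the example.
interface IStrategy {
    function deposit(uint256 amount) external;
}

/// @notice Added example (not the article's code): a protocol contract that never leaves a
/// standing allowance on a third-party contract. ExactRouter and IStrategy are made-up names.
contract ExactRouter {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    IStrategy public immutable strategy;

    error AllowanceNotCleared(uint256 remaining);

    constructor(IERC20 token_, IStrategy strategy_) {
        token = token_;
        strategy = strategy_;
    }

    /// Pull exactly `amount` from the caller, forward it with an exact allowance,
    /// and leave the downstream allowance at zero afterwards.
    function route(uint256 amount) external {
        // The caller approved this contract for exactly `amount` (or used permit);
        // pull that and nothing more.
        token.safeTransferFrom(msg.sender, address(this), amount);

        // Approve, deposit and reset happen in this one transaction, so there is no
        // window in which the strategy could spend an older allowance first (the
        // approve race only bites when allowances change across transactions).
        // forceApprove also copes with tokens that demand a reset to zero before a
        // change and with tokens that return no bool from approve().
        token.forceApprove(address(strategy), amount);
        strategy.deposit(amount);

        // Whatever the strategy did not pull must not stay spendable by it.
        token.forceApprove(address(strategy), 0);

        // Defensive invariant: a future exploit of `strategy` finds nothing to drain here.
        uint256 remaining = token.allowance(address(this), address(strategy));
        if (remaining != 0) revert AllowanceNotCleared(remaining);
    }
}
```

If the strategy ever fails to pull the full amount, the tokens stay in the router with no allowance attached, which is the safe failure mode; a router that instead kept an unlimited approval to the strategy would expose every user's routed funds the moment the strategy was compromised.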

Token approvals are an often-overlooked attack surface. Audit your approval handling to protect your users.

Tags: token approval, ERC-20 approve, permit, permit2, DeFi, allowance

Written by

Kennedy Owiro

Founder & CTO, Vultbase

14+ years building security and QA systems at scale. Background in fintech security and Web3 smart contract testing. Built Vultbase's Intelligence Engine with 1,200+ exploit patterns from $40B+ in historical DeFi losses.
