Security · April 13, 2026 · 8 min read

The Anatomy of an Approval Exploit

How a forgotten allowance becomes a seven-figure loss.

Tags: exploits, approvals, transferFrom, security, defi

On a quiet Tuesday in March 2024, a DeFi trader lost $1.4 million in under 90 seconds. No phishing link. No malicious download. No compromised seed phrase. The attacker used a token approval the trader had granted eight months earlier and completely forgotten about.

This is not a rare event. Approval-based exploits are among the most common attack vectors in DeFi, responsible for over $3 billion in cumulative losses. And every one of them follows the same basic pattern.

The Setup: How Approvals Become Weapons

A DeFi protocol cannot pull an ERC-20 token out of your wallet until you call the token's approve(spender, amount) with the protocol's contract as the spender. That call sets an allowance: the maximum the spender may move out of your wallet with transferFrom. Most dApp frontends request an unlimited allowance (type(uint256).max) so you never pay for a second approve. This is the norm, not the exception.

The allowance persists indefinitely. It has no expiry, and it is not cleared when you stop using the protocol. A capped allowance shrinks only as the spender consumes it; an unlimited one is never reduced at all, because the reference ERC-20 implementations skip the decrement when the allowance is type(uint256).max. It sits in the blockchain's state, waiting.

An attacker needs only one of these conditions to exploit it:

  1. The approved contract has an unpatched vulnerability. transferFrom only succeeds when msg.sender holds the allowance, so the attacker needs the approved contract itself to make the call. Any bug that lets a caller steer the contract into an arbitrary external call, or into an internal transferFrom with attacker-chosen arguments, is enough to move your tokens through an unintended code path.
  2. The contract is upgradeable and gets hijacked. The admin key is compromised, and the attacker points the proxy at an implementation that contains a drain function. The proxy address, which is what you approved, never changes, so your existing approval now authorises a completely different piece of code.
  3. You approved a malicious contract directly. A phishing site mimicked a legitimate dApp. The approval you granted goes to an attacker-controlled contract that can drain you at any time.

The Kill Chain: Step by Step

Here’s how a typical approval exploit unfolds:

Step 1: Reconnaissance

The attacker scans the blockchain for wallets with high-value token balances that have active unlimited approvals to a target contract. This data is entirely public: every approve() emits an Approval(owner, spender, value) event, and allowance(owner, spender) is a view function anyone can call. The attacker ranks targets by what a drain could actually take, which is the smaller of the allowance and the current balance.

Step 2: Trigger

The attacker exploits the contract vulnerability or submits a malicious upgrade. The contract’s behaviour changes, but every existing approval remains valid.

Step 3: Drain

The attacker makes the approved contract call transferFrom for every approved wallet, moving up to min(balance, allowance) from each and sweeping the tokens to their own address. This happens programmatically; hundreds of wallets can be drained in a single block.

Step 4: Exit

The stolen tokens are swapped through DEXs and bridged across chains within minutes. By the time the exploit is noticed, the funds are being laundered through mixers or cross-chain bridges.

The entire sequence, from trigger to exit, typically takes less than 10 minutes.
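The allowance semantics from "The Setup" and the reconnaissance, trigger and drain steps above, as an added example in Python that is not code from the page or from AllowanceGuard. It is a toy ERC-20 ledger whose approve/transferFrom rules follow the reference (OpenZeppelin-style) behaviour, behind a proxy whose implementation can be swapped while its address stays the same. The holders, balances, the "0xprotocol" and "0xattacker" labels and the Proxy class are constructed for illustration.

```python
# Added example (not code from the page or from AllowanceGuard): a minimal
# ERC-20 ledger reproducing the allowance semantics the kill chain relies on,
# then recon -> hijacked upgrade -> drain run against constructed state.
# All addresses, balances and the "protocol" contract below are invented.

MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance most frontends request


class ERC20:
    """Minimal ERC-20 state: balances and allowances, reference-style rules."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        # approve() overwrites the previous value; approve(spender, 0) revokes.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, msg_sender, owner, to, amount):
        # Only msg_sender's own allowance from owner is spent here.
        allowed = self.allowance(owner, msg_sender)
        if allowed < amount:
            raise PermissionError("ERC20: insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("ERC20: transfer amount exceeds balance")
        # Reference implementations do not decrement an unlimited allowance,
        # so a max-uint approval is never consumed, however much is moved.
        if allowed != MAX_UINT256:
            self.allowances[(owner, msg_sender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Proxy:
    """An upgradeable spender: one fixed address, swappable implementation."""

    def __init__(self, address, impl):
        self.address = address
        self.impl = impl  # callable(token, proxy_address, *args)

    def call(self, token, *args):
        # The token sees the proxy's address as msg.sender whatever impl is.
        return self.impl(token, self.address, *args)


def legit_impl(token, me, owner, amount):
    """Honest implementation: pulls `amount` from owner into the protocol."""
    token.transfer_from(me, owner, me, amount)


def drain_impl(token, me, owner, to, amount):
    """Hijacked implementation: pulls from owner to an attacker-chosen `to`."""
    token.transfer_from(me, owner, to, amount)


def reconnaissance(token, spender):
    """Step 1: rank holders by what `spender` could take right now."""
    exposure = {}
    for (owner, sp), allowed in token.allowances.items():
        if sp == spender and allowed > 0:
            exposure[owner] = min(allowed, token.balances.get(owner, 0))
    return dict(sorted(exposure.items(), key=lambda kv: -kv[1]))


def run_kill_chain():
    # Constructed state: three users approved the protocol months ago.
    token = ERC20({"alice": 1_000_000, "bob": 250_000, "carol": 5_000})
    proxy = Proxy("0xprotocol", legit_impl)
    token.approve("alice", proxy.address, MAX_UINT256)  # unlimited
    token.approve("bob", proxy.address, 300_000)         # capped above balance
    token.approve("carol", proxy.address, 5_000)         # capped at balance
    proxy.call(token, "alice", 10_000)  # normal use; alice's allowance stays max

    targets = reconnaissance(token, proxy.address)   # Step 1: public data
    proxy.impl = drain_impl                          # Step 2: hijacked upgrade
    for owner, amount in targets.items():            # Step 3: sweep everyone
        proxy.call(token, owner, "0xattacker", amount)
    return token, targets


if __name__ == "__main__":
    ledger, ranked = run_kill_chain()
    print("targets:", ranked)
    print("attacker balance:", ledger.balances["0xattacker"])
    print("alice allowance after drain:", ledger.allowance("alice", "0xprotocol"))
```

Two details worth noticing in the output: alice's allowance is still the maximum after the drain, so re-funding that wallet would let the attacker sweep it again, and bob lost his whole balance even though his allowance was capped, because a cap only protects you when it is below what you hold.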

Real-World Examples

Exploit | Date | Loss | Root cause
Multichain (Anyswap) | Jul 2023 | $126M | Compromised admin keys; the attacker withdrew assets held in the bridge contracts. This was a key compromise rather than a drain of user allowances; the Multichain incident that did hit user allowances was the January 2022 router bug, which drained several million dollars from wallets that had approved the router.
Badger DAO | Dec 2021 | $120M | Compromised frontend injected malicious approval requests; users approved an attacker-controlled spender during normal use
Transit Swap | Oct 2022 | $21M | Contract vulnerability allowed arbitrary transferFrom calls on tokens users had approved to the router

In every case, the users had done nothing wrong at the time of the exploit. The approvals were granted during legitimate use of the protocol. The vulnerability came later.

The Defence: Limiting Your Blast Radius

You cannot prevent a protocol from being hacked. But you can limit what a hack can take from you:

  • Revoke approvals you’re not actively using. If you haven’t interacted with a protocol in 30 days, revoke its allowance by calling approve(spender, 0) on the token. The gas cost of re-approving later is trivial compared to losing your tokens.
  • Avoid unlimited approvals when possible. Some wallets and dApps let you set a custom approval amount. Approve only what the current transaction needs; a capped allowance is consumed as it is spent, and it bounds what a compromised spender can take to that amount rather than to your whole balance.
  • Audit regularly. Use AllowanceGuard to scan your wallet on a weekly or monthly cadence. Make it a habit, not a reaction.
  • Segment your wallets. Keep your long-term holdings in a wallet that never interacts with dApps. Use a separate “burner” wallet for DeFi activity, funded only with what you can afford to lose.
  • Watch for governance changes. If a protocol you use announces a contract upgrade or admin key rotation, review your approvals immediately.

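The audit and revoke steps above, as an added example that is not code from the page or from AllowanceGuard: it folds a wallet's Approval event logs into its current allowances, flags unlimited ones with their exposure, and builds the approve(spender, 0) calldata that revokes each. It uses only the Python standard library plus the published ERC-20 function selectors and event topic. The log records, addresses and balances are constructed sample data.

```python
# Added example (not code from the page or from AllowanceGuard): audit
# allowances from Approval logs and build revoke calldata, offline.
# Selectors and the event topic are the published ERC-20 keccak256 values;
# every address, log and balance below is constructed sample data.

MAX_UINT256 = 2**256 - 1

APPROVE_SELECTOR = "095ea7b3"    # keccak256("approve(address,uint256)")[:4]
ALLOWANCE_SELECTOR = "dd62ed3e"  # keccak256("allowance(address,address)")[:4]
# keccak256("Approval(address,address,uint256)"), found in a log's topics[0]
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"


def _word_addr(addr):
    """ABI-encode an address as a left-padded 32-byte word (hex, no 0x)."""
    return addr[2:].lower().rjust(64, "0")


def _word_uint(n):
    return format(n, "064x")


def approve_calldata(spender, amount):
    """Calldata for token.approve(spender, amount); amount 0 is the revoke."""
    return "0x" + APPROVE_SELECTOR + _word_addr(spender) + _word_uint(amount)


def allowance_calldata(owner, spender):
    """Calldata for the view call allowance(owner, spender) via eth_call."""
    return "0x" + ALLOWANCE_SELECTOR + _word_addr(owner) + _word_addr(spender)


def current_allowances(logs, owner):
    """Fold Approval logs into the latest allowance per (token, spender).

    approve() replaces the stored value, so the most recent log wins;
    ordering by (blockNumber, logIndex) lets a later revoke override a grant.
    """
    current = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares this topic hash but carries 4 topics; skip it.
        if len(topics) != 3 or topics[0] != APPROVAL_TOPIC:
            continue
        if topics[1][-40:].lower() != owner[2:].lower():
            continue
        spender = "0x" + topics[2][-40:].lower()
        current[(log["address"].lower(), spender)] = int(log["data"], 16)
    return current


def audit(logs, owner, balances):
    """Return the wallet's live allowances with exposure, worst first."""
    findings = []
    for (token, spender), allowed in current_allowances(logs, owner).items():
        if allowed == 0:
            continue
        findings.append({
            "token": token,
            "spender": spender,
            "allowance": allowed,
            "unlimited": allowed == MAX_UINT256,
            "exposure": min(allowed, balances.get(token, 0)),  # drainable today
            "revoke_calldata": approve_calldata(spender, 0),
        })
    return sorted(findings, key=lambda f: (-f["exposure"], not f["unlimited"]))


# Constructed sample data (placeholder addresses, not real contracts).
OWNER = "0x1111111111111111111111111111111111111111"
SPENDER_A = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
SPENDER_B = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
TOKEN = "0xcccccccccccccccccccccccccccccccccccccccc"


def _approval_log(block, idx, owner, spender, value):
    return {"address": TOKEN, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, "0x" + _word_addr(owner), "0x" + _word_addr(spender)],
            "data": "0x" + _word_uint(value)}


SAMPLE_LOGS = [
    _approval_log(100, 0, OWNER, SPENDER_A, MAX_UINT256),   # unlimited, months old
    _approval_log(120, 3, OWNER, SPENDER_B, 1_000),         # capped grant
    _approval_log(130, 1, OWNER, SPENDER_B, 0),             # later revoked
    _approval_log(131, 0, "0x" + "22" * 20, SPENDER_A, 5),  # someone else's wallet
]
SAMPLE_BALANCES = {TOKEN: 5_000}

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGS, OWNER, SAMPLE_BALANCES):
        print(finding)
```

Treat the log-derived numbers as a worklist, not as truth: the view call built by allowance_calldata is authoritative, since some token implementations adjust allowances in transferFrom without emitting Approval. When lowering rather than clearing an allowance, note that some tokens (mainnet USDT among them) revert on approve() from one non-zero value to another, so do approve(spender, 0) first and then approve(spender, cap).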
The Uncomfortable Truth

Every unlimited approval is a contingent liability. It’s a signed cheque with the amount left blank, held by a third party whose security you don’t control. Most of the time, nothing happens. But when something does, the losses are total and instant.

The users drained in these exploits didn’t make a mistake on the day they were drained. They made the mistake months or years earlier, when they granted an approval and forgot about it.

Don’t be the next case study. Audit your approvals today.

Take control of your approvals.

AllowanceGuard scans your wallet for risky token permissions and helps you revoke them — free, open source, non-custodial.
