Security · April 14, 2026 · 6 min read

NFT Approvals: The setApprovalForAll Trap

The one function that can drain your entire collection.

Tags: nft, setapprovalforall, erc-721, erc-1155, marketplaces

When you list an NFT on a marketplace, you sign a transaction calling something called setApprovalForAll. It’s the NFT equivalent of an ERC-20 token approval — but with a crucial difference. Instead of approving a specific amount of a specific token, you’re giving a contract permission to transfer every NFT you own or will ever own from a specific collection.

Most NFT holders click through this approval without thinking. Then they wonder how their Bored Ape got stolen while they were asleep.

What setApprovalForAll Actually Does

The ERC-721 and ERC-1155 standards define setApprovalForAll(operator, approved). When you call it with approved = true, the operator address can move any NFT in that collection you hold — now or in the future. No per-token check. No amount limit. Total control.

Compare this to ERC-20’s approve(spender, amount): you can set a specific spending cap, and you can approve a much smaller amount than you hold. With NFTs, it’s all or nothing. The function only accepts a boolean.

Why It’s Dangerous

Every major NFT marketplace (OpenSea, Blur, LooksRare, X2Y2) needs setApprovalForAll to function. You grant it once per collection, and every future listing uses the same approval. That’s efficient. It’s also what makes it catastrophic when things go wrong.

Three failure modes in the past three years:

  • Compromised marketplace contracts. If the marketplace contract is exploited, every user who has ever listed an NFT on it is at risk — not just the active listings.
  • Phishing sites. A fake OpenSea clone asks you to "verify" your listing. You sign a setApprovalForAll approving a malicious contract. Your entire collection is drained.
  • Malicious upgrades. Some marketplace proxies can be upgraded by an admin key. If that key is compromised, the contract you approved becomes a contract controlled by the attacker.

The Attack You Don’t See Coming

The most insidious version: you signed a setApprovalForAll to a marketplace a year ago. The marketplace shut down. You forgot about it. An attacker takes over the abandoned contract or discovers a stale admin key. They drain every collection that still has active approvals to that contract. Your approval is still live. You signed it and walked away.

This is the stale approval problem specific to NFTs. Unlike ERC-20 tokens where you might spot a drained balance, NFTs sit silently in your wallet until the moment they don’t.

How to Protect Yourself

  • Audit your NFT approvals quarterly, separately from ERC-20 approvals. Scan each collection for active setApprovalForAll grants and revoke any to marketplaces you no longer use.
  • Revoke after selling out. Once you’ve sold the last NFT in a collection, revoke the marketplace approval. You can always re-grant it if you come back.
  • Use a separate wallet for minting and trading. Keep long-hold NFTs in a cold wallet that has never signed setApprovalForAll to any marketplace. Only your active trading wallet carries the risk.
  • Watch for upgradeable contracts. If a marketplace announces an upgrade or admin key rotation, revoke your approvals and re-grant to the new contract if you trust it.
  • Check both standards. ERC-721 and ERC-1155 both use setApprovalForAll. A scan that only checks ERC-20 approvals will miss these entirely.
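The audit and revoke steps above, as an added example that is not part of the original post or of AllowanceGuard: it replays ApprovalForAll event logs offline (the event signature is shared by ERC-721 and ERC-1155, so one scan covers both standards), keeps only the latest state per (collection, operator), and builds the setApprovalForAll(operator, false) calldata for every live grant to an operator you no longer trust. The log records, addresses and trusted set are constructed sample data; the Log class and helper names are this example’s own.

```python
from dataclasses import dataclass

# keccak256("ApprovalForAll(address,address,bool)"): ERC-721 and ERC-1155 emit the same event
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # first 4 bytes of keccak256("setApprovalForAll(address,bool)")

@dataclass(frozen=True)
class Log:  # minimal shape of an eth_getLogs record (constructed for this example)
    collection: str  # NFT contract that emitted the event
    topics: tuple    # (event signature, owner, operator) as 32-byte hex words
    data: str        # ABI-encoded bool `approved`
    block: int
    log_index: int

def _addr(word: str) -> str:   # last 20 bytes of a 32-byte topic word
    return "0x" + word[-40:].lower()

def _word(addr: str) -> str:   # left-pad a 20-byte address to a 32-byte word
    return "0x" + addr[2:].lower().rjust(64, "0")

def live_operators(logs, owner):
    """Replay logs in chain order; the latest event per (collection, operator) wins."""
    state = {}
    for lg in sorted(logs, key=lambda l: (l.block, l.log_index)):
        if lg.topics[0].lower() != APPROVAL_FOR_ALL_TOPIC or _addr(lg.topics[1]) != owner.lower():
            continue  # other events, or grants made by a different owner
        state[(lg.collection.lower(), _addr(lg.topics[2]))] = int(lg.data, 16) != 0
    return {key for key, approved in state.items() if approved}

def revoke_plan(live, trusted):
    """Calldata for setApprovalForAll(operator, false), one tx per untrusted live grant."""
    trusted = {t.lower() for t in trusted}
    return [(collection, "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + operator[2:].rjust(64, "0") + "0" * 64)
            for collection, operator in sorted(live) if operator not in trusted]

# Constructed sample: one owner, two collections, an old marketplace, a live one and a phishing contract
OWNER, OLD_MARKET, LIVE_MARKET, PHISH = ("0x" + b * 20 for b in ("11", "22", "33", "44"))
COLL_A, COLL_B = "0x" + "aa" * 20, "0x" + "bb" * 20
TRUE, FALSE = "0x" + "0" * 63 + "1", "0x" + "0" * 64
SAMPLE_LOGS = [
    Log(COLL_A, (APPROVAL_FOR_ALL_TOPIC, _word(OWNER), _word(OLD_MARKET)), TRUE, 100, 0),
    Log(COLL_A, (APPROVAL_FOR_ALL_TOPIC, _word(OWNER), _word(OLD_MARKET)), FALSE, 200, 1),  # revoked later
    Log(COLL_A, (APPROVAL_FOR_ALL_TOPIC, _word(OWNER), _word(LIVE_MARKET)), TRUE, 150, 3),  # listed out of order
    Log(COLL_B, (APPROVAL_FOR_ALL_TOPIC, _word(OWNER), _word(PHISH)), TRUE, 300, 0),        # the forgotten one
    Log(COLL_B, (APPROVAL_FOR_ALL_TOPIC, _word(PHISH), _word(LIVE_MARKET)), TRUE, 310, 0),  # someone else's grant
]

if __name__ == "__main__":
    for collection, calldata in revoke_plan(live_operators(SAMPLE_LOGS, OWNER), trusted={LIVE_MARKET}):
        print(f"send to {collection}: {calldata}")  # one revoke tx per collection
```

Each planned transaction is sent to the collection contract itself, not to the operator; block and log index ordering matters because a later revoke must override an earlier grant.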

The Rule

Every setApprovalForAll you’ve ever signed is a persistent permission on an entire collection. Treat each one like a signed cheque with your whole NFT collection as collateral. Review them. Revoke the ones you don’t need. The one you forgot about is the one that drains you.

Take control of your approvals.

AllowanceGuard scans your wallet for risky token permissions and helps you revoke them — free, open source, non-custodial.
