Skip to Content
TracingERC-20 Approvals: The Forgotten Attack Surface

ERC-20 Approvals: The Forgotten Attack Surface

concept

Core idea

An ERC-20 approve grants a spender address permission to move tokens. Many scams trick users into granting unlimited approvals, then drain the wallet later, so the approval, not the drain transaction itself, is often the proximate cause of a theft.

Components

  • When investigating a theft, always check the victim’s Approval events in the window before the theft. An approval to an unrecognised address, minutes before a drain, is typically the proximate cause.
  • Revoke.cash enumerates live approvals for any address; include revocation as a protective remediation step even after the trace is done.

When to use

Early in any theft/drain investigation (before or alongside fund tracing), and during victim remediation to close ongoing exposure.

Example

A victim’s wallet shows an Approval event granting unlimited USDT allowance to an unrecognised spender minutes before the drain, that approval is the proximate cause, and Revoke.cash is used to revoke any remaining live approvals.

EVM Event Logs & Decoding Calldata, EVM Proxies: Read the Right Source, View a Wallet’s Exposure with impersonator.xyz

Last updated on