ERC-20 Approvals: The Forgotten Attack Surface
concept
Core idea
An ERC-20 approve grants a spender address permission to move tokens. Many scams trick users into granting unlimited approvals, then drain the wallet later, so the approval, not the drain transaction itself, is often the proximate cause of a theft.
Components
- When investigating a theft, always check the victim’s Approval events in the window before the theft. An approval to an unrecognised address, minutes before a drain, is typically the proximate cause.
- Revoke.cash enumerates live approvals for any address; include revocation as a protective remediation step even after the trace is done.
When to use
Early in any theft/drain investigation (before or alongside fund tracing), and during victim remediation to close ongoing exposure.
Example
A victim’s wallet shows an Approval event granting unlimited USDT allowance to an unrecognised spender minutes before the drain, that approval is the proximate cause, and Revoke.cash is used to revoke any remaining live approvals.
Related
EVM Event Logs & Decoding Calldata, EVM Proxies: Read the Right Source, View a Wallet’s Exposure with impersonator.xyz
Last updated on