MetaMask Approval Hygiene

With the latest Badger exploit, let's talk about MetaMask approval hygiene.

1. Know what you are approving

Check the approved address yourself.
Do not trust the site's UI. Take the address manually from the MetaMask data and look at the contract on Etherscan.
If you are on another network, you may want to use Polygonscan, BSCscan, Solscan or the block explorer for your network.


Things to pay attention to at this point:
  • Is the contract brand new?
  • Who deployed it?
  • Where did the deployer's funds come from?
  • Is it a proxy?

2. Know how much you are approving

Never approve more than you plan to use.
You can always approve more in the future.


Yes, it costs a few $ more, but so does psychological help once you get rugged.


3. Approvals are per token

So if you approved WETH for some shady contract, only your WETH is at risk due to that approval, none of your other tokens.

4. Be extra tight with your approvals on proxies

You are not only approving the current implementation; you are also approving the next implementation, and the next implementation, and the next implementation...
This means that if the code is changed, your approval will still be valid. You need to be really careful here.

5. Periodic review of all your approvals

Go over each approval and verify that it makes sense. If not, revoke it.
If there is a lot of stuff you are unsure about, see which is less of a hassle: revoking all the odd approvals or migrating all tokens to a fresh address.
You can use Etherscan's, Polygonscan's or BSCscan's token approval checker. At the time of writing, there is no equivalent service for Solana.
There is no need to revoke approvals for tokens you don't hold anymore and don't plan to use in the future.

6. You should have a good reason for doing an infinite approval

It should not be your default!

Not sure what an infinite approval looks like?
It looks like this:
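
An added example, not part of the original post: in the hex data MetaMask shows for a transaction, an infinite approval is an ERC-20 approve(address,uint256) call whose amount is the largest 256-bit value (64 "f" characters). The Python below decodes that data so you can read the spender and the amount yourself and compare them with what you looked up and what you plan to use. The function names and the sample spender address are constructed for illustration, and only the exact maximum value is flagged as infinite.

```python
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1


def decode_approve(calldata_hex):
    """Split approve() calldata into (spender, amount)."""
    data = calldata_hex.strip().lower()
    if data.startswith("0x"):
        data = data[2:]
    # 4-byte selector + two 32-byte ABI words, written as hex characters
    if len(data) != 8 + 64 + 64:
        raise ValueError("not approve(address,uint256) calldata: unexpected length")
    if data[:8] != APPROVE_SELECTOR:
        raise ValueError("not approve(address,uint256) calldata: selector " + data[:8])
    spender_word, amount_word = data[8:72], data[72:136]
    # A 20-byte address is left-padded with 12 zero bytes inside its 32-byte word
    if spender_word[:24] != "0" * 24:
        raise ValueError("address word has non-zero padding")
    return "0x" + spender_word[24:], int(amount_word, 16)


def review_approval(calldata_hex, expected_spender, planned_amount):
    """Return a list of findings; an empty list means nothing was flagged."""
    spender, amount = decode_approve(calldata_hex)
    findings = []
    if spender != expected_spender.lower():
        findings.append("spender differs from the contract you looked up: " + spender)
    if amount == MAX_UINT256:
        findings.append("infinite approval (amount is 2**256 - 1)")
    elif amount > planned_amount:
        findings.append("amount %d exceeds the %d you plan to use" % (amount, planned_amount))
    return findings


# Constructed sample data: the spender address is a placeholder, not a real contract.
SPENDER = "0x" + "11" * 20
PAD = "0" * 24
INFINITE = "0x" + APPROVE_SELECTOR + PAD + "11" * 20 + "f" * 64
EXACT = "0x" + APPROVE_SELECTOR + PAD + "11" * 20 + format(5 * 10**18, "064x")

if __name__ == "__main__":
    for name, data in (("infinite", INFINITE), ("exact", EXACT)):
        print(name, decode_approve(data), review_approval(data, SPENDER, 5 * 10**18))
```

Amounts are in the token's smallest unit, so 5 tokens with 18 decimals is 5 * 10**18.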


Stay safe out there, apes.

Created by 0xPUFLER (0xAFFE6a78BD3F014Da114C327a48BBEC8CbcFbF3F)
Taken from CryptoCatVC's Tweet