New year community advice: Check your smart contract approvals

Published at: Jan. 2, 2023

On the back of the worst year for crypto hacks and exploits, the crypto community has given some advice to newbie investors going into 2023 — check your smart contract approvals and revoke access regularly.

Reddit user 4cademy posted their advice to the r/CryptoCurrency subreddit on Jan. 1, noting that they had approved a slew of smart contracts over a two-year period and “thought it was time to check my approved smart contracts.”

They found “nearly all” of their approvals were for “unlimited amounts," which spurred them to revoke approvals for all smart contracts in their wallet as it was “better safe than sorry,” and advised:

“You should at least check your approvals too and possibly revoke them.”

The reason to do this, the user said, is that some users of decentralized finance (DeFi) or nonfungible token (NFT) protocols could have mistakenly approved malicious smart contracts from phishing attempts, approvals that could be lying in wait to be used to steal user funds.

Such “ice phishing” scams, in which a victim is tricked into signing a token approval that hands spending control to an attacker rather than into revealing a key, have succeeded before: one elaborate month-long scam, built around an offer from a fake film studio, led to 14 Bored Ape Yacht Club (BAYC) NFTs being stolen from a single wallet.

Even approvals granted to known “good-behaving” contracts should be revoked, because an attacker who later finds an exploit in such a contract can use its standing approvals to pilfer funds from every wallet still connected to it.

The 10 largest exploits in 2022 saw around $2.1 billion stolen mostly from DeFi protocols and cross-chain bridges where attackers found vulnerabilities in existing smart contracts to carry out their heists.


The user offered up further advice saying to “use different wallets for different purposes” such as having a wallet that only interacts with smart contracts and another that doesn’t which is used for the sole purpose of holding funds.

Users commenting on the post also suggested scheduling a recurring interval at which to revoke all smart contract approvals, such as on the 1st of every month or even at the start of every week.

Others suggested there were third-party services that could check and revoke smart contract approvals across a number of chains, including Binance Smart Chain (BSC), Ethereum and Polygon. 

One user responded that the “best” advice was to interact with as few smart contracts as possible saying “revoking permissions is good practice but not giving permissions in the first place is better.”
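The check and revocation described above, at the protocol level: an added example, not code from the Reddit post, the article or any of the third-party revocation services it mentions. It replays a wallet's ERC-20 `Approval` and ERC-721/1155 `ApprovalForAll` logs in block order to see which spenders still hold an allowance, flags the ones that are unlimited (the full `uint256`, which is what “unlimited” means in a wallet prompt), and builds the calldata of the `approve(spender, 0)` and `setApprovalForAll(operator, false)` transactions that revoke each. The wallet, token, spender and log entries are constructed for the example; the event hashes and function selectors are the standard ones.

```python
"""Replay a wallet's approval events and build the transactions that revoke them.

Added example: WALLET, TOKEN, NFT, the spenders and SAMPLE_LOGS are constructed
for illustration; only the event hashes and function selectors are the real ones.
"""
from dataclasses import dataclass

# keccak256 of the canonical event signature; this is topics[0] of a matching log.
TOPIC_APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"          # Approval(address,address,uint256)
TOPIC_APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"  # ApprovalForAll(address,address,bool)
# 4-byte function selectors of the calls that revoke.
SEL_APPROVE = "095ea7b3"               # approve(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1               # what a wallet shows as an "unlimited" allowance

# Constructed addresses for the example.
WALLET = "0x" + "11" * 20    # the wallet being audited
TOKEN = "0x" + "aa" * 20     # an ERC-20 token
NFT = "0x" + "dd" * 20       # an ERC-721 collection
ROUTER = "0x" + "bb" * 20    # DEX router given an unlimited allowance
OLD_DEX = "0x" + "ee" * 20   # spender whose allowance was later set back to 0
MARKET = "0x" + "cc" * 20    # NFT marketplace operator
OTHER = "0x" + "99" * 20     # somebody else's wallet


def _word(value) -> str:
    """ABI-encode an address string or integer as one 32-byte hex word."""
    v = int(value, 16) if isinstance(value, str) else value
    return "0x" + format(v, "064x")


# Constructed log entries, deliberately not in chain order.
SAMPLE_LOGS = [
    {"blockNumber": 200, "logIndex": 0, "address": TOKEN,   # revocation of OLD_DEX (approve to 0)
     "topics": [TOPIC_APPROVAL, _word(WALLET), _word(OLD_DEX)], "data": _word(0)},
    {"blockNumber": 100, "logIndex": 0, "address": TOKEN,   # unlimited allowance to ROUTER
     "topics": [TOPIC_APPROVAL, _word(WALLET), _word(ROUTER)], "data": _word(MAX_UINT256)},
    {"blockNumber": 105, "logIndex": 3, "address": TOKEN,   # 1000 tokens (6 decimals) to OLD_DEX
     "topics": [TOPIC_APPROVAL, _word(WALLET), _word(OLD_DEX)], "data": _word(1000 * 10**6)},
    {"blockNumber": 150, "logIndex": 7, "address": NFT,     # setApprovalForAll(MARKET, true)
     "topics": [TOPIC_APPROVAL_FOR_ALL, _word(WALLET), _word(MARKET)], "data": _word(1)},
    {"blockNumber": 160, "logIndex": 1, "address": NFT,     # ERC-721 per-token Approval: same
     "topics": [TOPIC_APPROVAL, _word(WALLET), _word(MARKET), _word(42)], "data": "0x"},  # hash, but 4 topics
    {"blockNumber": 170, "logIndex": 2, "address": TOKEN,   # another owner's approval: ignore
     "topics": [TOPIC_APPROVAL, _word(OTHER), _word(ROUTER)], "data": _word(MAX_UINT256)},
]


def _addr(word: str) -> str:
    """32-byte topic word -> 0x address (low 20 bytes), lowercased for comparison."""
    return "0x" + word[-40:].lower()


@dataclass(frozen=True)
class Approval:
    token: str
    spender: str
    kind: str      # "erc20" (allowance) or "operator" (setApprovalForAll)
    amount: int    # allowance for erc20; 1 for an active operator


def replay_approvals(wallet: str, logs: list[dict]) -> list[Approval]:
    """Fold the logs in (block, logIndex) order; the last event per (token, spender) wins."""
    wallet = wallet.lower()
    state: dict[tuple[str, str, str], int] = {}
    for log in sorted(logs, key=lambda entry: (entry["blockNumber"], entry["logIndex"])):
        topics = log["topics"]
        # Exactly 3 topics: ERC-20 Approval / ApprovalForAll. ERC-721's per-token
        # Approval shares the ERC-20 hash but indexes tokenId (4 topics), so it is skipped.
        if len(topics) != 3 or _addr(topics[1]) != wallet:
            continue
        token, spender = log["address"].lower(), _addr(topics[2])
        if topics[0] == TOPIC_APPROVAL:
            state[(token, spender, "erc20")] = int(log["data"], 16)
        elif topics[0] == TOPIC_APPROVAL_FOR_ALL:
            state[(token, spender, "operator")] = int(log["data"], 16)
    return [Approval(t, s, k, v) for (t, s, k), v in state.items() if v != 0]


def is_unlimited(a: Approval) -> bool:
    return a.kind == "operator" or a.amount == MAX_UINT256


def revoke_calldata(a: Approval) -> tuple[str, str]:
    """(to, data) of the zero-value transaction the owner sends to revoke this approval."""
    spender_word = format(int(a.spender, 16), "064x")
    selector = SEL_APPROVE if a.kind == "erc20" else SEL_SET_APPROVAL_FOR_ALL
    return a.token, "0x" + selector + spender_word + format(0, "064x")  # amount 0 / false


def revocation_plan(wallet: str, logs: list[dict]) -> list[tuple[str, str, str]]:
    """Outstanding approvals as (to, calldata, human-readable note), unlimited ones first."""
    outstanding = sorted(replay_approvals(wallet, logs), key=lambda a: not is_unlimited(a))
    return [(*revoke_calldata(a), f"{a.kind} {'UNLIMITED' if is_unlimited(a) else a.amount} -> {a.spender}")
            for a in outstanding]


if __name__ == "__main__":
    for to, data, note in revocation_plan(WALLET, SAMPLE_LOGS):
        print(f"send to {to}: {data}   # {note}")
```

Two caveats a practitioner would add. Replaying events is an approximation: some tokens lower an allowance on `transferFrom` without emitting `Approval`, and non-standard tokens may emit nothing at all, so the authoritative check is the token's own `allowance(owner, spender)` and `isApprovedForAll(owner, operator)` view calls against each spender the replay surfaces. And a revocation is itself a signed transaction from the owner's wallet, one per token-spender pair and each costing gas, which is why the advice in the thread to grant as few approvals as possible, and for fixed rather than unlimited amounts, is cheaper than cleaning up afterwards.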
