Security has remained one of the biggest topics of conversation in the blockchain community over the last few months. A couple of hacks and attacks saw more than $1 billion wiped out from DeFi protocols in 2022. Sadly, October and November recorded some of the biggest moves by criminals.
Earlier this month, a Bitcoin Core developer took to social media to state that he lost over $3 million after his PGP key was compromised. The situation revived old fears about security and raised fresh questions about the best approach an average user can adopt to safeguard their assets. This article will explore how to revoke smart contracts on MetaMask. We have another article offering further security insights.
PSA: My PGP key is compromised, and at least many of my bitcoins stolen. I have no idea how. Help please. #Bitcoin
Smart contracts are digital contracts or programs stored on a blockchain that automatically execute when certain predetermined conditions are met. They simply automate the execution of an agreement. This way, all participants are certain of the outcome without any time loss or third-party involvement.
Smart contracts enable trusted agreements and transactions among anonymous parties without the need for a legal system, a central authority, or an external enforcement mechanism.
Everything is compromised.
What Do You Need to Revoke Permissions For?
Users often have to permit smart contracts to use their assets in order to swap tokens, supply liquidity to liquidity pools, stake, or engage with farms. The image below shows how the permission request for a farming pool looks when using MetaMask.
Crypto users have lost a fortune because they were unaware that malicious developers had installed backdoors in smart contracts. Such platforms usually ask for the user’s permission to spend an unlimited amount of the user’s tokens. Audited platforms have increased security. However, newly launched DeFi projects that have not been reviewed or audited are prone to hacks.
Totally agree! I had thousands of @HEXcrypto staked, and one day someone decided to unstake and clean me out. I’m mind blown at how simple it is for Exploiters out there 😫
— ⓧ Jon Theory 👑 (@Xenfluencer) January 2, 2023
Once a platform has been granted unlimited permission to spend a user’s tokens, malicious developers can take control of those tokens by exploiting backdoors they have built into the smart contracts. The hacker retains access even if the user has already withdrawn their tokens from the platform. The fraudulent developers simply proceed to withdraw the users’ tokens into their own wallets.
Keep in mind that hackers are actively looking for weaknesses in the smart contracts of well-known DeFi platforms. What happened to Bancor is a good example of this.
An OpenSea Example
Let’s look at how this works on platforms like OpenSea. In one of the phishing attacks on OpenSea, the attacker leveraged the planned upgrade to a new smart contract. As usual, users rushed to upgrade to the latest smart contract, giving the attacker his golden moment.
The attacker manipulated 17 users into signing fraudulent payloads, then used those signatures to buy the victims’ NFTs for 0 ETH. Here’s the thing to learn here: Crypto users always grant dApps unlimited access to their wallets. And this puts everything at risk.
For example, users have to grant OpenSea permission to list, access, and transfer the NFTs in their wallet before they can trade NFTs on OpenSea. So, if the smart contracts of the dApps they have interacted with are attacked, there’s a possibility that the attacker can withdraw tokens from the connected wallet. This explains the popularity of crypto hacks.
It is advisable to routinely review the smart contracts or dApps that you have permitted to carry out sensitive transactions on your behalf. The rights granted to dApps that you no longer trust or those that are undergoing smart contract updates must be revoked.
It is also a good idea to review dApps that you have not used lately. Anytime you want to resume using a dApp, you can simply re-sign the permissions. These actions will increase your security. Now, let’s look at revoking smart contract permissions.
Revoking Permissions on MetaMask
Since almost everyone uses MetaMask, we’ll show you how to revoke smart contract permissions. It is important to know that there’s a cost attached to revoking permissions. The process requires a gas fee.
Here are the steps:
1. Go to the block explorers for the dApp networks you use. So, Ethereum users will visit Etherscan, while Polygon users will use Polygonscan. Those using BSC-based dApps should head to BSCscan. We’ll use Etherscan for this article.
2. Head to the Approval Checker section on the explorer. Then, click on “Connect to Web3,” which leads to the “Choose a Wallet” window. This window is where you choose the MetaMask option. Then, connect your wallet to the portal. Your MetaMask wallet has to be online for a successful connection.
3. Once connected, search for the token approval you wish to revoke. You can view the smart contracts that have permission to either access each token in your wallet or submit transactions on your behalf for each one. Here, you can choose the particular approval you want to revoke.
4. Then, select “Revoke” to reverse the token approval. Doing so starts a signature request in your wallet. To finish the process, accept this request and pay the necessary gas fee.
While interacting with dApps, you can also control how each token is approved. This is possible when using specific dApp functions or approving transactions. It is better to choose a custom spending restriction when authorizing transactions rather than allowing unlimited spending limits.
For custom limits, click on “Edit Permission” whenever your MetaMask wallet requests approval of a transaction. Then, in the Custom Spending Limit section, enter the spending cap you desire. This prevents the dApp from accessing or conducting transactions exceeding the spending limit you specified.
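To make the difference between an unlimited approval, a custom spending cap, and a revocation concrete, the following added example (not from the original article) classifies the calldata a wallet is asked to sign. It assumes the standard ERC-20 `approve(address,uint256)` and ERC-721 `setApprovalForAll(address,bool)` selectors, under which a revocation is an approval of amount 0; the function names `buildApprove` and `classifyApproval` and the sample spender address are constructed for illustration.

```javascript
// Added example: classify approval calldata shown in a wallet signing prompt.
// Selectors are the standard ERC-20 / ERC-721 ones; the sample address is constructed.
const SELECTORS = new Map([
  ["095ea7b3", "approve"],           // approve(address spender, uint256 amount)
  ["a22cb465", "setApprovalForAll"], // setApprovalForAll(address operator, bool approved)
]);
const MAX_UINT256 = (1n << 256n) - 1n;

// Encode a value as one 32-byte ABI word (64 hex characters).
const word = (v) => v.toString(16).padStart(64, "0");

// Build the calldata of approve(spender, amount); amount 0n clears the allowance.
function buildApprove(spender, amount) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(spender)) throw new Error("bad address");
  if (amount < 0n || amount > MAX_UINT256) throw new Error("amount out of range");
  return "0x095ea7b3" + word(BigInt(spender)) + word(amount);
}

// Return what a piece of calldata would grant: unlimited, capped, or revoke.
function classifyApproval(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  const fn = SELECTORS.get(hex.slice(0, 8));
  // Selector (8 hex chars) followed by exactly two 32-byte words (128 hex chars).
  if (!fn || !/^[0-9a-f]{136}$/.test(hex)) return { kind: "not-an-approval" };
  const addrWord = hex.slice(8, 72);
  // An address is right-aligned in its word; the upper 12 bytes must be zero.
  if (!addrWord.startsWith("0".repeat(24))) return { kind: "malformed" };
  const spender = "0x" + addrWord.slice(24);
  const value = BigInt("0x" + hex.slice(72));
  if (fn === "setApprovalForAll") {
    if (value > 1n) return { kind: "malformed" };
    // true hands the operator every token of that collection in the wallet.
    return { fn, spender, kind: value === 1n ? "unlimited" : "revoke" };
  }
  if (value === 0n) return { fn, spender, kind: "revoke" };
  if (value === MAX_UINT256) return { fn, spender, kind: "unlimited" };
  return { fn, spender, kind: "capped", amount: value };
}

// Constructed sample spender, not a real contract.
const SPENDER = "0x" + "11".repeat(20);
for (const amount of [MAX_UINT256, 1000n, 0n]) {
  console.log(amount.toString(), classifyApproval(buildApprove(SPENDER, amount)).kind);
}
```
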