Limit Allowances

Limit allowances to DApps.

One of the riskiest ways smart contracts work with wallets in the EVM ecosystem is that they require an allowance from a wallet to perform actions on its behalf. For example, in the case of a currency swap, the owner of a wallet grants allowance to the DApp to pull the token it requires. Then the DApp can sweep the token and send back the second part of the swap pair in the same transaction (atomic operation).

In the wider EVM ecosystem, when protocols require such an approval from the wallet, they ask for an unlimited amount, meaning that they can sweep any amount of this token from the wallet (up to the available balance, of course). If the DApp has been hacked or is malicious, the wallet is exposed to a scenario where the entire balance of the token can be swept by the DApp. This makes unlimited allowances one of the most common attack vectors against wallets participating in DeFi.

Fordefi, understanding this risk, lets you modify the allowance just before you approve a DApp to use it.

Edit an allowance for a DApp

When you are interacting with a DApp, before you sign the action itself, the extension pops up with a request to sign the allowance. Note the warning that the allowance requested is unlimited. Don't click Create yet.

  1. In the Allowance amount area, click Edit. Then, deselect the Set Unlimited check box.
  2. In the field that is displayed, specify a limit. Then, click Update amount.

The extension updates to display the limited allowance:

  3. Now, click Create to proceed safely with the request to sign the allowance.
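As an added example (not Fordefi's code), the following Node.js snippet shows what the unlimited-allowance warning is reacting to: it decodes the ERC-20 approve(spender, amount) call a DApp submits for signing, flags an amount equal to the maximum uint256 as unlimited, and rebuilds the call with an explicit limit. The spender address and amounts are constructed sample values.

```javascript
// Added example: decode an ERC-20 approve() request, flag an unlimited
// allowance, and rebuild the same call with an explicit cap. Pure Node.js,
// no network access; the addresses and amounts below are constructed samples.

const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // what "Set Unlimited" actually signs

// Decode calldata for approve(address spender, uint256 amount).
// Returns null when the calldata is not an approve() call.
function parseApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  // Each ABI argument is a 32-byte word; the address is right-aligned in its word.
  const spender = "0x" + hex.slice(8 + 24, 8 + 64);
  const amount = BigInt("0x" + hex.slice(72));
  return { spender, amount, unlimited: amount === MAX_UINT256 };
}

// Encode approve(spender, amount) with standard ABI padding.
function buildApprove(spender, amount) {
  if (amount < 0n || amount > MAX_UINT256) throw new RangeError("amount out of uint256 range");
  const addr = spender.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new TypeError("bad spender address");
  return "0x" + APPROVE_SELECTOR + addr.padStart(64, "0") + amount.toString(16).padStart(64, "0");
}

// Policy: never sign more than the amount this swap needs. A request that is
// already within the limit is passed through unchanged; anything larger
// (including unlimited) is rewritten to the needed amount.
function limitAllowance(calldata, neededAmount) {
  const req = parseApprove(calldata);
  if (!req) return calldata; // not an approve(); leave other calls alone
  if (req.amount <= neededAmount) return calldata;
  return buildApprove(req.spender, neededAmount);
}

// Usage with a constructed sample: a DApp asks for an unlimited allowance,
// but the swap only needs 1,000 tokens (18 decimals).
const SAMPLE_SPENDER = "0x1111111111111111111111111111111111111111"; // constructed
const NEEDED = 1000n * 10n ** 18n;
const requested = buildApprove(SAMPLE_SPENDER, MAX_UINT256);
const decoded = parseApprove(requested);
if (decoded.unlimited) console.log("warning: DApp requested an unlimited allowance");
const capped = parseApprove(limitAllowance(requested, NEEDED));
console.log("signing allowance of", capped.amount.toString(), "for", capped.spender);
```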