How to Secure Your Crypto Wallet with Revoke.cash?
While token approval enhances the DeFi experience, it can also be a gateway to asset loss. To circumvent such risks, specialized tools like Revoke.cash have been devised.
DeFi offers users control over their data. However, along with the advantages of decentralization, this approach demands secure interactions within the network ecosystem from its participants.
In blockchain, where there is no central authority, the security of transactions is maintained through smart contracts and other technical measures. The risk arises from vulnerabilities that can be present in the contract code.
The Ronin Network hack is one of the most significant DeFi cyber-attacks, leading to the theft of over $625 million in ETH and USDC. This incident happened two years ago, but similar attacks continue to occur. For instance, in November 2023, the decentralized exchange KyberSwap was hacked for $46 million.
Before exploring Revoke.cash, let's review four prevalent fraud types in the DeFi ecosystem:
- Seed Phrase Exposure: Scammers often use social engineering to trick users into revealing their crypto wallet's seed phrase. Once they acquire this critical information, they gain enduring access to the user’s assets. Regrettably, a wallet compromised in this manner is forever insecure.
- Disguised ETH Transactions: Fraudsters cunningly request an “eth_sign” signature, camouflaging it amidst other function calls. Signing such a transaction leads to the irreversible loss of funds, though the wallet remains usable.
- NFT Marketplace Deceptions: This type of scam involves tricking users into giving access to their NFTs, under the illusion of a sale or similar transaction.
- Token Approval Flaw: Decentralized platforms use token approvals to lessen transaction fees and streamline user interactions. However, if these platforms are hacked, the approvals can be seized by hackers, leading to a heightened risk of asset theft.
What is Token Approval?
The approve() function call. Source: revoke.cash
Token approval is also essential in NFT interactions. For instance, to trade on NFT marketplaces like OpenSea or Blur, you must give permission to transfer your assets. The same applies to crypto lending where you use an NFT as collateral.
As token approvals are conducted on the blockchain, they are treated like transactions. To record them in the blockchain ledger, users need to pay a fee. DeFi applications often set a high limit for token approvals to save users from incurring this fee with each asset transaction.
This method streamlines interactions within DeFi, sparing users from unnecessary fees. However, it bears a risk: if the smart contract is hacked, a user's token approval may end up in a fraudster's hands, granting them access to the user's assets.
Risks of Token Approval
Smart Contract Vulnerability: The most significant risk in token approval lies in the potential hacking of the smart contract you've authorized. Even leading market players are susceptible to such breaches. For example, a breach in a SushiSwap smart contract in April 2023 led to users losing $3.5 million.
Phishing: A type of fraud where malicious applications masquerade as legitimate ones. This often targets decentralized exchanges (DEXs), token claim websites, and platforms offering bonuses. In token approval, phishing manifests in two ways:
- Direct Approval to Fraudsters: Scammers coerce users into giving access to a smart contract that they control.
- NFT Marketplace Listings: Using social engineering techniques, fraudsters trick users into signing off approvals for selling their NFTs at 0 ETH.
To mitigate these risks, it's wise to regularly check the smart contracts to which you've granted access. This can be done through blockchain explorers or specific applications designed for this purpose, such as Revoke.cash.
An Overview of Revoke.cash
Revoke.cash: A Web3 Security Tool. Source: revoke.cash
Revoke.cash is a web3 security tool aimed at safeguarding users from the potential risks associated with DeFi interactions. This project, initiated in 2019 by enthusiast Rosco Kalis, is presented as a browser extension.
Revoke.cash Features:
- The capability to revoke token approvals.
- Updating the approved token amount.
- Alerts regarding potentially dangerous websites.
- Verification of smart contracts that the user engages with.
This extension informs users about the specifics of operations whenever they intend to grant access to a decentralized application. Users can customize the notification settings, including alerts for token approvals, NFTs, hash signature confirmations, and potential phishing activities.
Revoke.cash is most frequently used for revoking or adjusting the amount of token approval, especially in situations like:
- Engaging with a new DeFi application.
- Discontinuing active use of a DEX.
- Distrusting a particular platform.
There are circumstances, however, where maintaining token approvals is beneficial or necessary, such as when dealing with leading protocols like Uniswap or listing NFTs for sale, where token approval is a requisite.
Revoke.cash supports all EVM-compatible networks, encompassing Arbitrum, Polygon, Optimism, and others, as well as testnets like Goerly and Sepolia.
Testnets Supported by Revoke.cash. Source: revoke.cash
To withdraw token approvals using the Revoke.cash extension, follow these steps:
- Visit the Revoke.Cash website and connect your crypto wallet, like Metamask.
- Choose the network and the specific token for which you wish to withdraw approval.
- Select the "Cancel Permission" option and then confirm this transaction in your wallet.
Effectively, canceling means setting a new approval at a value of “0”. As such, you'll need a small amount of the network's tokens to cover the transaction fee.
Final Word
Security in the web3 space involves a comprehensive set of measures. Relying solely on Revoke.cash won't guarantee 100% safety, but it does help in significantly lowering the risk of potential asset theft.
Always keep your seed phrase confidential, engage only with trusted smart contracts, verify domains to avoid phishing, and spread your risks (using separate wallets for various activities). Prioritizing your security in advance is key to avoiding becoming a victim of fraud.
