If you are a deep DeFi user, you must have been tortured countless times by this cumbersome process. Whenever you use a new dApp, you need to authorize the dApp to spend your tokens.
– Authorization interface on Metamask –
By analogy with the traditional financial industry, this process is somewhat similar to direct debit: authorizing your electricity supplier to deduct the electricity bill from your bank account every month.
However, unlike in the cryptocurrency industry, direct debit in traditional finance is only available to a few trusted companies. Such companies are unlikely to deceive consumers, and even if they occasionally do, consumers can raise an objection and let the bank act as a mediator. There are no such safeguards in the cryptocurrency industry. Some dApps are built by anonymous developers, and there is no dispute mechanism for deceived users. Once a transfer is completed on the blockchain, it cannot be reversed.
What is token authorization? How does it work?
Most tokens on the Ethereum blockchain, such as USDC and DAI, follow the ERC20 standard. ERC20 tokens are actually smart contracts that expose a set of methods such as transferFrom and burn. When these methods are called, the token contract performs the corresponding operation on the tokens.
One of these methods is approve. Any dApp you want to use needs access to your ERC20 tokens in order to operate on them. For example, if you want to deposit USDC into Aave, you first need to grant the Aave dApp's smart contract access to your USDC, and only then can you deposit USDC into Aave in a second transaction. You can see this authorization in your Ethereum wallet's user interface. Although the approved amount (the allowance) is theoretically flexible, most dApps request an unlimited allowance by default to simplify the user experience and minimize the number of transactions a user has to make to use the application.
The security issue here is that most users think their authorization applies to one particular transaction and is limited, but in most cases the user has actually granted the dApp permanent, unlimited access to a token they hold. Therefore, if the dApp has a security flaw or is malicious from the start, an attacker can abuse this allowance to steal all of the approved tokens held by the dApp's users without their consent. This attack can be launched at any time in the future, even years after the user last used the dApp.
How to protect yourself? The good news is that you can protect yourself from such threats. In the next section, we will discuss how to protect the security of your tokens when you use standard Ethereum wallets such as Metamask, and introduce some wallets that can interact with dApps through customized methods.
1. How to manually revoke token authorization
If you want to revoke an allowance manually, you need a tool such as Token Allowance Checker. This type of tool connects to your wallet and scans the blockchain to find all dApp allowances associated with your Ethereum address. You can then edit each allowance: set it to 0 to revoke it, or set it to an amount you are comfortable with. The modification is carried out by interacting with each ERC20 token contract directly.
It is best to perform this process regularly to revoke the allowances of dApps you no longer intend to use. Although this costs a little, because every change has to be settled on-chain, in the long run it is well worth it for the safety of your wallet.
Recommendation: If you want to save on gas, you can install the Gas Station Network browser extension to track the gas price. You can then wait until gas is cheaper before editing your allowances.
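To make the allowance mechanics and the revoke step concrete, here is an added example (not from the original article): a minimal in-memory model of ERC20 approve/allowance/transferFrom, plus the calldata a wallet sends for a real approve(address,uint256) call. The addresses and balances are constructed sample values; Erc20Model, encodeApprove and scenario are hypothetical names.

```javascript
// Added example: models the ERC20 allowance behaviour the article describes.
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance most dApps request

class Erc20Model {
  constructor(balances) {
    this.balances = new Map(Object.entries(balances)); // owner -> bigint
    this.allowances = new Map();                        // "owner|spender" -> bigint
  }
  allowance(owner, spender) {
    return this.allowances.get(`${owner}|${spender}`) ?? 0n;
  }
  // approve: called by the token owner; amount 0n is the revoke step
  approve(owner, spender, amount) {
    this.allowances.set(`${owner}|${spender}`, amount);
    return true;
  }
  // transferFrom: called by the spender (the dApp contract) at any later time
  transferFrom(spender, from, to, amount) {
    const allowed = this.allowance(from, spender);
    if (allowed < amount) return false;                         // contract reverts
    if ((this.balances.get(from) ?? 0n) < amount) return false; // contract reverts
    if (allowed !== MAX_UINT256) this.approve(from, spender, allowed - amount);
    this.balances.set(from, this.balances.get(from) - amount);
    this.balances.set(to, (this.balances.get(to) ?? 0n) + amount);
    return true;
  }
}

// ABI-encode approve(address,uint256): selector 0x095ea7b3, then the spender
// address and the amount, each left-padded to 32 bytes (the revoke tx payload).
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return "0x095ea7b3" + addr + amt;
}

// Scenario: unlimited approval, a later drain, then the same drain after revoke.
function scenario() {
  const user = "0xuser", dapp = "0xdapp", sink = "0xsink"; // constructed labels
  const token = new Erc20Model({ [user]: 1000n });
  token.approve(user, dapp, MAX_UINT256);                       // default dApp request
  const drained = token.transferFrom(dapp, user, sink, 1000n);  // succeeds "years later"
  const token2 = new Erc20Model({ [user]: 1000n });
  token2.approve(user, dapp, MAX_UINT256);
  token2.approve(user, dapp, 0n);                               // allowance checker revoke
  const drainedAfterRevoke = token2.transferFrom(dapp, user, sink, 1000n);
  return { drained, drainedAfterRevoke, revokeCalldata: encodeApprove("0x" + "ab".repeat(20), 0n) };
}
```

The revokeCalldata string is exactly what a wallet submits to the token contract when an allowance checker sets a spender's allowance to 0.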
2. How next-generation Ethereum wallets protect user funds
Some smart contract wallets that have already launched include protection features. Smart contract wallets are highly flexible and can offer users customized ways of interacting with smart contracts. Many of them have therefore implemented their own approval handling to improve both user experience and security.
Native integration: Take Argent as an example
Argent, for example, is a mobile Ethereum wallet that integrates some core DeFi applications natively into the app so that users can borrow, earn yield, and trade.
This type of wallet integrates these dApps at the smart contract level and ensures that, when users interact with them, only the amount actually requested is approved. All of this happens automatically in the background, so Argent users are not even aware that approval transactions exist.
Argent x Wallet Connect
One disadvantage of native integration, as in Argent's case, is that it does not scale: no wallet can integrate every DeFi protocol natively. For most users the applications Argent currently integrates may be enough, but heavy DeFi users interact with more than a dozen different dApps every day and do not want to be limited to a handful.
A standard called WalletConnect solves this problem. WalletConnect lets users connect their mobile wallet to a web application and sign transactions securely from the mobile wallet. Argent has implemented WalletConnect integration with its own customization, allowing users to easily set the allowance amount (goodbye, unlimited approvals). In addition, if Argent users change their minds, they can revoke a dApp's allowance with one click in the Argent app. Since most dApps support WalletConnect, this feature lets Argent users enjoy a very high level of security while exploring the whole DeFi space.
Bulk transactions and dApp keys: Take Authereum as an example
Another smart contract wallet that handles approvals gracefully is Authereum. Authereum is web-based and supported by most Ethereum dApps. In addition, Authereum uses a traditional email and password login, so you can connect your wallet to a dApp in a few seconds. The user experience is similar to that of traditional applications without sacrificing security.
When a user needs to interact with a dApp, Authereum generates a new temporary dApp key, which is used to sign transactions for that specific dApp. The dApp key can only perform a limited set of functions, and Authereum performs some integrity checks: if the domain that initiated the request is not the domain for which the dApp key was created, Authereum can block the transaction or notify the user. Finally, these dApp keys can be deleted from the Authereum wallet at any time.
Packaging multiple transactions into one has many other advantages. One of them is efficiency: batch processing saves both cost and time. Every ordinary transfer transaction on Ethereum requires 21,000 gas, so if a user packs 10 transactions into one, a total of 189,000 gas can be saved. In addition, users save time by submitting a sequence of transactions at once rather than sending them one by one.
The only problem with batched transactions is that dApps need to add some custom logic and UI flows to handle them properly. So far, only a few dApps such as 1inch and Erasure support this transaction model, but we expect more dApps to support it in the future.
Conclusion
Token approvals carry serious security risks. If we want to improve both the user experience and the security of cryptocurrency applications, the approval mechanism clearly needs to be improved. Wallets such as Authereum and Argent can make dApp interactions more secure in innovative ways. Unfortunately, in many cases these transaction models require additional work from dApp developers, so users will need to be patient for a while.
Standard Ethereum wallets that cannot adopt the solutions above should at least let users view and edit the allowances they have granted to dApps. Tools such as token allowance checkers are convenient, but not every user knows about them.
Original link:
https://cryptotesters.com/blog/token-allowances
Author: Emanuel Coen
Translation & Proofreading: Min Min & A Jian