EVM 101 — XRPL-EVM Sidechain · Lesson 3 of 5

Contract approvals — the silent footgun

4 min · read

Token approvals are among the most exploited patterns on EVM chains. A hardware wallet protects your key; it does nothing against an approval you already signed, because the spender never needs your key again.

What an approval does

When you swap USDC for ETH on a DEX, the DEX contract needs to pull your USDC. An ERC-20 contract only lets a third party pull tokens (via transferFrom) up to the allowance you have set for that spender, so you must first approve the contract to spend an amount on your behalf.

You: USDC.approve(uniswap_router, 100 USDC)
You: uniswap_router.swap(USDC → ETH, amount=100 USDC)

Two separate transactions. The first sets your allowance for the router; the second is the actual swap, during which the router calls USDC.transferFrom(you, router, 100 USDC) and your allowance is reduced by that amount.

The footgun

Many dApps request an unlimited approval (type(uint256).max) as the default so you don't pay for a new approval every time; the wallet simply displays what was requested.

When you sign that infinity approval:

  • You've handed the contract a license to move all your USDC, now and at any time in the future, until you revoke it; an unlimited allowance is never used up by spending
  • If the contract is upgradeable (many are proxies) and is later pointed at malicious code, that code can call transferFrom on you immediately
  • If the contract's owner or admin key is stolen, every user with an outstanding approval is at risk, with no further action needed from them
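The allowance rules above, and the difference between an exact and an unlimited approval once the spender turns hostile, as an added in-memory model. This is example code written for this lesson, not the Gopnik wallet's code or any real token contract; the addresses and balances are constructed, and the "never decrement an unlimited allowance" rule mirrors OpenZeppelin's ERC20 (some tokens decrement anyway, which changes nothing in practice since 2^256 is never exhausted).

```javascript
// Added example (not from the lesson or the Gopnik wallet): a minimal
// in-memory model of the ERC-20 allowance rules, enough to show what an
// approval permits and why an unlimited one is dangerous.
const MAX_UINT256 = (1n << 256n) - 1n;
const USDC_DECIMALS = 6n;
const usdc = (n) => BigInt(n) * 10n ** USDC_DECIMALS; // 100 USDC -> 100_000_000 base units

class Erc20 {
  constructor() {
    this.balance = new Map();   // owner -> balance
    this.allowance = new Map(); // `${owner}:${spender}` -> allowance
  }
  mint(to, amount) { this.balance.set(to, (this.balance.get(to) ?? 0n) + amount); }
  balanceOf(a) { return this.balance.get(a) ?? 0n; }
  allowanceOf(owner, spender) { return this.allowance.get(`${owner}:${spender}`) ?? 0n; }
  // approve() overwrites the allowance; approve(spender, 0) is the revoke.
  approve(owner, spender, amount) { this.allowance.set(`${owner}:${spender}`, amount); }
  // transferFrom is the pull: the *spender* calls it, and it succeeds only
  // up to the remaining allowance. An unlimited allowance is not decremented
  // (as in OpenZeppelin's ERC20), so it is never used up.
  transferFrom(spender, from, to, amount) {
    const allowed = this.allowanceOf(from, spender);
    if (allowed < amount) throw new Error("ERC20: insufficient allowance");
    if (this.balanceOf(from) < amount) throw new Error("ERC20: transfer amount exceeds balance");
    if (allowed !== MAX_UINT256) this.allowance.set(`${from}:${spender}`, allowed - amount);
    this.balance.set(from, this.balanceOf(from) - amount);
    this.mint(to, amount);
  }
}

// Constructed scenario: the user holds 1,000 USDC and swaps 100 through a router.
// Later the router (its upgraded implementation, or whoever holds its owner key)
// turns hostile and tries to pull everything that is left. Addresses are placeholders.
function scenario(approvalAmount) {
  const t = new Erc20();
  const user = "0xuser", router = "0xrouter", attacker = "0xattacker";
  t.mint(user, usdc(1000));
  t.approve(user, router, approvalAmount);
  t.transferFrom(router, user, router, usdc(100)); // the legitimate swap
  let drained = 0n;
  try {
    const remaining = t.balanceOf(user);
    t.transferFrom(router, user, attacker, remaining); // the hostile pull
    drained = remaining;
  } catch (e) {
    // allowance exhausted: the pull reverts and the user keeps the rest
  }
  return { userLeft: t.balanceOf(user), drained, allowanceLeft: t.allowanceOf(user, router) };
}

const exact = scenario(usdc(100));       // exact approval: hostile pull reverts, 900 USDC kept
const unlimited = scenario(MAX_UINT256); // unlimited approval: 900 USDC gone, allowance still max
```

With the exact approval the swap consumes the whole allowance and the later pull reverts; with the unlimited approval the allowance is untouched by the swap and the remaining 900 USDC leaves in one transferFrom, with no signature from the user.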

The history

  • 2021 — Furucombo: roughly $14M lost after an attacker got Furucombo's proxy to delegatecall a malicious contract; users with outstanding approvals to Furucombo were drained
  • 2022 — Multichain bridge: a bug in a router contract let anyone call transferFrom against users who had approved it; roughly $3M drained before users could revoke
  • 2023 — Phishing "drainer" kits became the dominant approval-based theft: a fake dApp gets you to sign approve() (or a permit signature) for the attacker's contract, then empties the token
  • 2024 — Ongoing: fake "revoke" sites that claim to clean up your approvals but whose transactions grant new ones

How to defend yourself

  1. Prefer amount-limited approvals. If you're swapping 100 USDC, approve exactly 100 USDC, not infinity. A plain ERC-20 approval never expires; only Permit2-style allowances carry an expiry, so use a short one where the dApp offers it.
  2. Revoke approvals you no longer need. A revoke is just approve(spender, 0) on the token contract. Tools like revoke.cash list every approval on your address and let you bulk-revoke the unused ones; each revoke is a transaction and costs gas.
  3. Audit before approving. Check the contract address on the block explorer. Is its source verified? How old is it? How many users and how much value has it handled? If you can't find positive answers, don't approve.
  4. Don't trust UIs. A phishing dApp will ask for an approval whose spender is the attacker's address, then drain you. Verify the spender and the amount in the wallet's signing prompt, decoded from the calldata, not in what the dApp's page says.
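Steps 1, 2 and 4 in code: decoding the approve() calldata a dApp hands the wallet, checking the spender and amount against what the user expects, and building the revoke. This is an added example for this lesson, not the Gopnik wallet's implementation; the selector is the real ERC-20 approve(address,uint256) selector, but the router and phishing addresses and the sample calldata are constructed placeholders.

```javascript
// Added example (not the Gopnik wallet's code): decode the calldata a dApp
// hands the wallet and check it *before* signing. This is what a signing
// prompt should show, independent of whatever the dApp's UI claims.
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode approve(address spender, uint256 amount); ABI words are 32 bytes each.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64) throw new Error("unexpected calldata length for approve()");
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) throw new Error("not an ERC-20 approve() call");
  const spenderWord = hex.slice(8, 72);
  // An address occupies the low 20 bytes of its word; the high 12 bytes must be zero.
  if (spenderWord.slice(0, 24) !== "0".repeat(24)) throw new Error("malformed spender word");
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + hex.slice(72, 136)),
  };
}

// The check the lesson asks for: is the spender the contract the user believes
// they are interacting with, and is the amount bounded by what the action needs?
function reviewApprove(calldata, expectedSpender, neededAmount) {
  const { spender, amount } = decodeApprove(calldata);
  const warnings = [];
  if (spender !== expectedSpender.toLowerCase()) warnings.push(`spender ${spender} is not the expected contract`);
  if (amount === MAX_UINT256) warnings.push("unlimited approval (type(uint256).max)");
  else if (amount > neededAmount) warnings.push(`approval of ${amount} base units exceeds the ${neededAmount} needed`);
  return { spender, amount, unlimited: amount === MAX_UINT256, warnings };
}

// Calldata for the revoke: approve(spender, 0), sent to the token contract.
function encodeRevoke(spender) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + "0".repeat(64);
}

// Constructed samples (placeholder addresses): a phishing dApp requests an
// unlimited USDC approval to its own contract, versus the exact 100 USDC
// (100_000_000 base units, 6 decimals) approval the real router needs.
const ROUTER = "0x1111111111111111111111111111111111111111";
const PHISH = "0x2222222222222222222222222222222222222222";
const unlimitedToPhish = "0x" + APPROVE_SELECTOR + PHISH.slice(2).padStart(64, "0") + "f".repeat(64);
const exactToRouter = "0x" + APPROVE_SELECTOR + ROUTER.slice(2).padStart(64, "0") + (100_000_000n).toString(16).padStart(64, "0");

const phishReview = reviewApprove(unlimitedToPhish, ROUTER, 100_000_000n); // two warnings
const routerReview = reviewApprove(exactToRouter, ROUTER, 100_000_000n);    // no warnings
```

The wallet should refuse to present a transaction whose decoded spender differs from the contract the user navigated to, and should make an unlimited amount visually unmissable; the revoke encoder is what an approval manager sends when the user clicks "revoke".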

What the Gopnik wallet does

For iteration A:

  • The send form sends native ETH directly; native coin transfers have no allowance mechanism, so no approvals are involved.
  • ERC-20 send flows always show the destination contract in plain text before signing.
  • Future iterations add a built-in approval manager (review + revoke approvals) and an allow-list of audited contracts the wallet flags as safe.

Approvals are not optional in the DeFi world — you have to grant some to do anything. The skill is knowing how much, to whom, and when to revoke.