Coinbase's Trust & Safety team has identified infinite token approvals as a rising threat in the Web3 ecosystem; one example is the $11 million LI.FI protocol exploit. While infinite approvals offer convenience, they can pose significant security threats if not managed properly. This blog post outlines the risks and provides actionable steps to safeguard your assets.
Infinite token approvals allow a smart contract to spend an unlimited number of your tokens without requiring further authorization. This feature streamlines frequent interactions with decentralized applications (dApps), but can leave your assets vulnerable if the approved contract is compromised. Since 2020, over $405 million has been stolen through approval exploits (source: revoke.cash).
An attacker identifies a vulnerability in a smart contract that has been granted infinite approval by numerous users. By exploiting this vulnerability, the attacker can drain an unlimited number of tokens from affected users' wallets. Refer below for a high-level flow of this exploit.
To mitigate the risks associated with infinite token approvals, we recommend the following best practices:
Regularly Review and Revoke Token Approvals: Periodically check your wallet for active token approvals and revoke any that are no longer necessary. Tools like Revoke.cash can help you manage and revoke approvals easily.
Use Transaction Previews: When available, use transaction preview features to view the outcome of your transactions before signing. This can help identify suspicious activities or unexpected changes in token balances.
Verify Contract Legitimacy: Verify the legitimacy of a contract or dApp before granting any approvals. Scanning tools like De.Fi can help you identify potential risks and gauge legitimacy. Be wary of unknown or untrusted contracts.
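One way to carry out the periodic review described above, as an added example (not code from Coinbase or Revoke.cash): replay a wallet's ERC-20 `Approval` event logs and list the allowances still in force, flagging unlimited ones. The addresses and logs are constructed, and the `2**255` threshold for "effectively unlimited" is an assumption.

```python
# Added example: find ERC-20 allowances still in force from Approval logs.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**255  # assumption: anything this large is effectively unlimited

def topic_to_address(topic):
    """Indexed address topics are 32 bytes, left-padded; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def active_approvals(logs, owner):
    """Replay logs in chain order; return the owner's non-zero allowances."""
    owner, state = owner.lower(), {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):
        topics = log["topics"]
        # ERC-721 reuses this topic with 4 topics (indexed tokenId); skip those.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner or len(log["data"]) != 66:
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        state[key] = int(log["data"], 16)  # a later approval overwrites an earlier one
    return [
        {"token": t, "spender": s, "allowance": v, "unlimited": v >= UNLIMITED_FLOOR}
        for (t, s), v in sorted(state.items()) if v > 0  # 0 means revoked
    ]

def _log(token, owner, spender, value, block, index):
    """Build a constructed log in the shape eth_getLogs returns."""
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"),
            "blockNumber": hex(block), "logIndex": hex(index)}

# Constructed sample data (placeholder addresses, not real contracts).
OWNER, OTHER = "0x" + "aa" * 20, "0x" + "dd" * 20
TOKEN_1, TOKEN_2 = "0x" + "11" * 20, "0x" + "22" * 20
SPENDER_A, SPENDER_B = "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE_LOGS = [
    _log(TOKEN_1, OWNER, SPENDER_A, MAX_UINT256, 100, 0),  # infinite approval
    _log(TOKEN_2, OWNER, SPENDER_B, 500, 101, 3),          # bounded approval
    _log(TOKEN_2, OWNER, SPENDER_B, 0, 105, 1),            # later revoked
    _log(TOKEN_1, OTHER, SPENDER_A, MAX_UINT256, 106, 0),  # different wallet
    _log(TOKEN_2, OWNER, SPENDER_A, 1000, 107, 2),         # bounded approval
]

if __name__ == "__main__":
    for row in active_approvals(SAMPLE_LOGS, OWNER):
        print(row)
```

Logs give an upper bound, since `transferFrom` can reduce an allowance without emitting `Approval`; confirm each result with the token's `allowance(owner, spender)` call before deciding what to revoke.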
The convenience of infinite token approvals comes with significant risks. By following the steps outlined in this PSA, you can substantially reduce the risk of losing your tokens through compromised approvals. Remember, in the world of DeFi, security should always take precedence over convenience.