A Reddit user warned of the risks of unchecked smart contracts, advising the community to rescind approvals on a regular basis.
Following the worst year for crypto hacks and exploits, the crypto community has issued some advice to newbie investors for 2023: regularly check smart contract approvals and revoke access.
On January 1, Reddit user 4cademy advised the r/CryptoCurrency subreddit that they had approved a slew of smart contracts over a two-year period and “thought it was time to check my approved smart contracts.”
They discovered that “nearly all” of their approvals were for “unlimited amounts,” prompting them to revoke approvals for all smart contracts in their wallet because it was “better safe than sorry,” and advised others to “at least check your approvals and possibly revoke them.”
According to the user, the reason for doing so is that some users of decentralised finance (DeFi) protocols or nonfungible tokens (NFTs) may have mistakenly approved malicious smart contracts from phishing attempts that are waiting to steal user funds.
Such ice phishing scams have previously been successful, with one elaborate month-long scam involving an offering from a fake film studio resulting in 14 Bored Ape Yacht Club (BAYC) NFTs stolen from a single wallet.
Even well-known “good-behaving” contracts should be revoked because hackers may find ways to steal funds from connected wallets.
Around $2.1 billion was stolen in 2022 from DeFi protocols and cross-chain bridges, where attackers found vulnerabilities in existing smart contracts to carry out their heists.
The user went on to advise to “use different wallets for different purposes,” such as having one wallet that only interacts with smart contracts and another that doesn’t and is only used to hold funds.
Users who commented on the post also suggested that all smart contract approvals be revoked on a recurring basis, such as on the first of every month or even at the start of every week.
Others proposed third-party services to check and revoke smart contract approvals across multiple chains, including BNB Smart Chain, Ethereum, and Polygon.
According to one user, the “best” advice is to interact with as few smart contracts as possible, and that “revoking permissions is good practise, but not giving permissions in the first place is better.”
