Published on June 4th, 2026 by The RateMyWallets Team

How to Revoke Wallet Permissions: The EVM Security Audit Everyone Should Run

Here is an uncomfortable truth: every time you have used Uniswap, Aave, OpenSea, or nearly any other DeFi protocol, you likely signed token approvals that persist indefinitely on the blockchain. Long after you stopped using an app, those permissions remain active, leaving your assets exposed to smart contract exploits. A forgotten approval from two years ago could drain your account today without any warning. The good news is that this is fixable in under five minutes.

What Is a Token Approval?

When you interact with a DeFi protocol, you authorize its smart contract to move tokens from your wallet. This is a required step for swapping, borrowing, or providing liquidity.

The problem is that most protocols default to requesting unlimited access, meaning the smart contract can move any amount of that token, forever. These approvals live on-chain permanently. Deleting the app, clearing your browser cache, or moving funds elsewhere does NOT remove them.

NFT marketplaces use a function called setApprovalForAll, which grants a contract access to your entire NFT collection with a single click. For more on protecting those assets, see our guide on how to securely store your NFTs.

As a non-custodial wallet user, managing these permissions is entirely your responsibility.

Why This Is a Real Risk

If a smart contract you approved gets exploited, attackers can drain your tokens using your existing permission, with no further action needed from you. No new transaction, no prompt, no warning. Your wallet can be emptied while you sleep.

According to Scam Sniffer, over $84M was lost to crypto phishing and drainer attacks across EVM chains in 2025. The attack pattern is straightforward: a user visits a malicious site, signs one approval, and their portfolio is drained within seconds.

The critical point: you do not need to be actively using a protocol for the risk to remain. One forgotten approval from two years ago is enough.

Note that Permit and Permit2 signatures are a separate approval type that standard checkers may not catch; Etherscan's Permit signature checker covers these specifically.

How to Run the Audit (Step by Step)

Use a wallet approval checker such as Revoke.cash or Etherscan's Token Approval Checker. Here is how:

  • Step 1: Open your approval checker and connect your wallet address. Approvals on EVM chains are tracked per network, so each one must be checked separately: your Ethereum mainnet approvals are separate from those on Base, Arbitrum, Optimism, and Polygon. Check each chain you use.
  • Step 2: Connect your wallet. This is a read-only connection; your private keys never leave your device.
  • Step 3: Review your approvals list. Note the protocol name, the amount authorized (flag anything marked "Unlimited"), and the last active date.
  • Step 4: Revoke the risky ones. Each revocation is an on-chain transaction requiring a small gas fee in ETH, typically under $0.10 on Layer 2 networks like Base or Arbitrum, and higher on Ethereum mainnet.

What to Revoke First

Use this table to prioritize:

Priority    | Approval Type                                       | Action
Revoke now  | Unlimited approval to unknown or inactive protocol  | Revoke immediately
Revoke soon | Unlimited approval to reputable but unused protocol | Revoke when gas is low
Review      | Limited (fixed-amount) approval to unused protocol  | Revoke if no longer needed
Keep        | Approval to a protocol you use regularly            | Consider switching to a limited amount
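
The logic behind Steps 3 and 4, as an added example that is not part of the original article or any checker's own code: it replays a wallet's Approval and ApprovalForAll event logs to find which grants are still live, lists unlimited ones first, and builds the calldata that would revoke each. It assumes logs shaped like JSON-RPC eth_getLogs results with block numbers already converted to integers; the sample logs and addresses are constructed placeholders.

```python
APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # Approval(address,address,uint256)
APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"  # ApprovalForAll(address,address,bool)
MAX_UINT256 = 2**256 - 1  # the "Unlimited" amount most dapps request

def addr(topic):  # indexed address topics are 32 bytes, left-padded; keep the low 20
    return "0x" + topic[-40:].lower()

def live_approvals(logs, owner):
    """Replay logs oldest-first; the latest event per (token, spender) wins."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        # ERC-20 Approval has 3 topics; ERC-721 per-token Approval has 4 and is skipped here.
        kind = {APPROVAL: "erc20", APPROVAL_FOR_ALL: "nft_all"}.get(t[0])
        if kind is None or len(t) != 3 or addr(t[1]) != owner.lower():
            continue
        key = (log["address"].lower(), addr(t[2]), kind)
        state[key] = int(log["data"], 16)  # 0 / false means the grant was revoked
    return {k: v for k, v in state.items() if v}

def revoke_calldata(spender, kind):
    """Calldata for approve(spender, 0) or setApprovalForAll(operator, false)."""
    selector = "095ea7b3" if kind == "erc20" else "a22cb465"
    return "0x" + selector + spender[2:].rjust(64, "0") + "0" * 64

def audit(logs, owner):
    """Unlimited grants first, each with the calldata that would revoke it."""
    rows = [{"token": tok, "spender": sp, "kind": k,
             "unlimited": k == "nft_all" or v == MAX_UINT256,
             "revoke": revoke_calldata(sp, k)}
            for (tok, sp, k), v in live_approvals(logs, owner).items()]
    return sorted(rows, key=lambda r: not r["unlimited"])

# Constructed sample logs (addresses are placeholders, not real contracts).
def _log(block, token, topic0, owner, spender, value):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"blockNumber": block, "logIndex": 0, "address": token,
            "topics": [topic0, pad(owner), pad(spender)], "data": "0x%064x" % value}

ME, S1, S2, S3 = ("0x" + c * 40 for c in "e123")
SAMPLE = [
    _log(150, "0x" + "a" * 40, APPROVAL, ME, S2, 0),            # later revoke of the 500 grant
    _log(100, "0x" + "a" * 40, APPROVAL, ME, S1, MAX_UINT256),  # unlimited ERC-20
    _log(120, "0x" + "a" * 40, APPROVAL, ME, S2, 500),
    _log(130, "0x" + "b" * 40, APPROVAL_FOR_ALL, ME, S3, 1),    # whole NFT collection
    _log(140, "0x" + "c" * 40, APPROVAL, ME, S1, 1000),         # limited ERC-20
]
```

Event replay can overstate an ERC-20 allowance that has since been partly spent, so confirm the figure with the token's allowance(owner, spender) call before deciding. Permit and Permit2 grants are not covered by this replay.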

Approve Smarter Going Forward

Once you have cleaned up existing approvals, build better habits. Where the protocol allows it, request limited approvals instead of unlimited. Uniswap v3, for example, lets you authorize exact amounts per trade rather than granting unlimited access.

Rabby wallet shows approval risk warnings before you sign and lets you set exact approval amounts per transaction, which is worth considering as your primary DeFi interface.

Run this audit every three to six months as routine wallet hygiene.