How to protect your Ethereum wallet

Learn how to manage your wallet permissions to protect yourself from hacks & exploits



Dear Bankless Nation,

You’ve likely given dozens of DeFi apps the ability to withdraw funds from your wallet.

Guess what? They still have this ability unless you turn it off. 😱

And what happens if one of those contracts gets exploited? Or the DeFi app turns into a rug pull? Lost funds. Game over. Please insert more tokens to continue.

But with a bit of Ethereum wallet hygiene you can protect yourself.

Just go through and revoke contract access from time-to-time. And revoke permissions quicker with newer, untested applications so you don’t get UniCatted.😼 (We’ll explain)

Good dental hygiene stops cavities. Good crypto hygiene could save you a fortune.

William shows you how to revoke permissions to protect your crypto.

- RSA




TACTICS TUESDAY

Tactic #64: How to Revoke Permissions and Protect Your Ethereum Wallet

Bankless Writer: William M. Peaster, creator of the DeFi Arts Intelligencer

Accessing services from Ethereum smart contracts often involves “approving” the contracts to spend your tokens.

Yet if you approve lesser-known contracts with vulnerabilities that let hackers steal assets, the tokens in your wallet can be at risk. That’s why it’s important to always manage your contract permissions on MetaMask.

This tactic will show you how to easily manage and revoke your ETH wallet’s permissions so you can ensure total sovereignty over your Ethereum assets and activities. 

  • Goal: Learn how to revoke ETH wallet permissions

  • Skill: Easy

  • Effort: 5 mins

  • ROI: Priceless (when it comes to protecting your tokens)


Background

Smart contract permissions, sometimes referred to as token allowances, are an aspect of Ethereum that allows smart contracts, your wallet, and your tokens to easily interoperate. This in turn helps Ethereum applications to smoothly operate as users approve tokens to plug into the Ethereum ecosystem as they please.

But it’s also important that you clean up your permissions routinely. Consider it among your best security practices as an early citizen of Bankless nation.

Because if you don’t keep on top of contract permissions, you’re potentially opening yourself up to the risk of a compromised smart contract that could steal your tokens.

Indeed, token allowances are not a flaw of ERC-20 tokens; rather, we have to be mindful not to give permission (or allow permission for longer than needed) to unproven smart contracts or ones we no longer use.

You wouldn’t hand your physical wallet to a stranger and expect great results—don’t do it with your ETH wallet either! Especially when it comes to newer projects. 

Don’t get UniCatted 😼

Last month, a new “yield farming” project called UniCats launched. It was hard to cut through the noise in DeFi at the time, and the project turned out to be malicious: its deployer built a scheme around it involving token allowances.

As traders arrived for the apparently novel yield opportunity, the UniCat dev reaped more and more token allowances until they finally pulled the rug and started stealing users’ tokens. 

As illustrated by researcher Alex Manuskin last month in an insightful Twitter thread on the episode, one UniCat user even lost ~$140,000 worth of Uniswap’s UNI tokens in the ploy.

It was an awful incident, so here we’ll consider it Exhibit A for why we have to stay on top of our smart contract permissions as Ethereum users.

So with that, let’s learn how to manage your wallet permissions.

How to Revoke ETH Wallet Permissions

Luckily for us, the Ethereum community has some incredible open-source contributors who routinely release amazing tools. Among these folks is AlphaWallet’s James Sangalli, who earlier this year released an open-source “ETH Allowance” tool.

We can use this solution to easily revoke token allowances, so here’s how the process works: 

1. Use Etherscan to find the contract you want to revoke.

Let’s say you recently interacted with a sketchy project like UniCat and now you want to revoke token allowances to it. Identify the project’s contract address and copy it. Using Etherscan’s “clipboard” button (as seen next to UniCat’s address below) makes this easy. 

2. Navigate to the ETH Allowance website. You’ll arrive at the page seen below.

3. Connect your ETH wallet. Per usual, we’re using the popular MetaMask browser wallet. Once you do, a list of your approved smart contracts will pop up, which will look like so:

4. Use the Find feature through your browser to paste in and search for the address you want to revoke. To make things simple, I’ll simply revoke the first address depicted above, which is tied to OmiseGo’s OMG token. When I click “Revoke,” I’m prompted to send a revoke transaction, which looks like this:

5. Confirm the transaction, and you’re done! Once that transaction goes through, the address you wanted to revoke will no longer have token allowance privileges to your wallet. You can rest easy at this point.
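What the revoke transaction in steps 4 and 5 contains at the ERC-20 level, as an added example (not code from the ETH Allowance tool or from this newsletter): a revoke is a call to the token's standard `approve(spender, 0)`, so the calldata your wallet shows can be decoded and checked before you confirm. The helper names and the sample addresses are constructed for illustration.

```javascript
// ERC-20 function selectors (first 4 bytes of keccak256 of the signature).
const APPROVE_SELECTOR = "095ea7b3";   // approve(address,uint256)
const ALLOWANCE_SELECTOR = "dd62ed3e"; // allowance(address,address)
const MAX_UINT256 = (1n << 256n) - 1n; // the usual "unlimited" approval amount

// Left-pad an address or a hex number to one 32-byte ABI word.
function word(hex) {
  const h = hex.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{1,64}$/.test(h)) throw new Error("bad hex: " + hex);
  return h.padStart(64, "0");
}

function checkAddress(addr) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(addr)) throw new Error("bad address: " + addr);
  return addr;
}

// Calldata of a revoke: approve(spender, 0), sent to the TOKEN contract.
function buildRevoke(spender) {
  return "0x" + APPROVE_SELECTOR + word(checkAddress(spender)) + word("0");
}

// Calldata for a read-only allowance(owner, spender) call, to confirm the revoke.
function buildAllowanceQuery(owner, spender) {
  return "0x" + ALLOWANCE_SELECTOR + word(checkAddress(owner)) + word(checkAddress(spender));
}

// Classify the calldata a wallet asks you to sign.
function describeCalldata(data) {
  const h = data.toLowerCase().replace(/^0x/, "");
  if (!h.startsWith(APPROVE_SELECTOR)) return { kind: "not-an-approve" };
  // Selector + two 32-byte words; the address word carries 12 zero bytes of padding.
  if (!/^[0-9a-f]{136}$/.test(h) || !/^0{24}$/.test(h.slice(8, 32))) return { kind: "malformed-approve" };
  const spender = "0x" + h.slice(32, 72);
  const amount = BigInt("0x" + h.slice(72, 136));
  const kind = amount === 0n ? "revoke" : amount === MAX_UINT256 ? "unlimited-approve" : "limited-approve";
  return { kind, spender, amount };
}

// Constructed sample addresses, not real contracts or wallets.
const SPENDER = "0x" + "ab".repeat(20);
const OWNER = "0x" + "cd".repeat(20);
console.log(describeCalldata(buildRevoke(SPENDER)));
```

After the revoke confirms, the `allowance(owner, spender)` query against the same token should return zero.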

Conclusion

Not every token allowance is a vulnerability—there are plenty of dapps that are battle-tested and proven at this point, like Uniswap, and permissions to such dapps help us make the most of them as early adopters.

But in the decentralized ecosystem that we’re in, we can’t grant this trust to projects that aren’t yet proven or that haven’t been properly audited before. That’s why we have to take matters into our own hands by managing our smart contract permissions regularly and weeding out token allowances that we’re no longer using or no longer trust.

We don’t know what will come next as Ethereum users, but we can prepare for the unknown in a cautious and practical fashion.


Action steps:


Author Bio

William M. Peaster is a professional writer and creator of the DeFi Arts Intelligencer. He’s recently been contributing content to DeFi Pulse Farmer, defiprime, and beyond.




Not financial or tax advice. This newsletter is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research.


Disclosure. From time-to-time I may add links in this newsletter to products I use. I may receive commission if you make a purchase through one of these links. I’ll always disclose when this is the case.