Each time anyone tries to use a new decentralized application (DApp) on Binance Smart Chain, you need to give this DApp an allowance for it to spend your tokens on your behalf. If you’re a veteran DeFi user you’ve probably done this workflow a thousand times.
In comparison, this process is somewhat similar to when you authorize your utility provider to set up a direct debit allowing it to charge your electricity bill from your bank account on a monthly basis. However, if a malicious DApp receives a wallet address owner's approval to spend their tokens, there is no doubt that all funds will be stolen. Once a transaction is sent on the blockchain it is irreversible.
What is a token allowance and how does it work?
The BEP20 token contract has an approved method. Any dApp that you want to use needs access to yourBEP20 token in order to do something on your behalf. If you want to deposit BUSD in PancakeSwap for example, you need to first give the smart contract powering the PancakeSwap DApp access to your BUSD before you can deposit it in a second transaction. Most DApp ask for an unlimited number by default for simplifying the UX and minimizing the amount of transactions users have to make to use the application.
How to protect yourself?
The good news is that you can protect yourself against these kinds of threats by withdrawing the approvals.
How to revoke access to your tokens manually
Go and visit: https://bscscan.com/tokenapprovalchecker
Input your address
Connect MetaMask with BscScan
Confirm to revoke approval
You can also check out this Knowledge Base article.
Token allowances represent a huge security risk. It is clear that progress needs to be made in this area if we want to improve the user experience and security in the crypto space. With this feature rolled out, we hope the community can keep better track of token approvals and collectively reduce our funds lost to phishing!