To interact with crypto in the decentralized world, you will often be asked to connect your Metamask wallet and more. You will also often be asked to approve certain transactions/transactions (any change in the blockchain happens only through a transaction, any transaction you need to approve with your wallet, it turns out that the security of your funds in the wallet is only in your hands).
This is what we will focus on in this post. We will not consider disclosure or loss of the sid-phrase, it’s already clear, we do not show the sid-phrase to anyone and we do not store it electronically.
Let’s go. First of all about the problems
Permission type 1️⃣: Connection to the site.
The standard permission implies: viewing balance, activity, and the ability to initiate transactions. No serious consequences, only if you don’t sign a consent for more or get scammed (if you use apps from the top 5 in defi and don’t get phishing site, there will be no problems).
Approve type 2️⃣:
Approve – you give permission for a smart contract to interact with a certain amount of tokens as and when it demands them. You should always stop and think when you are asked to approve something, as this usually involves giving control of your assets to a smart contract, which could have been written by anyone
Permission Type 3️⃣:
Transaction Approval – you do a normal exchange, add liquidity, etc. When you click Swap the smart contract initiates the transaction and you confirm the exchange, then the smart contract according to a pre-defined algorithm with pre-defined parameters performs the action. The main risks will be: increased commission, slippage or buying a token that you can’t sell.
Type 4️⃣:
This type is not about permissions, but no less important, you need to follow the links carefully and not get to a phishing site.
Problem solving
Permission type 1️⃣:
Connection to the site. When prompted, the Metamask popup says what you are giving access to, read it carefully. At the top of the popup will be the site/project name you are connecting to, make sure it matches the one you originally decided to connect to. For obscure sites, use a spare Metamask wallet, which does not have your money on it, only for commission.
Resolution Type 2️⃣:
Approve. This item will be broken down into 2 blocks.
Block 1: Problem smart contract: Approve you grant the smart contract. MetaMask will show you the address of the smart contract before you sign any transaction associated with it. The number (example: 0xaee4d11a16B2bc65EDD6416Fb626EB404a6D65BD) will be written in the MetaMask pop-up box.
Enter the address into the search bar of the block browser. Each blockchain has a different one, but Ethereum-compatible blockchains have block observers with the same interface (some of them: etherscan.io bscscan.com polygonscan.com). In many, you will see whether or not the smart contract code has been verified.
You can also check to see if the contract has a name – if it doesn’t, it just might be new, or it might be a scam. You don’t need to dive too much into the browser, but you need to remember that first you copy the smart contract number, go to the browser of the desired blockchain, find the smart contract, and look at all the tabs: the wallet number of the smart contract creator, the number of transactions, which smart contracts were connected, which tokens are on the smart contract, and the Comments section, in which other users can write that the project is scam (but this does not guarantee anything).
Only after that think about transaction confirmation, without your confirmation you can not steal crypto. You can also change the number of tokens you are giving access to, do not be stingy with the commission and limit the number of tokens available to the smart contract. This is also done in the Metamax popup.
Box 2: Revoke Approve: During Approve the smart contract asks for your permission to use your tokens, and usually it takes permission to use a number with ten zeros so you don’t have to ask permission again later on, for example for every 10 Matic tokens, in order to save the user gas, it asks for 1000000000 Matic tokens at once in order not to pay commission every time.
Therein lies the big problem. For example, on Uniswap you were exchanging Usdc tokens, you gave permission for unlimited tokens, then made the exchange and left. But the permission for the Usdc tokens remains and you have these tokens on your balance, after some time Uniswap hacks and steals your Usdc because the permission was given.
How do you fight this? There are crutch solutions like revoke.cash, but this can also be done in any blockchain browser, for example on Ethereum blockchain, go to etherscan.io browser, under “More” and select “Token Approvals”. In this section, in any blockchain browser, you connect the wallet and revoke the approvals. This is the safest method, without the use of crutches and other people’s links.
Permission view 3️⃣:
During transaction confirmation and token purchase, check recent token contract activity. Copy the token contract number, go to the blockchain block browser (links can be found on the blockchain token page on coinmarketcap).
Look at recent transactions. For example, a popular scheme, sell you a token and prohibit you from selling the token in the code (for example, they write in the code that only one wallet number can sell or many conditions must be met to sell) so if you do not see any transactions selling the token, only buying, you may have encountered a fraud.
View 4️⃣:
Use Coingecko, Coinmarketcap sites to get the right links to project pages, otherwise there is a risk of being taken to a phishing site. You should also look at the token information and their social media. A little bit of your diligence will save your funds.
How do I protect myself when interacting with crypto through Metamask? Part 3.
Given that you’re giving yourself access to smart contracts, ask yourself questions before each confirmation:
– Does the decentralized application I’m interacting with need access to all my tokens?
– Is it a real or non-malicious site?
– Are you willing to pay another fee to remove permission to use the tokens?
– If you see “ApprovalForAll” in Metamask be wary, because, the smartcontract wants permission for all your tokens in your wallet!
If you’re not sure about a site, transaction, or smart contract, don’t use your main wallets, make a backup wallet with some tokens to pay the fee, and test new tools on it. Because you won’t be able to cancel a transaction or get your crypto back if you lose it. Ideally, use a separate device for your main wallet, so you don’t catch a virus as well.
And if you disconnect your wallet from the site, do you need to cancel the permission to use your tokens? Yes!!
Disconnecting your wallet from the decentralized app includes revoking permission to view your public address and your token balance and, depending on what you originally agreed to, stopping the initiation of transactions and viewing past activity.
Revoking Approve/approve/permit means that the decentralized application can no longer access and move the contents of your wallet. These are different things, disconnecting your wallet from the site and not revoking Approve/approve from you can still steal crypto.
