Almost every DeFi action asks you to approve a contract to move your tokens. Get one wrong
and a single signature can hand your whole balance to a draining contract. Here’s the real
risk, and how to check the thing you’re trusting before you sign.
§01 · the risk
Unlimited approval is an open door.
An approval lets a spender contract move your tokens. An unlimited approval lets it move all of them, at any time, until you revoke it — it’s the only barrier between a malicious or compromised contract and your full balance of that token. Convenient, but it’s standing risk that outlives the transaction you signed it for.
§02 · what goes wrong
Malicious, upgradeable, or compromised.
Three ways an approval bites: the spender is malicious from the start; it’s an upgradeable proxy that looked fine when you approved it but whose code an admin swaps for something that drains you; or a legitimate contract’s keys get compromised. The proxy case is the sneaky one — the contract you audited isn’t necessarily the contract that runs tomorrow.
§03 · check first
Profile the contract before you sign.
Before approving an unfamiliar spender, check what it is: an on-chain profile tells you whether it’s an upgradeable proxy (its behaviour can change), whether ownership is still active, and whether it’s a real token or an arbitrary contract. true402’s address-safety check reads this for any Base address in one call.
address-safety check
# Profile any Base address/contract before you approve or send to it. ~$0.005 USDC, no account.
curl -s -X POST https://true402.dev/api/v1/base/address-safety \
  -H 'content-type: application/json' \
  -d '{"address":"0x<spender-or-contract>"}'
# { "type": "contract",
#   "contract": { "isProxy": true, "proxyStandard": "eip1967", "ownership": "active" },
#   "risk": "medium", "flags": ["upgradeable_proxy", "owner_not_renounced"] }
§04 · habits
Approve narrow, revoke often.
Approve the exact amount you need, not unlimited — more prompts, far less risk.
Revoke approvals for dapps you’re done with (an approvals checker lists them).
Be wary of upgradeable spenders — re-check them, since their code can change.
Use a separate wallet for sketchy or first-time interactions.
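As an added example (not true402's code), here is a Python check that applies §03 and §04 to an approve request before you sign it: it decodes the ERC-20 approve(address,uint256) calldata, compares the requested amount with what you actually intended, and combines that with the flags from a profile shaped like the response above. The spender address and the profile JSON are constructed sample data.

```python
# Added example, not true402's code: decode an ERC-20 approve() request and apply the
# rules above (narrow amount, contract spender, beware upgradeable proxies) before signing.
from typing import Optional
APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = (1 << 256) - 1    # the "unlimited" amount most dapps ask for

# Constructed sample data: a made-up spender and a profile shaped like the response above.
SAMPLE_SPENDER = "0x1111111111111111111111111111111111111111"
SAMPLE_PROFILE = {"type": "contract", "risk": "medium",
                  "contract": {"isProxy": True, "proxyStandard": "eip1967", "ownership": "active"},
                  "flags": ["upgradeable_proxy", "owner_not_renounced"]}

def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount): selector, left-padded address, uint256."""
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40 or not 0 <= amount <= UINT256_MAX:
        raise ValueError("bad spender or amount")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + format(amount, "064x")

def decode_approve(calldata: str) -> Optional[tuple]:
    """Return (spender, amount) for approve() calldata, None for anything else."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    word = data[8:72]
    if word[:24] != "0" * 24:   # an address occupies the low 20 bytes of its 32-byte word
        return None
    return "0x" + word[24:], int(data[72:], 16)

def approval_verdict(calldata: str, intended: int, profile: dict) -> list:
    """Reasons to stop and re-check before signing; empty means the request matches intent."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return ["not an approve(address,uint256) call"]
    spender, amount = decoded
    reasons = []
    if amount == UINT256_MAX:
        reasons.append("unlimited approval: standing risk until revoked")
    elif amount > intended:
        reasons.append(f"amount {amount} exceeds intended {intended}")
    if profile.get("type") != "contract":
        reasons.append(f"spender {spender} is not a contract")
    flags = set(profile.get("flags", []))
    if "upgradeable_proxy" in flags:
        reasons.append("spender is an upgradeable proxy: its code can change after you approve")
    if "owner_not_renounced" in flags:
        reasons.append("spender ownership is active: re-check it before re-using the approval")
    return reasons

if __name__ == "__main__":
    unlimited = encode_approve(SAMPLE_SPENDER, UINT256_MAX)
    print(approval_verdict(unlimited, 1_000_000, SAMPLE_PROFILE))
    print(approval_verdict(encode_approve(SAMPLE_SPENDER, 1_000_000), 1_000_000, SAMPLE_PROFILE))
```

An empty list means the request is for exactly the amount you intended and the profile raised no flags; anything else is a reason to re-check, not an automatic rejection.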
§05 · for agents
Check before you send or approve.
An agent moving funds should profile a counterparty address before sending to it or approving it — the same address-safety call, pay-per-call over x402, no key. Pair it with the token rug-check for trades.
§06 · questions
Answered for machines.
Are unlimited token approvals safe?
No — an unlimited approval is the one thing standing between a malicious or hacked contract and your entire balance of that token. When you approve a spender for an unlimited amount, it can move all of that token from your wallet at any time, forever, until you revoke it. If that contract is malicious, or is upgradeable and gets changed later, or its keys are compromised, your funds can be drained without another signature from you. Approve only the amount you need, and revoke approvals you no longer use.
How do I check if a contract is safe to approve or interact with?
Profile the contract before you sign. The things that matter: is it an upgradeable proxy (its code — and behaviour — can be swapped by an admin after you trust it), is ownership still active, and is it the contract you actually think it is rather than a look-alike. true402’s address-safety check reads all of this on-chain for any Base address in one call: EOA-vs-contract, balances and activity, ownership, and EIP-1967 / legacy / UUPS / beacon proxy detection, with a coarse risk band. ~$0.005 USDC, no account.
Why do I have to approve a token so many times?
Each spender (a specific DEX router, a specific dapp contract) needs its own approval, and many wallets request a fresh approval per interaction when you approve only the exact amount rather than unlimited. That is the safer pattern: more prompts, far less standing risk. The alternative — one unlimited approval — is convenient but leaves a permanent open door to that contract.
How do I revoke a token approval?
Use a token-approvals checker for your wallet to see every active allowance, then revoke the ones you do not need (revoking is an on-chain transaction that sets the allowance back to zero). Make it a habit after using a new dapp. Revoking does not recover funds already taken, but it closes the door on any future draw from a spender you no longer trust.