Bitcoin Forum
Author Topic: Risk attached with approve transaction on DAPP and DEX like uniswap  (Read 201 times)
boss1dg (OP)
Member
**
Offline Offline

Activity: 350
Merit: 10


View Profile
October 12, 2020, 11:58:04 AM
 #1

On Uniswap, as you all know, we need to approve tokens first, and only then can we swap them. This also means the Uniswap smart contract can call that token anytime from our wallet; however, it is not centralized and the code is public, so we trust it. But what if tomorrow some bug is found and someone exploits it to call those tokens from our address? Because at the time of approval we normally approve an unlimited quantity of that token for repeated trades. Recently I had to change my approval and set it to 0 through the Uniswap contract just because of such a thing I heard.

What is your opinion? Should we truly approve an infinite number of tokens for trade, or only the amount we are going to swap?

Reference -

"When approving your tokens for the first time on a DApp, many exchanges automatically approve a nearly infinite amount of tokens so that you only have to approve once. This can be convenient and reduce the amount of funds that you spend on transaction costs. However, having a nearly infinite number of tokens approved means all of that token in your wallet is available to be transferred by the smartcontract."

"if there is a bug in the smartcontract that results in unauthorized transference, then your wallet would be in considerable risk of being completely wiped out. By approving more tokens than you will ever have in your wallet, you are sacrificing security for convenience."

https://medium.com/ethex-market/erc20-approve-allow-explained-88d6de921ce9


Lorokan
Member
**
Offline Offline

Activity: 421
Merit: 47


View Profile
October 12, 2020, 12:16:27 PM
 #2

I think it doesn't matter which decentralized exchange you used; be it forkdelta, etherdelta, uniswap or idex. You should not have any reasons to be a risk if you understand the whole process. Firstly; if you are a newbie using dex, you must use metamask and ethgasstation very well. Metamask to ensure that you are able to choose the most adequate transaction fees, and ethgasstation to ensure you use the fastest gwei at that moment.

Still, you need to ensure you have enough Ethereum in your wallet to cover the transactions. Always do your own research and always practice; because practice makes perfect.
djmixen
Member
**
Offline Offline

Activity: 518
Merit: 11


View Profile
October 12, 2020, 12:16:50 PM
 #3

Quote from: boss1dg
On Uniswap, as you all know, we need to approve tokens first, and only then can we swap them. This also means the Uniswap smart contract can call that token anytime from our wallet; however, it is not centralized and the code is public, so we trust it. But what if tomorrow some bug is found and someone exploits it to call those tokens from our address? Because at the time of approval we normally approve an unlimited quantity of that token for repeated trades. Recently I had to change my approval and set it to 0 through the Uniswap contract just because of such a thing I heard.

What is your opinion? Should we truly approve an infinite number of tokens for trade, or only the amount we are going to swap?

Reference -

"When approving your tokens for the first time on a DApp, many exchanges automatically approve a nearly infinite amount of tokens so that you only have to approve once. This can be convenient and reduce the amount of funds that you spend on transaction costs. However, having a nearly infinite number of tokens approved means all of that token in your wallet is available to be transferred by the smartcontract."

"if there is a bug in the smartcontract that results in unauthorized transference, then your wallet would be in considerable risk of being completely wiped out. By approving more tokens than you will ever have in your wallet, you are sacrificing security for convenience."

https://medium.com/ethex-market/erc20-approve-allow-explained-88d6de921ce9



In your question for sure, many of the members here now are praying not to happen that case like what you had stated here on this topic.
Even that happens we do nothing about it, and the things we can do is to wait and see. This is the real thing or real talk.  
boss1dg (OP)
Member
**
Offline Offline

Activity: 350
Merit: 10


View Profile
October 12, 2020, 12:23:52 PM
 #4

Quote from: Lorokan
I think it doesn't matter which decentralized exchange you used; be it forkdelta, etherdelta, uniswap or idex. You should not have any reasons to be a risk if you understand the whole process. Firstly; if you are a newbie using dex, you must use metamask and ethgasstation very well. Metamask to ensure that you are able to choose the most adequate transaction fees, and ethgasstation to ensure you use the fastest gwei at that moment.

Still, you need to ensure you have enough Ethereum in your wallet to cover the transactions. Always do your own research and always practice; because practice makes perfect.



Well my question is not related to gas fee or gas limit or security of ether wallet. You did not even understand my query, it is related to approval transaction on dapp for any erc20 tokens. Whether you use metamask or any other wallet even ledger, sending approval txn is must for swapping tokens.

btc_angela
Hero Member
*****
Offline Offline

Activity: 2646
Merit: 549



View Profile
October 12, 2020, 12:49:07 PM
 #5

I agree with the blog posts, and we have seen this already and the only way to prevent this is at least some third party to review the code itself, before it will finally release as there could be exploits and bugs in the Dapps that the developers themselves didn't find despite testing it on their end. So we need to be very careful, especially since there are a lot of Uniswap smart contracts popping up.

Anarchy101
Legendary
*
Offline Offline

Activity: 1316
Merit: 1004


View Profile
October 13, 2020, 05:58:36 AM
 #6

The question is will some hacker in the future be able to call for a swap without the private keys of the victim? Because AFAIK unless there's a metamask of our account attached we won't be able to call up for a trade.

Am I wrong?
akram143
Full Member
***
Offline Offline

Activity: 1106
Merit: 166




View Profile
October 13, 2020, 06:55:33 AM
 #7

Always make sure you approve the limited supply which needs to be changed from the default option which is unlimited. Yes there can be bugs but for now there is nothing so people are not having any issues until they face some.

leea-1334
Hero Member
*****
Offline Offline

Activity: 2282
Merit: 953


Temporary forum vacation


View Profile
October 13, 2020, 07:53:27 AM
 #8

You are right of course and this is the risk of using a smart contract that you do not understand. Which is why I do not use all these swap coins, and even after a smart contract audit (which you also have to trust is legit by the way), if you do not understand all the functions yourself, you should not use it with all your funds.

Novatech8
Member
**
Offline Offline

Activity: 700
Merit: 27



View Profile
October 13, 2020, 07:59:01 AM
 #9

Quote from: boss1dg
On Uniswap, as you all know, we need to approve tokens first, and only then can we swap them. This also means the Uniswap smart contract can call that token anytime from our wallet; however, it is not centralized and the code is public, so we trust it. But what if tomorrow some bug is found and someone exploits it to call those tokens from our address? Because at the time of approval we normally approve an unlimited quantity of that token for repeated trades. Recently I had to change my approval and set it to 0 through the Uniswap contract just because of such a thing I heard.

What is your opinion? Should we truly approve an infinite number of tokens for trade, or only the amount we are going to swap?

Reference -

"When approving your tokens for the first time on a DApp, many exchanges automatically approve a nearly infinite amount of tokens so that you only have to approve once. This can be convenient and reduce the amount of funds that you spend on transaction costs. However, having a nearly infinite number of tokens approved means all of that token in your wallet is available to be transferred by the smartcontract."

"if there is a bug in the smartcontract that results in unauthorized transference, then your wallet would be in considerable risk of being completely wiped out. By approving more tokens than you will ever have in your wallet, you are sacrificing security for convenience."

https://medium.com/ethex-market/erc20-approve-allow-explained-88d6de921ce9


Take it or leave it, DEXes have bugs too; there were a few DEX hacks in the past as far as I can tell, use Google to find answers and correct me if I'm wrong, but a DEX is way better than a centralized exchange in terms of privacy and security. What I don't get is the term decentralized in the crypto space: are all DEX exchanges not controlled by people? So how is this a definition of decentralization?

Princejebs
Member
**
Offline Offline

Activity: 560
Merit: 26


View Profile
October 13, 2020, 08:39:34 AM
 #10

Quote from: boss1dg
On Uniswap, as you all know, we need to approve tokens first, and only then can we swap them. This also means the Uniswap smart contract can call that token anytime from our wallet; however, it is not centralized and the code is public, so we trust it. But what if tomorrow some bug is found and someone exploits it to call those tokens from our address? Because at the time of approval we normally approve an unlimited quantity of that token for repeated trades. Recently I had to change my approval and set it to 0 through the Uniswap contract just because of such a thing I heard.

What is your opinion? Should we truly approve an infinite number of tokens for trade, or only the amount we are going to swap?

Reference -

"When approving your tokens for the first time on a DApp, many exchanges automatically approve a nearly infinite amount of tokens so that you only have to approve once. This can be convenient and reduce the amount of funds that you spend on transaction costs. However, having a nearly infinite number of tokens approved means all of that token in your wallet is available to be transferred by the smartcontract."

"if there is a bug in the smartcontract that results in unauthorized transference, then your wallet would be in considerable risk of being completely wiped out. By approving more tokens than you will ever have in your wallet, you are sacrificing security for convenience."

https://medium.com/ethex-market/erc20-approve-allow-explained-88d6de921ce9


The correlation between DApps, DEX and bug exploitation cannot be separated, including the centralized exchanges. This computer code is written by humans, hence it's prone to bugs and human errors; that's why these smart contracts are sometimes audited by third parties.
These audit companies try their best to go over the smart contract; however, hackers are smart and knowledgeable individuals who use their power the inverse way to exploit the masses / target individuals, and they always find a loophole in a working system.
Coming to UniSwap, there are terms and conditions associated with decentralized exchanges, which are of course riskier when interacting with their interface. If you don't feel safe, port back to a centralized exchange. Don't forget, CEX comes with risk as well.
casperBGD
Legendary
*
Offline Offline

Activity: 2156
Merit: 1151

Nil Satis Nisi Optimum


View Profile WWW
October 13, 2020, 08:45:20 AM
 #11

from my point of view, you should approve only what you are planning to spend in the liquidity pool, no more than that, or a little more, certainly not unlimited amount

other precaution is to use different wallet for liquidity pool and put only money that you plan to use in LP on this wallet, and withdraw all money from that wallet, after you remove it from liquidity pool, it is a very risky and uncertain market, and people should proceed with caution
Gibreil
Member
**
Offline Offline

Activity: 805
Merit: 26


View Profile WWW
October 13, 2020, 08:45:54 AM
 #12

In any forms of transaction or trading, there is always a risk. We have to remind that earning of money in passive income is not easy. We can lose or we can win depending upon on how we deal in risk. Uniswap is a good exchange which a lot of liquidity. However, I think it is not well regulated because there are many coins existed that pump and dump much. Now, it is upon the people who can use the market volatility. We can try to invest and risk our funds or just save it. But if you don`t risk you wouldn`t know how you will win.

Google+
Hero Member
*****
Offline Offline

Activity: 2464
Merit: 550




View Profile
October 13, 2020, 09:10:24 AM
 #13

Quote from: akram143
Always make sure you approve the limited supply which needs to be changed from the default option which is unlimited. Yes there can be bugs but for now there is nothing so people are not having any issues until they face some.
well, maybe someday someone will be affected by that bug but fortunately it's still safe, because indeed such exchange technology has a very high risk because it directly uses a wallet to access the exchange.

bartolo
Hero Member
*****
Offline Offline

Activity: 1176
Merit: 501


View Profile
October 13, 2020, 10:58:57 AM
 #14

Quote from: Anarchy101
The question is will some hacker in the future be able to call for a swap without the private keys of the victim? Because AFAIK unless there's a metamask of our account attached we won't be able to call up for a trade.

Am I wrong?

What happened weeks before and the reason why this topic was created, I guess, is that someone put a large amount of tokens in a new and unknown yield farming site and lost it all because the dev had introduced a backdoor in the code so he was able to claim those tokens even after the user withdrew them from the site. In theory, without that backdoor that was introduced in the first place in the smart contract, he couldn't have stolen those tokens. Anyway, I think there are tools out there to revoke access to your wallet.
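
Added example, not part of any post in this thread: one way to see which approvals on a wallet are still in force is to replay the token contracts' `Approval` events and keep the latest value per token and spender. The addresses, the simplified log shape (block numbers already decoded to integers) and the function names are constructed for illustration.

```python
# Added example: replay ERC-20 Approval events to list allowances still in force.
# Every address and log entry here is constructed; real entries would come from
# an eth_getLogs query filtered on the wallet address.

# keccak256("Approval(address,address,uint256)"): topic0 of every Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1

OWNER = "0x" + "aa" * 20      # constructed wallet
OTHER = "0x" + "dd" * 20      # constructed unrelated wallet
SPENDER_A = "0x" + "b1" * 20  # constructed DEX contract
SPENDER_B = "0x" + "b2" * 20  # constructed yield-farming contract
TOKEN_X = "0x" + "c1" * 20
TOKEN_Y = "0x" + "c2" * 20


def topic_for(address):
    """Left-pad a 20-byte address to the 32-byte form used in indexed topics."""
    return "0x" + address[2:].lower().rjust(64, "0")


def approval_log(token, block, owner, spender, value):
    """Build one constructed log entry in a simplified eth_getLogs shape."""
    return {"address": token, "blockNumber": block, "logIndex": 0,
            "topics": [APPROVAL_TOPIC, topic_for(owner), topic_for(spender)],
            "data": "0x" + format(value, "064x")}


SAMPLE_LOGS = [
    approval_log(TOKEN_X, 100, OWNER, SPENDER_A, UINT256_MAX),  # "infinite" approval
    approval_log(TOKEN_X, 110, OTHER, SPENDER_A, 5),            # someone else's wallet
    approval_log(TOKEN_Y, 120, OWNER, SPENDER_B, UINT256_MAX),
    approval_log(TOKEN_Y, 150, OWNER, SPENDER_B, 0),            # later set back to 0
    approval_log(TOKEN_X, 160, OWNER, SPENDER_B, 250),          # bounded approval
    # ERC-721 Approval shares topic0 but indexes the token id as a fourth topic.
    {"address": TOKEN_Y, "blockNumber": 170, "logIndex": 0, "data": "0x",
     "topics": [APPROVAL_TOPIC, topic_for(OWNER), topic_for(SPENDER_A),
                "0x" + "00" * 32]},
]


def outstanding_allowances(logs, owner):
    """Return {(token, spender): value} for the owner's non-zero approvals."""
    latest = {}
    for log in sorted(logs, key=lambda e: (e["blockNumber"], e["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        if "0x" + topics[1][-40:].lower() != owner.lower():
            continue  # approval given by a different wallet
        spender = "0x" + topics[2][-40:].lower()
        # A later approve() overwrites the earlier one, so the last event wins.
        latest[(log["address"].lower(), spender)] = int(log["data"], 16)
    return {key: value for key, value in latest.items() if value > 0}


def unlimited(allowances, threshold=2**255):
    """Approvals so large that they amount to 'everything in the wallet'."""
    return sorted(key for key, value in allowances.items() if value >= threshold)


if __name__ == "__main__":
    found = outstanding_allowances(SAMPLE_LOGS, OWNER)
    for (token, spender), value in sorted(found.items()):
        label = "UNLIMITED" if (token, spender) in unlimited(found) else str(value)
        print(f"token {token} -> spender {spender}: {label}")
```

An `Approval` event records the value that was set, not what remains after later `transferFrom` calls, so treat the result as an upper bound and confirm it with the token's `allowance(owner, spender)` view.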
Anarchy101
Legendary
*
Offline Offline

Activity: 1316
Merit: 1004


View Profile
October 14, 2020, 05:22:28 AM
 #15

Quote from: Anarchy101
The question is will some hacker in the future be able to call for a swap without the private keys of the victim? Because AFAIK unless there's a metamask of our account attached we won't be able to call up for a trade.

Am I wrong?

Quote from: bartolo
What happened weeks before and the reason why this topic was created, I guess, is that someone put a large amount of tokens in a new and unknown yield farming site and lost it all because the dev had introduced a backdoor in the code so he was able to claim those tokens even after the user withdrew them from the site. In theory, without that backdoor that was introduced in the first place in the smart contract, he couldn't have stolen those tokens. Anyway, I think there are tools out there to revoke access to your wallet.

Whoa!! this is the first time I am hearing something about that, a backdoor to drain users fund? Mind if I ask which project are you talking about?

It's because of a situation like this we should never trust an unaudited contract.
Ucy
Sr. Member
****
Offline Offline

Activity: 2576
Merit: 402


View Profile
October 14, 2020, 09:58:53 AM
 #16

Interesting. Sounds risky.

Quote
Which also means uniswap smart contract can call that token anytime from our wallet however it is not centralized and codes are public so we trust it.
Things could even be changed in new software without users realizing.

I guess the unlimited is mainly for regular traders on exchanges with the feature. I would probably choose "approve" if I don't trade regularly... or use "unlimited/limited" as regular trader, but with feature to have a limit or minimum amount that can be withdrawn from my wallet at a particular time, and get alerted for anything higher than the minimum or when the limit is crossed. I could then approve it manually. The minimum could be in fiat value due to differences in tokens/coins prices.
boss1dg (OP)
Member
**
Offline Offline

Activity: 350
Merit: 10


View Profile
October 15, 2020, 10:31:23 AM
 #17

Our wallet address needs to be connected to the exchange in order to make transactions and that requires our approval, I don't think you need to worry too much because our wallets are not always automatically connected

When you do trade on uniswap it sends 2 txn, 1 for approval and another for swap EXCEPT if we swap ether because ether need not approval thus it is safe as it need one txn only. Metamask connected or disconnected, it has no role after sending approval txn.


Quote from: Anarchy101
The question is will some hacker in the future be able to call for a swap without the private keys of the victim? Because AFAIK unless there's a metamask of our account attached we won't be able to call up for a trade.

Am I wrong?


Private keys give access to the wallet for doing txn, but in this case you already approved the Uniswap contract to withdraw USDT or any other tokens from your wallet, and that too an infinite number of that token. So once we approve it on any smart contract, that smart contract can use that much approved amount to withdraw. However, for a swap we need to make another transaction, but for withdrawal the approval txn is enough. Please read the article I shared.

boss1dg (OP)
Member
**
Offline Offline

Activity: 350
Merit: 10


View Profile
October 15, 2020, 10:38:28 AM
 #18

Quote from: casperBGD
from my point of view, you should approve only what you are planning to spend in the liquidity pool, no more than that, or a little more, certainly not unlimited amount

other precaution is to use different wallet for liquidity pool and put only money that you plan to use in LP on this wallet, and withdraw all money from that wallet, after you remove it from liquidity pool, it is a very risky and uncertain market, and people should proceed with caution

Yes, that option I have already mentioned in my post. But Uniswap approves an infinite number of tokens; we do not have the option to enter it manually. You need to do it through the smart contract on Etherscan, which is risky and complicated for most people as the process needs knowledge.

Also, I am looking for any other option we have. Is there any way to swap without approval, like etherdelta? Why does it need approval, can't they have an option to swap without approval?

Uniswap might be safe but this trend is risky, as we need to trust the smart contract every time we approve our tokens for any other contract.

Let's see in V3; hope such issues will be taken care of.

boss1dg (OP)
Member
**
Offline Offline

Activity: 350
Merit: 10


View Profile
October 21, 2020, 01:40:31 PM
 #19

Our wallet address needs to be connected to the exchange in order to make transactions and that requires our approval, I don't think you need to worry too much because our wallets are not always automatically connected

When you do trade on uniswap it sends 2 txn, 1 for approval and another for swap EXCEPT if we swap ether because ether need not approval thus it is safe as it need one txn only. Metamask connected or disconnected, it has no role after sending approval txn.

yes you say, but it needs to be emphasized that the agreement is not a swap agreement, not a transfer agreement at will without us agreeing to it, it still needs a second agreement to be done, and when we close the browser, the connection will automatically be lost?

You are right it is not swap txn where we chose what we need in return in exchange of usdt.
But it is withdrawal approval txn where we allow that address to withdraw that much token from our wallet. What we assume is it execute only if we send swap txn but no. Approval itself means that contract can withdraw that much usdt. In normal case we allow it via 2nd txn but in case of bug or hack, hacker would not send tokens in return, they just withdraw usdt. read article.
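
Added example, not part of any post in this thread: a small in-memory model of the ERC-20 `approve` / `transferFrom` bookkeeping that the posts above discuss, comparing what stays at risk after one swap under an unlimited approval, an exact approval, and an approval later set back to 0. The account names, amounts and the `exposure_after_swap` helper are constructed for illustration.

```python
# Added example: in-memory model of ERC-20 approve/transferFrom bookkeeping.
# Account names and amounts are constructed for illustration.

UINT256_MAX = 2**256 - 1  # the "infinite" value front ends commonly request


class Token:
    def __init__(self):
        self.balances = {}
        self.allowances = {}  # (owner, spender) -> amount spender may still pull

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def approve(self, owner, spender, amount):
        # The only step signed with the owner's key. It stays in force until
        # the owner overwrites it, whether or not a wallet is connected.
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        # Executed by the spender contract; no owner signature is involved.
        allowed = self.allowances.get((owner, caller), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            return False
        self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True

    def exposure(self, owner, spender):
        """Most tokens `spender` could move out of `owner` right now."""
        return min(self.balances.get(owner, 0),
                   self.allowances.get((owner, spender), 0))


def exposure_after_swap(approved, swap=100, balance=1000, later_deposit=500,
                        revoke=False):
    """Approve, do one swap, receive more tokens later, report what is at risk."""
    token = Token()
    token.mint("user", balance)
    token.approve("user", "dex", approved)
    if not token.transfer_from("dex", "user", "pool", swap):  # the swap's pull
        raise ValueError("approval or balance too small for the swap")
    token.mint("user", later_deposit)  # tokens that arrive after the approval
    if revoke:
        token.approve("user", "dex", 0)  # approval set back to 0, as in post #1
    return token.exposure("user", "dex")


if __name__ == "__main__":
    print("unlimited approval:", exposure_after_swap(UINT256_MAX))
    print("exact approval:    ", exposure_after_swap(100))
    print("unlimited + revoke:", exposure_after_swap(UINT256_MAX, revoke=True))
```

With the unlimited approval the spender contract can still move the whole balance, including tokens received after the approval was signed; the exact approval and the reset to 0 both leave nothing for it to pull.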

yangongear
Full Member
***
Offline Offline

Activity: 447
Merit: 100



View Profile WWW
October 21, 2020, 03:08:11 PM
 #20

This scam is appearing recently with the Defi hype trend. So I only trust some DEX exchanges like Uniswap, and always have to double-check what that contract requires before signing the confirmation.