Wallet Security ยท Drainer Attacks ยท DeFi

What Is a Crypto Wallet Drainer and How Do They Work

Wallet drainers don't need your seed phrase or your password. They need one signature โ€” and they're engineered to get it.

You click a link in a Discord server. The site looks like the NFT mint you've been waiting for. You connect your wallet, click the mint button, and MetaMask pops up asking you to approve a transaction. It looks normal โ€” an approval, like the ones you've seen before. You click Confirm.

Within seconds, every token in your wallet is gone. You just used a wallet drainer โ€” a smart contract built specifically to empty wallets the moment it gets approval.

The mechanics: how a drainer actually drains

Token approvals are a legitimate part of DeFi โ€” you approve Uniswap to move your tokens during a swap, for example. Drainers exploit this same system.

The attack flow looks like this:

  • 1.You visit a phishing site โ€” a fake mint, a fake airdrop claim, a compromised project link
  • 2.The site asks you to connect your wallet โ€” standard behavior, not suspicious yet
  • 3.A transaction pops up requesting approval for a contract address you don't recognize
  • 4.The approval amount is set to the maximum possible โ€” all of your tokens, not just what the site needs
  • 5.Once you confirm, the drainer contract immediately calls transferFrom() to sweep your balance
  • 6.The transaction completes in the same block โ€” by the time you see it on Etherscan, it's done

The variants you need to know about

Basic ERC-20 drainers are the most common, but the ecosystem has expanded:

  • โ€ขNFT drainers โ€” use setApprovalForAll to take your entire NFT collection in one transaction, then sell or move it
  • โ€ขPermit signature drainers โ€” exploit EIP-2612's off-chain signing to get approval without an on-chain transaction first. You sign what looks like a harmless message, not a transaction
  • โ€ขSeaport order drainers โ€” craft a valid OpenSea-compatible order that trades your valuable NFTs for nothing
  • โ€ขMulti-token drainers โ€” scan your wallet first, then construct a single transaction that drains all approved tokens at once

What the transaction looks like before you sign

The warning signs are in the approval details โ€” but only if you look:

  • โ€ขThe spender address is a contract you've never interacted with before
  • โ€ขThe approved amount is set to the maximum uint256 value (looks like a huge number)
  • โ€ขThe transaction has no apparent purpose โ€” you're "approving" without a corresponding action
  • โ€ขPaste the spender address into Etherscan โ€” drainer contracts often have no verified source code and show multiple victim wallets in their transaction history

What actually prevents drainer attacks

  • โœ“Read every approval before signing โ€” the spender address, the amount, and whether you know what this contract does
  • โœ“Never click links in Discord, Twitter DMs, or Telegram to reach a site you want to transact on โ€” type the URL directly
  • โœ“Check that the site URL matches exactly what you expect โ€” one character off is a phishing site
  • โœ“Approve limited amounts instead of unlimited when protocols allow it
  • โœ“Maintain a separate "hot" wallet for DeFi with only what you're actively using โ€” not your main holdings

Frequently asked questions

How does a wallet drainer work?

It gets you to sign an approval for a malicious contract, then immediately uses that approval to sweep your tokens. The entire drain happens in one block โ€” no second chance to stop it.

Can a wallet drainer steal ETH directly?

Not through approvals โ€” those only work on tokens. To steal ETH, drainers need you to sign a transaction that sends it, or they use Permit2 signatures with ETH sweeping. Native ETH requires a different attack path.

What should I do if my wallet was drained?

Immediately revoke all approvals from a clean device, move any remaining funds to a new wallet, and don't reuse the compromised address. The drainer contract still has approval until you revoke it.

Read approvals before you sign them

GuardianAI intercepts every MetaMask approval and explains in plain English who's asking, what they're getting access to, and whether the amount looks suspicious. Free Chrome extension.

Get GuardianAI โ€” It's Free