MetaMask Token Approvals: What You're Actually Agreeing To
Most people click Approve without reading it. Here's what's really happening โ and why it matters more than you think.
You're trying to swap some USDC on Uniswap. Before the actual trade, MetaMask pops up asking you to "Approve USDC." You click Approve because that's just what you do. The swap goes through. No problem.
What you probably didn't notice is that you just gave Uniswap's smart contract permission to spend all of your USDC โ an unlimited amount โ forever. Until you manually revoke it.
That's how token approvals work. And it's one of the biggest sources of crypto losses that nobody talks about.
Why approvals exist in the first place
On Ethereum and other EVM chains, smart contracts can't just reach into your wallet and take tokens. They need your explicit permission first. That permission is called an "approval" or "allowance."
When you trade on a DEX like Uniswap, Curve, or 1inch, the protocol needs to pull tokens from your wallet during the swap. So before the first trade, you sign an approval transaction to grant that access. It's a necessary part of how DeFi works.
The problem isn't the approval itself. The problem is the default amount: usually the maximum possible number. Developers set it that way to avoid you having to re-approve every single time. Convenient, but risky.
What "unlimited approval" actually means for you
An unlimited approval doesn't mean the contract will immediately drain your wallet. It means it could โ if it wanted to, or if an attacker found a way to exploit it.
This has happened to real protocols. In 2022, the BadgerDAO hack drained roughly $120 million from users because attackers managed to create fraudulent token approvals. The users had approved legitimate-looking contracts โ they just didn't know those approvals could be turned against them.
For a well-audited protocol like Uniswap v3, an unlimited approval is a manageable risk most people are comfortable taking. For a random new DeFi protocol you found on Twitter? That's a very different calculation.
How to see which approvals you have active
Go to revoke.cash and connect your wallet. You'll see every token approval you've ever signed, sorted by protocol. Most people are surprised by how many there are โ approvals from protocols they used once, months ago, still sitting there with unlimited access.
Revoking an approval costs a small amount of gas (usually a dollar or less on Base or Polygon). It's worth doing a cleanup every few months, especially for protocols you no longer use.
Safer habits going forward
You don't have to be paranoid. But a few small habits make a real difference:
- โWhen you see an approval request, read it. Is it for a protocol you recognize? Is the amount unlimited?
- โIf you're using a new protocol for the first time, consider approving only the amount you need for that specific transaction.
- โRevoke approvals from protocols you no longer use. It takes five minutes and removes real risk.
- โIf a site you've never heard of is asking for a token approval, that's a red flag โ not a reason to click Approve faster.
Frequently asked questions
What does approving a token in MetaMask actually mean?
It gives a smart contract permission to move your tokens on your behalf. The dangerous part: most approvals are for unlimited amounts by default.
How do I revoke a token approval?
Go to revoke.cash, connect your wallet, and you'll see every active approval. Each revocation is a small on-chain transaction that costs a little gas.
Are unlimited token approvals safe?
For trusted, audited protocols โ manageable risk. For unknown contracts โ no. An unlimited approval means an attacker who exploits that contract can drain your entire token balance.
See exactly what you're approving before you click
TxnGuide reads every MetaMask approval request and explains it in plain English โ the contract name, what access it's requesting, and whether the amount is unlimited. Free Chrome extension.
Get TxnGuide โ It's Free