NFT Security ยท Token Approvals ยท Smart Contracts

setApprovalForAll: The NFT Permission That Can Empty Your Entire Wallet

You click "List NFT for sale." MetaMask pops up with an approval request. You hit confirm. The sale goes through fine โ€” but so does the hidden permission you just granted. Here's what that signature actually means.

Most NFT collectors have signed dozens of these without thinking about it. The MetaMask prompt says "Set Approval For All" in small text, you hit Confirm because you want to list your NFT, and the process works. But the permission you've granted goes far beyond that one listing.

If the contract address you approved is malicious โ€” either because you were on a fake marketplace site, or because a legitimate site's front-end was compromised โ€” the operator can transfer every NFT you own in that collection at any time, without any further input from you.

What setApprovalForAll actually does

It's a function in the ERC-721 and ERC-1155 token standards. When you call it, you're telling the smart contract: "I authorize this address to transfer any token I own in this collection, on my behalf, without needing my signature each time."

That's the design. OpenSea's Seaport contract (0x00000000000000ADc04C56Bf30aC9d3c0aAF14dC) needs this permission so that when someone buys your NFT, OpenSea can transfer it to the buyer without you having to sign another transaction at the moment of sale. It's a legitimate UX requirement.

The approval is permanent until you revoke it. It doesn't expire when the sale completes. It doesn't expire when you stop using the marketplace. It stays active indefinitely.

When it becomes a drain

Fake NFT minting sites are the most common trap. A project announces a mint through Discord. You click a link. The site looks real โ€” same fonts, same collection art, same "Connect Wallet" button. When you try to mint, MetaMask asks you to sign setApprovalForAll.

The operator address in that approval isn't OpenSea. It's a contract the scammer controls. The moment you sign, they can sweep every NFT in your connected collection. The attack usually executes within seconds.

Compromised Discord servers and Twitter accounts belonging to real projects have been used to push these links. The announcement looks official because it comes from the project's real account โ€” which someone just hacked.

How to read the approval request before signing

When MetaMask shows a setApprovalForAll request, expand the details. The critical field is the operator address โ€” the contract you're granting permission to. Compare it against the known contract for whichever marketplace you believe you're on:

  • โ€ขOpenSea (Seaport): 0x00000000000000ADc04C56Bf30aC9d3c0aAF14dC
  • โ€ขBlur: 0x00000000000111AbE46ff893f3B2fdF1F759a8A8
  • โ€ขLooksRare: 0x59728544B08AB483533076417FbBB2fD0B17CE3C
  • โ€ขX2Y2: 0xF849de01B080aDC3A814022dE1480a72d0d7F0dB

If the operator address doesn't match one of these known contracts, reject the transaction and close the tab immediately.

Checking and revoking existing approvals

Go to revoke.cash, connect your wallet, and click the NFT tab. You'll see every setApprovalForAll approval you've ever signed โ€” the collection, the operator address, and when you approved it.

Revoke anything from a contract you don't recognize, or from a marketplace you no longer use. Each revocation costs a small amount of gas but removes a standing permission from your wallet permanently.

More on managing approvals in our guide to revoking token approvals. For the NFT phishing angle specifically, see NFT phishing on OpenSea.

Frequently asked questions

Is setApprovalForAll always dangerous?

No โ€” every major NFT marketplace uses it legitimately. The risk is signing it for an unknown or malicious operator address, not the function itself.

How do I revoke a setApprovalForAll?

Connect your wallet at revoke.cash, go to the NFT approvals tab, and click Revoke next to any approval you no longer need. It costs a small amount of gas.

Can GuardianAI warn me before I sign setApprovalForAll?

Yes. GuardianAI identifies this transaction type and shows you what permission you're granting and to which contract โ€” in plain English โ€” before you confirm.

Know what you're signing before you sign it

GuardianAI reads every approval request โ€” including setApprovalForAll โ€” and tells you in plain English what permission you're granting and to which contract address. Free Chrome extension.

Get GuardianAI โ€” It's Free