The drain that needs no exploit

Most wallets aren’t emptied by some exotic smart-contract hack. They’re emptied because the owner signed a permission — usually on a convincing phishing site — and a drainer used that permission to move the tokens out minutes later. No private key stolen, no zero-day. Just an approval the victim granted and forgot. This is the single most common way ordinary holders lose funds, and the defense is boring, free, and entirely in your control.

This pairs with our defense checklist and the incidents in our Crypto Hack Tracker.

What a token approval actually is

To let a dApp (a DEX, a lending protocol, an NFT marketplace) move your ERC-20 tokens, you grant it an allowance — an on-chain permission to spend up to some amount of a specific token from your wallet. That’s normal and necessary; it’s how DeFi works.

The trap is the “unlimited” (infinite) approval. To save you from re-approving on every trade, most dApps request permission to spend as many tokens as you hold — now and forever. Convenient, and also a standing key to your tokens that never expires. If the contract you approved is malicious, or is later compromised, or you signed it on a phishing clone, that allowance is all an attacker needs.

Why old approvals are a liability

Approvals don’t disappear when you stop using a dApp or disconnect your wallet — disconnecting is not revoking. The allowance sits on-chain indefinitely. Over a year of DeFi use, a typical wallet accumulates dozens of live approvals, many of them unlimited, to contracts the owner barely remembers. Each one is attack surface. The fix is to treat approvals like passwords: review them, and revoke the ones you don’t need.

How to check and revoke

  • Revoke.cash is the most-used tool, covering 100+ networks. Enter your address (or connect your wallet), and it lists every active approval. Sort newest-to-oldest if you suspect you just signed something malicious, and pay special attention to anything marked unlimited. Revoking sends an on-chain transaction (you’ll pay a small gas fee in the network’s native token) that sets the allowance back to zero.
  • Etherscan’s Token Approval Checker (and the equivalent on other explorers) does the same from the block explorer side.
  • MetaMask and other modern wallets now show your active allowances and let you revoke them natively.

One critical caution: phishing clones of Revoke.cash exist. Bookmark the real site and use the bookmark — never reach a “revoke” tool through a search ad or a link someone DMs you.
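To make the mechanics above concrete, here is an added example (not code from the article, Revoke.cash, or Etherscan) that does offline what those tools do against a node: it reconstructs the live allowance table for one wallet from ERC-20 Approval event logs, flags the unlimited ones, and builds the approve(spender, 0) calldata a revoke transaction carries. The event topic and function selector are the standard ERC-20 values; the addresses, block numbers and log contents are constructed sample data, and the "unlimited" threshold is an assumption of this script.

```python
"""Reconstruct live ERC-20 allowances from Approval logs and build revoke calldata.

Added example, not from the original article. All logs below are constructed.
"""
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"): standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# First 4 bytes of keccak256("approve(address,uint256)"): standard ERC-20 selector
APPROVE_SELECTOR = "0x095ea7b3"
MAX_UINT256 = 2**256 - 1            # the value wallets display as "unlimited"
UNLIMITED_THRESHOLD = 2**255        # assumption: anything this large is unlimited in practice


@dataclass(frozen=True)
class ApprovalLog:
    block: int
    token: str      # emitting token contract
    topics: tuple   # (event signature, owner as 32-byte word, spender as 32-byte word)
    data: str       # new allowance as a 32-byte word


def pad_address(addr: str) -> str:
    """Left-pad a 20-byte address to a 32-byte ABI word (no 0x prefix)."""
    return addr.lower().removeprefix("0x").rjust(64, "0")


def pad_uint(n: int) -> str:
    """Encode an unsigned integer as a 32-byte ABI word (no 0x prefix)."""
    if not 0 <= n <= MAX_UINT256:
        raise ValueError("value does not fit in uint256")
    return f"{n:064x}"


def word_to_address(word: str) -> str:
    return "0x" + word.removeprefix("0x")[-40:].lower()


def word_to_uint(word: str) -> int:
    return int(word.removeprefix("0x"), 16)


def live_allowances(logs, owner: str) -> dict:
    """Latest Approval per (token, spender) for this owner.

    Approval carries the *new* allowance, so the newest event per pair wins.
    Returns {(token, spender): (amount, block)}.
    """
    latest = {}
    for log in sorted(logs, key=lambda entry: entry.block):
        if log.topics[0].lower() != APPROVAL_TOPIC:
            continue                                   # not an Approval event
        if word_to_address(log.topics[1]) != owner.lower():
            continue                                   # someone else's wallet
        key = (log.token.lower(), word_to_address(log.topics[2]))
        latest[key] = (word_to_uint(log.data), log.block)
    return latest


def classify(amount: int) -> str:
    if amount == 0:
        return "none"
    return "unlimited" if amount >= UNLIMITED_THRESHOLD else "limited"


def approve_calldata(spender: str, amount: int) -> str:
    """Calldata for approve(spender, amount); amount 0 is a revoke."""
    return APPROVE_SELECTOR + pad_address(spender) + pad_uint(amount)


def revoke_plan(allowances: dict) -> list:
    """Every non-zero allowance, newest first, with its revoke calldata."""
    live = [(tok, sp, amt, blk) for (tok, sp), (amt, blk) in allowances.items() if amt > 0]
    live.sort(key=lambda row: row[3], reverse=True)    # newest-to-oldest, as the article suggests
    return [{"token": tok, "spender": sp, "kind": classify(amt), "block": blk,
             "calldata": approve_calldata(sp, 0)} for tok, sp, amt, blk in live]


# ---- constructed sample data (not real addresses or chain history) ----
OWNER, OTHER_OWNER = "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "55" * 20
ROUTER, DRAINER, LIMITED = "0x" + "22" * 20, "0x" + "33" * 20, "0x" + "44" * 20


def make_log(block, token, owner, spender, amount) -> ApprovalLog:
    return ApprovalLog(block, token, (APPROVAL_TOPIC, "0x" + pad_address(owner),
                                     "0x" + pad_address(spender)), "0x" + pad_uint(amount))


def sample_logs() -> list:
    return [
        make_log(100, TOKEN_A, OWNER, ROUTER, MAX_UINT256),      # unlimited DEX approval
        make_log(120, TOKEN_A, OWNER, LIMITED, 1000 * 10**6),    # bounded approval
        make_log(130, TOKEN_A, OWNER, LIMITED, 0),               # later revoked
        make_log(140, TOKEN_A, OTHER_OWNER, ROUTER, MAX_UINT256),  # another wallet, ignored
        make_log(150, TOKEN_B, OWNER, DRAINER, MAX_UINT256),     # signed on a phishing clone
    ]


if __name__ == "__main__":
    for row in revoke_plan(live_allowances(sample_logs(), OWNER)):
        print(row["kind"], row["token"], row["spender"], row["calldata"][:10], "...")
```

Two caveats a practitioner should keep in mind. First, Approval logs are an upper bound: some token contracts decrement the allowance on transferFrom without emitting a fresh Approval, so the authoritative number is the contract's allowance(owner, spender) view call, which is what the revoke tools ultimately rely on. Second, approve_calldata with a bounded amount is exactly the "limited approval" the habits section recommends; the only difference between a revoke, a limited approval and an unlimited one is the last 32 bytes of that calldata.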

If you think you’re already compromised

Move fast — the window is short:

  1. Disconnect your wallet from all dApps.
  2. Revoke every approval via Revoke.cash or the Etherscan checker, prioritizing unlimited ones.
  3. Move remaining funds to a fresh wallet (a brand-new seed phrase the attacker has never seen).

Be clear-eyed about the limit: revoking does not recover already-stolen funds and does not reverse transactions. It stops further draining and closes the door. For where stolen funds go next, see How Stolen Crypto Gets Traced.

Habits that keep you safe

  • Prefer limited approvals over unlimited when a wallet offers the choice — approve only what the transaction needs.
  • Revoke periodically. A monthly sweep of Revoke.cash clears the junk you’ve accumulated.
  • Use a separate “hot” wallet for dApp interactions, holding only what you’re actively using; keep savings in a hardware wallet that never touches random dApps.
  • Verify every signature request. If a site asks you to approve a token you’re not trading, or requests an allowance that doesn’t match what you’re doing, stop.
  • Bookmark the tools you trust. Most drains start with a lookalike URL.

The uncomfortable truth is that the most expensive mistakes in crypto are usually a single careless click on “Approve.” The good news is the antidote costs a few minutes and a little gas.

Informational only — not financial or security advice.