Most wallet drains we investigate share a single root cause: the user signed a token approval to a malicious contract, and the attacker drained the assets weeks later.
This pattern has a name, approval phishing, and it is responsible for a large share of the value lost to crypto scams every year. The good news is that it is preventable, and the prevention does not require new technology. It requires the same discipline that made password managers normal.
How the attack works
ERC-20 tokens on EVM chains expose a function called approve() (ERC-721 and ERC-1155 NFTs have approve() and setApprovalForAll()). When you call it, you give a spender, usually a smart contract, the right to move tokens out of your wallet, up to a specified amount, until you change or revoke the approval.
The mechanic is foundational to DeFi. Every swap on Uniswap, every deposit into Aave, every NFT listing on OpenSea begins with an approval. Without it, the protocol could not move your tokens to do what you asked.
The exploit reuses that mechanic against you:
- The attacker stands up a phishing site, a fake mint page, a fake airdrop claim, a "verify your wallet" prompt.
- You connect your wallet. The site immediately requests an approval.
- The approval looks normal in the browser pop-up.
- You sign.
- Hours, days, or weeks later, the attacker calls transferFrom() on the token contract from the approved spender address and drains your tokens.
The transaction that drains you is signed by the attacker, not by you. There is no second prompt. By the time your wallet shows the loss, the funds are already in a mixer.
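To make the mechanic concrete, here is a small Python model of ERC-20 allowance semantics. It is an added example for this post, not any real token's code and not a tool we ship; the "victim" and "drainer" names are invented and there is no chain or signature check beyond "who is the caller". It mirrors the checks a typical ERC-20 makes in transferFrom() and shows the three outcomes that matter: an unlimited allowance covers deposits made long after the approval, a bounded allowance caps the loss, and an approve() to zero (which is all a revocation is) closes the door.

```python
"""Minimal model of ERC-20 allowance semantics. Added teaching example, not a
real token contract: addresses are strings, there is no chain, and the only
"signature" is the caller argument. Like a typical ERC-20, transferFrom()
requires the caller's allowance to cover the amount, and an unlimited
allowance (2**256 - 1) is never decremented, so it covers future deposits."""

MAX_UINT256 = 2**256 - 1


class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}          # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        """The one transaction the victim signs."""
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        """Signed by the caller (the spender). The owner is not involved."""
        allowed = self.allowance.get((owner, caller), 0)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        if allowed != MAX_UINT256:
            self.allowance[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def drain(token, owner, spender):
    """What a drainer bot does weeks later: take everything the allowance covers."""
    take = min(token.balances.get(owner, 0),
               token.allowance.get((owner, spender), 0))
    if take:
        token.transfer_from(spender, owner, spender, take)
    return take


def scenario_unlimited():
    """Unlimited approval: the first drain empties the wallet, and a later
    deposit is drained again with no new signature from the victim."""
    t = Token({"victim": 1_000})
    t.approve("victim", "drainer", MAX_UINT256)
    first = drain(t, "victim", "drainer")
    t.balances["victim"] += 5_000            # victim tops the wallet up later
    second = drain(t, "victim", "drainer")
    return first, second, t.balances["victim"]


def scenario_limited():
    """A bounded allowance caps the loss at the approved amount."""
    t = Token({"victim": 1_000})
    t.approve("victim", "drainer", 100)
    first = drain(t, "victim", "drainer")
    second = drain(t, "victim", "drainer")   # allowance exhausted, nothing moves
    return first, second, t.balances["victim"]


def scenario_revoked():
    """approve(spender, 0), which is all a revocation tool sends, closes the door."""
    t = Token({"victim": 1_000})
    t.approve("victim", "drainer", MAX_UINT256)
    t.approve("victim", "drainer", 0)
    return drain(t, "victim", "drainer"), t.balances["victim"]


if __name__ == "__main__":
    print(scenario_unlimited())   # (1000, 5000, 0)
    print(scenario_limited())     # (100, 0, 900)
    print(scenario_revoked())     # (0, 1000)
```

The second drain in scenario_unlimited() is the case covered at the end of this post: funds sent into a wallet that still carries an old unlimited approval are taken without any further action from the owner.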
Why it works
Approval phishing is effective for three reasons:
The UI hides what's happening. Most wallet pop-ups display "Approve" with a contract address and a token. The amount is often 2^256 - 1, "unlimited", but rendered as an opaque hex string. Most users do not parse the difference between "swap 0.1 ETH" and "approve unlimited USDC to 0xA1B2…".
The damage is delayed. A swap fails in the same transaction. An approval scam succeeds silently and waits for your wallet balance to be worth taking. By the time a victim notices, they have already forgotten which site they connected to.
The vector is everywhere. Every dApp connection is a potential phishing site. A compromised Discord moderator account, a sponsored Google ad, a Twitter/X post from a hijacked verified account: the attacker only needs one click.
NFT projects are particularly exposed because their entire community lives in Discord and on X, where account compromises are routine.
What does not work
Several common defenses are weaker than they look:
- "I only sign on official sites." Official sites are routinely cloned on near-identical domains. Bookmark and verify.
- "My hardware wallet protects me." A hardware wallet shows you what you are signing, but only if you read it. Most users press "approve" without reading.
- "I'll just be careful." Phishing sites are designed to bypass careful. The whole industry of wallet drainers is professional and well-funded.
What works
Five practices that, combined, make approval phishing very hard to land on you:
1. Separate wallets by role
Treasury, operations, dApp interaction, and personal funds should never be the same address. A drain on the dApp-interaction wallet should leave treasury untouched. We cover the architecture in detail in the Wallet Setup engagement.
For an individual: one cold wallet with the long-term holdings (hardware, never connects to dApps), one hot wallet with no more than a month of working funds, one burner with $50 for trying new mints.
2. Use transaction simulation before signing
Wallet add-ons like Pocket Universe, Tally, or built-in simulation in MetaMask and Rabby tell you what a transaction will actually do before you sign. They catch the difference between "swap" and "approve unlimited USDT to a random address."
This single habit defeats the majority of approval phishing.
3. Read what your hardware wallet shows
The display on a Ledger or Trezor is the source of truth for what the device will actually sign. The dApp UI can lie; the device cannot, but it can only show what it is able to decode. If it offers you only a raw hash to sign (blind signing), it is telling you it does not know what the call does; treat that as a reject unless you know exactly why that contract needs it. If the device says "Approve" and you expected "Swap", reject. Every time.
4. Revoke approvals you no longer need
Tools like Revoke.cash list every active approval on your address and let you revoke them in one click. Each revocation is a normal on-chain transaction (an approve() to 0, or setApprovalForAll(operator, false)) and costs gas, so keep a little ETH on each wallet for it. We recommend doing this monthly. Cleared approvals cannot be exploited.
5. Use limited allowances when supported
Many wallets and dApps now support setting a specific allowance instead of unlimited. Use it. The convenience cost is a re-approval next time; the security benefit is that a future drain is bounded to the amount you approved. One caveat: some tokens, USDT among them, refuse to change a non-zero allowance directly to another non-zero value, so you may have to set it to 0 first and then to the new limit.
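A simulation tool's first job is to decode the raw calldata the dApp asked you to sign, the same bytes the pop-up renders as an opaque hex string. The script below is an added example in Python, not the code of any wallet or simulation tool named in this post. The selector table covers the standard ERC-20 and ERC-721 approval and transfer functions, the two addresses are constructed for the demo, and the "published contracts" allowlist is an assumption you would fill from the project's own documentation. It flags unlimited allowances, setApprovalForAll grants, and any spender that is not on the allowlist. It does not cover gasless signature approvals (EIP-2612 permit and similar), which arrive as typed-data messages rather than calldata and deserve the same scrutiny.

```python
"""Classify EVM calldata before signing. Added example, not any wallet or
simulation tool's code. Selectors are the first four bytes of
keccak256(canonical signature); they are hardcoded so nothing beyond the
standard library is needed."""

MAX_UINT256 = 2**256 - 1

# selector -> (function name, ((our arg name, abi type), ...)); static types only
SELECTORS = {
    "095ea7b3": ("approve", (("spender", "address"), ("amount", "uint256"))),
    "39509351": ("increaseAllowance", (("spender", "address"), ("amount", "uint256"))),
    "a22cb465": ("setApprovalForAll", (("operator", "address"), ("approved", "bool"))),
    "a9059cbb": ("transfer", (("to", "address"), ("amount", "uint256"))),
    "23b872dd": ("transferFrom", (("from", "address"), ("to", "address"), ("amount", "uint256"))),
}


def _decode_word(kind, word):
    # Every static ABI value occupies one left-padded 32-byte word.
    if kind == "address":
        return "0x" + word[-20:].hex()
    value = int.from_bytes(word, "big")
    return value != 0 if kind == "bool" else value


def decode_calldata(data_hex):
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(raw) < 4:
        return {"function": None, "args": {}, "error": "calldata too short"}
    selector = raw[:4].hex()
    if selector not in SELECTORS:
        return {"function": None, "args": {}, "error": f"selector 0x{selector} not in table"}
    name, fields = SELECTORS[selector]
    body = raw[4:]
    if len(body) < 32 * len(fields):
        return {"function": name, "args": {}, "error": "truncated arguments"}
    args = {fname: _decode_word(kind, body[32 * i:32 * (i + 1)])
            for i, (fname, kind) in enumerate(fields)}
    return {"function": name, "args": args}


def assess(data_hex, trusted_spenders=()):
    """Return (verdict, findings); verdict is one of ok / review / reject / unknown."""
    trusted = {a.lower() for a in trusted_spenders}
    d = decode_calldata(data_hex)
    if "error" in d:
        return "unknown", [d["error"] + "; simulate before signing"]
    fn, args = d["function"], d["args"]
    findings = []
    if fn in ("approve", "increaseAllowance"):
        spender, amount = args["spender"], args["amount"]
        if fn == "approve" and amount == 0:
            return "ok", [f"revocation: allowance for {spender} set to 0"]
        if amount == MAX_UINT256:
            findings.append("unlimited allowance (2**256 - 1)")
        if spender not in trusted:
            findings.append(f"spender {spender} is not a published contract")
            return "reject", findings
        return ("review" if findings else "ok"), findings
    if fn == "setApprovalForAll":
        operator = args["operator"]
        if not args["approved"]:
            return "ok", [f"revocation: operator {operator} removed"]
        findings.append(f"operator {operator} may move every token you hold in this collection")
        if operator not in trusted:
            findings.append(f"operator {operator} is not a published contract")
            return "reject", findings
        return "review", findings
    # transfer / transferFrom move a visible amount now and leave no standing permission
    return "ok", [f"{fn} of {args['amount']} executes in this transaction only"]


def encode_call(selector, *values):
    """Build calldata for the constructed samples: strings are addresses, others ints/bools."""
    out = bytes.fromhex(selector)
    for v in values:
        out += bytes.fromhex(v[2:]).rjust(32, b"\0") if isinstance(v, str) else int(v).to_bytes(32, "big")
    return "0x" + out.hex()


# Constructed addresses for the demo; neither is a real contract.
DRAINER = "0xa1b2c3d4e5f60718293a4b5c6d7e8f9001122334"
ROUTER = "0x1111111111111111111111111111111111111111"   # stands in for a published protocol contract

SAMPLES = {
    "phish_unlimited": encode_call("095ea7b3", DRAINER, MAX_UINT256),
    "phish_nft": encode_call("a22cb465", DRAINER, True),
    "legit_limited": encode_call("095ea7b3", ROUTER, 100 * 10**6),   # 100 units of a 6-decimal token
    "legit_unlimited": encode_call("095ea7b3", ROUTER, MAX_UINT256),
    "revoke": encode_call("095ea7b3", DRAINER, 0),
    "plain_transfer": encode_call("a9059cbb", ROUTER, 5 * 10**18),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        verdict, findings = assess(data, trusted_spenders=[ROUTER])
        print(f"{label:16} {verdict:8} {'; '.join(findings)}")
```

The verdict logic is deliberately conservative: an unlimited approval to a published contract is "review" rather than "ok" because item 5 above applies, and anything the table does not recognise is "unknown" rather than "ok", which is the case where a real simulator that executes the call is the only honest answer.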
For protocols and projects
If you operate a protocol or run a project, your users are exposed to this pattern by default, and they will blame you when it happens. Three things to do:
- Publish the canonical contract addresses your users should approve, prominently. Make the comparison easy.
- Educate your community. A short post explaining approvals, with simulation tool recommendations, costs you nothing and saves users.
- Watch your project contracts and wallets. Wallet Surveillance on the official addresses gives you early warning when an attacker mass-approves through a fake mint: the drainer address shows up as the spender in a burst of Approval or ApprovalForAll events on your token or collection contract, and it surfaces in alerts before the drain transactions start.
When it has happened
If you discover an old approval to a malicious contract, revoke it before transferring assets in. Drainers monitor approved wallets and trigger immediately on incoming transfers.
If a drain has already happened, an Incident Response engagement focuses on tracing the funds across mixers and bridges. Recovery is possible in some cases, particularly when off-ramps cooperate, but only when the trace is started within hours, not days.
The pattern is solved. The discipline to apply the solution is not. Build the discipline once and approval phishing becomes a non-event.