
Growth · 2 min read
"Unlimited Approval" — The Default That Drains Wallets
One checkbox interaction. A `type(uint256).max` approval. Permanent spending rights for a contract address your user will forget in 48 hours.

This is the most dangerous dark pattern in DeFi, and it's the industry default.

The technical context: ERC-20 `approve(spender, amount)` grants a spender address the right to `transferFrom` tokens on the owner's behalf, up to `amount`. Setting the amount to MAX_UINT256 (2^256-1) grants effectively unlimited, perpetual access: the allowance never runs down to zero, so it never has to be renewed, and it stays in place until the owner explicitly overwrites it. The rationale, documented in countless GitHub issues and forum threads, is gas efficiency: approve once, interact forever, skip the repeated approval transactions.

The security math doesn't balance. Revoke.cash's public database shows $1.2B+ in losses attributable to unlimited approvals exploited through compromised protocols. The January 2022 Multichain (Anyswap) router bug is the textbook case: a flaw in the router let attackers call `transferFrom` against allowances users had granted to it months earlier, draining wallets that had not touched the protocol since. The Badger DAO incident ran the other way: a compromised front end harvested approvals to an attacker-controlled address over several weeks, then drained them in one batch. (The Wormhole bridge hack, often listed alongside these, was a signature-verification flaw in the bridge itself, not an approval drain.) The common thread is that the approval outlived the user's attention.

Production-grade approval UX requires:

→ Default to the exact transaction amount. The cost is one extra approval transaction per interaction, roughly 46k gas each time the allowance has been spent down to zero. That is negligible on L2s and a bounded, predictable cost even on mainnet. User security is not a gas optimization target.

→ Translate approval scope into human terms. "$500 USDC" is comprehensible. "115792089237316195423570985008687907853269984665640564039457584007913129639935" is not, and neither is the word "unlimited" in small grey text. This pattern is implemented in Rainbow Wallet's approval flow and documented in their design system.

→ Color-coded risk indicators. Green for an exact amount, yellow for a time-limited approval, red for unlimited. One caveat on yellow: a plain `approve` has no expiry at all. Time-limited allowances come from mechanisms such as Uniswap's Permit2, which attaches an expiration to each allowance; an EIP-2612 `deadline` only bounds how long the signature can be submitted, not how long the resulting allowance lives. This visual language is consistent with what users already expect from security software.

The Ethereum Foundation's security best practices explicitly recommend limited approvals.
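What the confirmation screen should compute before it paints anything, as an added example (JavaScript; not code from the original post or from any wallet named in it): decode the `approve(address,uint256)` calldata, map an EIP-2612 `permit` message onto the same shape, render the amount with the token's decimals, and assign one of the three risk tiers. The token metadata table, the spender address, the amounts and the timestamps are constructed for the example; the optional `expiresAt` field stands for a Permit2-style allowance expiration, which a plain `approve` does not have.

```javascript
// Added example, not code from the original post or any wallet vendor:
// decode and classify ERC-20 approval requests for a confirmation screen.
// Token metadata is a constructed lookup, not an on-chain call.

const MAX_UINT256 = (1n << 256n) - 1n;
const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")

// Constructed metadata for the example, keyed by lowercase token address.
const TOKENS = {
  "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48": { symbol: "USDC", decimals: 6 },
  "0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2": { symbol: "WETH", decimals: 18 },
};

// Render a raw uint256 amount using the token's decimals, e.g. 500000000n with 6 -> "500".
function formatAmount(raw, decimals) {
  const base = 10n ** BigInt(decimals);
  const frac = (raw % base).toString().padStart(decimals, "0").replace(/0+$/, "");
  return frac ? `${raw / base}.${frac}` : `${raw / base}`;
}

// Decode approve(address spender, uint256 amount) calldata: a 4-byte selector
// followed by two 32-byte ABI words. Rejects anything that is not that shape.
function decodeApproveCalldata(data) {
  const hex = data.toLowerCase();
  if (!hex.startsWith(APPROVE_SELECTOR) || hex.length !== 10 + 2 * 64) {
    throw new Error("not approve(address,uint256) calldata");
  }
  const spenderWord = hex.slice(10, 74);
  const amountWord = hex.slice(74, 138);
  if (!/^0{24}/.test(spenderWord)) throw new Error("address word has non-zero padding");
  return { spender: "0x" + spenderWord.slice(24), amount: BigInt("0x" + amountWord) };
}

// Map an EIP-2612 permit message (the EIP-712 struct the user is asked to sign)
// onto the decoded-approve shape. `deadline` is the last moment the signature
// may be submitted; the allowance it creates is an ordinary ERC-20 allowance
// with no expiry, so it is deliberately NOT turned into an expiresAt.
function fromPermitMessage(msg, now) {
  if (BigInt(msg.deadline) <= BigInt(now)) throw new Error("permit deadline already passed");
  return { spender: msg.spender, amount: BigInt(msg.value) };
}

// Classify into the post's three tiers. `req` is { spender, amount, expiresAt? }
// where expiresAt (unix seconds) is an allowance expiry such as Permit2 sets.
// `expected` is the amount this transaction actually moves.
function classifyApproval(token, req, expected, now = Math.floor(Date.now() / 1000)) {
  const meta = TOKENS[token.toLowerCase()] ?? { symbol: "tokens", decimals: 18 };
  const unlimited = req.amount === MAX_UINT256;
  const human = unlimited ? `unlimited ${meta.symbol}` : `${formatAmount(req.amount, meta.decimals)} ${meta.symbol}`;

  if (req.amount === expected) {
    return { tier: "green", scope: "exact", summary: `Spend ${human} for this transaction only` };
  }
  if (req.expiresAt !== undefined) {
    if (req.expiresAt <= now) {
      return { tier: "red", scope: "expired", summary: `Allowance of ${human} has already expired; this transaction will fail` };
    }
    const until = new Date(req.expiresAt * 1000).toISOString();
    return { tier: "yellow", scope: "time-limited", summary: `Spend up to ${human} until ${until}` };
  }
  if (unlimited) {
    return { tier: "red", scope: "unlimited", summary: `Spend ${human} from this wallet, forever, with no further confirmation` };
  }
  return {
    tier: "red",
    scope: "excess",
    summary: `Spend up to ${human} (this transaction needs ${formatAmount(expected, meta.decimals)} ${meta.symbol}); the remainder never expires`,
  };
}

// Constructed inputs: a USDC approval to a hypothetical router address.
const USDC = "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48";
const ROUTER = "0x1111111111111111111111111111111111111111"; // hypothetical spender
const pad32 = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
const approveCalldata = (spender, amount) => APPROVE_SELECTOR + pad32(spender) + pad32(amount.toString(16));

function demo() {
  const now = 1_700_000_000; // fixed clock so results are reproducible
  const need = 500_000_000n; // 500 USDC (6 decimals)
  return {
    exact: classifyApproval(USDC, decodeApproveCalldata(approveCalldata(ROUTER, need)), need, now),
    unlimited: classifyApproval(USDC, decodeApproveCalldata(approveCalldata(ROUTER, MAX_UINT256)), need, now),
    excess: classifyApproval(USDC, decodeApproveCalldata(approveCalldata(ROUTER, 600_000_000n)), need, now),
    permit: classifyApproval(USDC, fromPermitMessage({ spender: ROUTER, value: "500000000", nonce: 0, deadline: now + 600 }, now), need, now),
    timed: classifyApproval(USDC, { spender: ROUTER, amount: 1_000_000_000n, expiresAt: now + 1800 }, need, now),
  };
}

for (const [name, r] of Object.entries(demo())) console.log(name, r.tier, r.scope, "-", r.summary);
```

The permit case lands on green only because `value` equals what the transaction needs and is consumed in the same call; a permit signed for `type(uint256).max` falls through to the same red "unlimited" branch as a raw `approve`, because the allowance it writes is identical.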
The EIP-2612 `permit` standard lets the owner authorize an exact amount by signing an EIP-712 message instead of sending a separate approval transaction; the spender submits the signature and pulls the tokens in the same call, so the gas argument for unlimited approvals disappears. Two caveats a front end has to own: only tokens that implement `permit` support it (Uniswap's Permit2 extends the pattern to any ERC-20 through a one-time approval to the Permit2 contract), and a `permit` signed for `type(uint256).max` is exactly as dangerous as an unlimited `approve`, because the allowance it writes is the same ordinary allowance and the `deadline` bounds only the signature, not the allowance. Exact amounts and short deadlines are still a default the dApp has to choose.

Every unlimited approval is a dormant attack vector waiting for its contract to be compromised.

→ MayWap | Designing approval flows that protect users