How to revoke token approvals and close wallet risk
Reviewed 2026-06-25
Answer: Token approvals let contracts spend your tokens, and they never expire on their own. To stay safe, review every active approval and revoke the ones you no longer use — especially unlimited approvals granted to unknown or inactive contracts.
Who this is for
DeFi users interact with many contracts, and each connection leaves an approval that never expires on its own. Over time those approvals accumulate into a large attack surface. This page covers the checks experienced DeFi users run to keep their exposure under control.
The problem
Every protocol you have granted an approval to can still move those tokens, up to the approved amount. Right now. Old approvals do not expire by themselves, and most wallets do not show you how many you have accumulated.
Most people only check after something goes wrong. A scan takes under a minute and surfaces the specific flags that matter — before you commit to any action.
Warning signs to watch for
- Unlimited approval amount (max uint256) to any contract
- Approval to an unverified or inactive contract
- Approvals to protocols you used once and never returned to
- A large number of approvals you do not recognize in your history
Any one of these is a reason to check before acting. Several at once is a reason to stop entirely.
How to protect yourself
List every contract that holds a spending approval on your wallet, then revoke the ones you no longer use or do not recognize. Revoking is a standard transaction — it costs a small amount of gas and closes the exposure permanently.
- Open https://app.web3defender.tech and select the approvals scanner.
- Enter the address, token contract, or URL you want to check.
- Read the risk score and the specific flags returned.
- Revoke any approvals flagged as risky — revoke is a standard transaction.
- Re-scan after any new protocol connection or airdrop claim.
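What "listing approvals" means on-chain, as an added example (not the scanner's code): ERC-20 `Approval` event logs are folded into the set of approvals still active for one owner, max uint256 grants are flagged, and the `approve(spender, 0)` calldata that revokes one is built. The log dicts follow the `eth_getLogs` JSON shape; every address and log below is constructed sample data.

```python
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def active_approvals(logs, owner):
    """Fold logs in chain order; the latest Approval per (token, spender) wins."""
    state = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (ERC-721 Approval carries 4 topics)
        if topic_to_address(topics[1]) != owner.lower():
            continue  # approval granted by a different owner
        key = (log["address"].lower(), topic_to_address(topics[2]))
        state[key] = int(log["data"], 16)
    # Amount 0 means revoked. The live allowance() may be lower than the logged
    # amount once the spender has used part of it, so treat this as an upper bound.
    return [{"token": t, "spender": s, "amount": v, "unlimited": v == MAX_UINT256}
            for (t, s), v in state.items() if v > 0]

def revoke_calldata(spender):
    """Calldata for approve(spender, 0); the owner sends it to the token contract."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

# Constructed sample data (hypothetical addresses, not real contracts).
OWNER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN = "0x" + "aa" * 20
SPENDER_B, SPENDER_C = "0x" + "bb" * 20, "0x" + "cc" * 20

def _log(block, idx, owner, spender, amount):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x"),
            "blockNumber": hex(block), "logIndex": hex(idx)}

SAMPLE_LOGS = [  # deliberately out of order to exercise the sort
    _log(32, 0, OWNER, SPENDER_C, 0),            # later revoke of SPENDER_C
    _log(16, 0, OWNER, SPENDER_B, MAX_UINT256),  # unlimited, never revoked
    _log(18, 1, OWNER, SPENDER_C, 1000),         # limited, revoked at block 32
    _log(21, 0, OTHER, SPENDER_B, MAX_UINT256),  # someone else's approval
]

if __name__ == "__main__":
    for a in active_approvals(SAMPLE_LOGS, OWNER):
        print(a["token"], a["spender"], "UNLIMITED" if a["unlimited"] else a["amount"])
        print("revoke with:", revoke_calldata(a["spender"]))
```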
What the scanner checks
The approvals scanner runs against on-chain data and returns a 0–100 risk score with the specific flags that contributed to it. No off-chain assertions are trusted. No transaction is sent during a scan — it is entirely read-only.
For individuals, the free check covers the most common threats. For teams and funds, batch API access is available with structured output for compliance workflows and audit logs.
General habits that compound the protection
- Check before connecting — not after. A scan takes less time than it takes to regret skipping it.
- Revoke approvals to contracts you no longer use. Unlimited approvals that sit idle are the most common attack surface in DeFi.
- Open dApps from bookmarks or by typing the URL yourself — never from links in DMs, emails, or ads. The URL is the single most reliable signal you control.
- Treat urgency as a signal to slow down. Every social-engineering attempt creates false time pressure. If something feels rushed, that feeling is the warning sign.
- Verify independently. Legitimate services never DM you first or ask you to sign anything outside the official app.
Frequently asked questions
Do old token approvals ever expire automatically?
Only if the contract or token standard includes an expiry — most do not. Standard ERC-20 approvals are indefinite. Revoke approvals to any contract you no longer use.
Is revoking an approval free?
Revoking is a standard on-chain transaction and costs a small amount of gas. The cost is typically under a dollar on mainnet and much less on L2 chains.
Which approvals carry the highest risk?
Unlimited approvals (max uint256) to unverified or inactive contracts carry the most risk. Also watch for approvals to bridges or aggregators you used once and never returned to.
Is the scanner free to use?
Yes. A free check is available at https://app.web3defender.tech. No account is required for individual checks.
How long does a scan take?
Most scans complete in under fifteen seconds. Results include a risk score and the specific flags that contributed to it.
