EverRise Blog

Examining Crypto Exploits: OpenSea and BadgerDAO

While web3 and DeFi give people more control over their assets, users also take on more responsibility for the actions they choose to take. Part of that responsibility is understanding how various processes work and what exactly is happening when you interact with DeFi protocols.

DeFi is built on smart contracts. Users interact with smart contracts by giving the smart contract access to all or part of the contents of their wallet through a process called “Token Approval.”

After token approval is given, the smart contract has your permission to access the contents of your wallet up to a defined limit, which in practice is usually set to unlimited. As long as the approval remains active, the link between your wallet and the smart contract is active.

Keeping token approvals active can save time and transaction costs in the future, but it can also leave your wallet vulnerable to potential attackers. Let’s look at two examples of exploits where token approvals were targeted.

OpenSea Listing Exploit

Background

NFTs, or non-fungible tokens, have become increasingly popular over the past 18 months. With more and more money coming into the NFT space, scams and bad actors have followed. NFTs listed on OpenSea, the most popular NFT Marketplace, have been particularly targeted. It is important for anyone participating in the space to understand exploits that have happened in the past so that they can protect themselves in the future.

In January 2022, there was an exploit targeting NFTs listed on OpenSea. The attackers were able to purchase NFTs from collections such as Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats, and Cyberkongz for well below market value. They then sold the NFTs at market price to pocket the difference.

Over $1.1 million worth of NFTs were stolen in total. After selling the NFTs, the ETH was sent through Tornado Cash to anonymize the funds. Tornado Cash is a service where users deposit ETH into a pool and withdraw from a different wallet at a later time. This method makes it more difficult to track the transactions on the public ledger.

How did the exploit happen?

Listing an NFT for sale on OpenSea requires interacting with the blockchain, and you have to pay gas every time you do so. OpenSea users were reluctant to pay the fees associated with delisting an NFT. To bypass the delisting process, they transferred the NFT to a different wallet they controlled. Since the original wallet no longer held the NFT that had been listed for sale, the listing was no longer active on OpenSea. This was a simple solution to the issue of paying unnecessary Ethereum gas fees, which could be over $1000 per transaction depending on network congestion.

The vulnerability appeared when the NFTs were transferred back to the original wallet that had listed them for sale. By this time, the NFTs were worth much more than they had been previously.

The exploiters were able to take advantage of the listing created earlier, when the NFTs were worth much less. That listing was still active on the blockchain even though it did not appear active on OpenSea.
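To make the mechanism concrete, here is an added toy model (not OpenSea's or EverRise's code) of a listing that stays valid until it is cancelled on-chain; the wallet names, token id and prices are constructed for the example. Moving the NFT away only makes the listing unfillable, moving it back makes the old price fillable again, and only the gas-costing cancel actually closes it.

```python
# Added example (not OpenSea's or EverRise's code): a toy model of a marketplace
# listing that stays valid until cancelled on-chain. Moving the NFT away only makes
# the listing unfillable; moving it back makes the old price fillable again.
from dataclasses import dataclass

@dataclass
class Listing:
    seller: str
    token_id: int
    price_eth: float
    cancelled: bool = False      # only an on-chain cancel (which costs gas) flips this

class Market:
    def __init__(self, owner_of):
        self.owner_of = dict(owner_of)   # token_id -> current owner
        self.listings = []

    def list_nft(self, seller, token_id, price_eth):
        assert self.owner_of[token_id] == seller
        self.listings.append(Listing(seller, token_id, price_eth))

    def transfer(self, token_id, to):
        self.owner_of[token_id] = to     # plain NFT transfer; the listing is untouched

    def cancel(self, listing):
        listing.cancelled = True         # the delisting step users skipped to save gas

    def fillable(self, listing):
        """A buyer can fill a listing iff it is not cancelled and the seller holds the NFT."""
        return not listing.cancelled and self.owner_of[listing.token_id] == listing.seller

    def stale_listings(self, wallet, market_price):
        """Defender check: listings from this wallet that are live and priced below market."""
        return [lst for lst in self.listings
                if lst.seller == wallet and self.fillable(lst) and lst.price_eth < market_price]

def listing_demo():
    # Constructed sample: alice lists NFT #1 for 5 ETH; it is later worth 80 ETH.
    m = Market({1: "alice"})
    m.list_nft("alice", 1, 5.0)
    m.transfer(1, "alice_vault")          # "delist" by moving the NFT to another wallet
    hidden = m.fillable(m.listings[0])    # False: looks delisted
    m.transfer(1, "alice")                # NFT returns to the wallet that listed it
    exposed = m.fillable(m.listings[0])   # True: the 5 ETH listing is live again
    stale = [lst.price_eth for lst in m.stale_listings("alice", market_price=80.0)]  # [5.0]
    m.cancel(m.listings[0])               # the on-chain cancel really closes it
    closed = m.fillable(m.listings[0])    # False
    return hidden, exposed, stale, closed
```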

How can this be avoided in the future?

It is important to understand what permissions have been approved to access your wallet. Interacting with the blockchain requires giving a smart contract permission to access some or all of the contents of your wallet. Once approved, the permissions are typically active forever.

The easiest solution is to check the current permissions in your wallet and revoke any that do not need to be active. If you regularly trade an asset, it may make sense to leave it approved. If you plan on holding something indefinitely, it is usually safer to revoke permissions until you need to interact with the smart contract again.
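The approval mechanics described above and the revoke advice here are easiest to see in code. This is an added example, not EverRise's code: a minimal model of ERC-20 allowance semantics, plus the calldata a revoke transaction (approve(spender, 0)) actually sends. The wallet names and balance are constructed; the 0x095ea7b3 selector is the standard ERC-20 approve selector.

```python
# Added example (not EverRise code): a minimal model of ERC-20 allowance semantics,
# showing why an active "unlimited" approval exposes a wallet's whole balance and
# how a revoke transaction, approve(spender, 0), closes it.
UNLIMITED = 2**256 - 1                          # the value most dapps ask for
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")    # keccak256("approve(address,uint256)")[:4]

class Token:
    """Toy ERC-20: balances plus (owner, spender) -> allowance, as stored on-chain."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        # approve() overwrites the previous value; approving 0 is the standard revoke.
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowances.get((owner, spender), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            return False                        # would revert on-chain
        if allowed != UNLIMITED:                # unlimited allowances are not decremented
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True

def exposed_amount(token, owner, spender):
    """How much of owner's balance the spender could move right now."""
    return min(token.allowances.get((owner, spender), 0), token.balances.get(owner, 0))

def revoke_calldata(spender_hex):
    """ABI-encode approve(spender, 0): 4-byte selector + 32-byte address + 32-byte zero."""
    raw = spender_hex[2:] if spender_hex.startswith("0x") else spender_hex
    addr = bytes.fromhex(raw).rjust(32, b"\x00")
    return "0x" + (APPROVE_SELECTOR + addr + bytes(32)).hex()

def approval_demo():
    # Constructed sample: alice holds 1000 units and grants a dapp an unlimited approval.
    token = Token({"alice": 1000})
    token.approve("alice", "dapp", UNLIMITED)
    before = exposed_amount(token, "alice", "dapp")                   # 1000: everything
    token.approve("alice", "dapp", 0)                                 # the revoke
    after = exposed_amount(token, "alice", "dapp")                    # 0
    drained = token.transfer_from("dapp", "alice", "attacker", 1000)  # False
    return before, after, drained
```

The exposed_amount check is the number a wallet-permission review is really asking about: with an unlimited approval it equals your whole balance until you revoke.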

Another option is to hold long-term assets in cold storage, i.e. a hardware wallet that is not connected to the internet. Popular hardware wallets include Ledger and SafePal. If you choose to store your assets in a hardware wallet, it is vital to purchase it directly from the manufacturer, because wallets sold through third parties may be compromised, leaving your assets more vulnerable.

Remember, hardware wallets are similar to software wallets in that they provide a way to interact with the blockchain. If you use a hardware wallet to regularly connect to and interact with DeFi protocols, it too can become compromised.

BadgerDAO Exploit

Background

Bitcoin is by far the most widely known cryptocurrency. Even the most crypto-skeptical know about Bitcoin, and it is held by people at all levels of crypto experience. Bitcoin drives the entire crypto market, but it is not as widely used in decentralized finance.

BadgerDAO is a decentralized autonomous organization created to give Bitcoin holders access to DeFi. Users of BadgerDAO have the ability to leverage their BTC holdings in the world of DeFi.

In early December 2021, the website was compromised and over $120M worth of assets were stolen. Users gave permission to a malicious smart contract which gave the hackers access to the contents of their wallets.

How did the exploit happen?

Hackers gained access to the front end of the BadgerDAO website. They added malicious code that prompted people visiting the website with a wallet connection request. Once a user signed the approval request, the hackers had access to that user's wallet. This looked like a normal part of interacting with a protocol, so the request raised no obvious red flags. The smart contracts that run the protocol were unaffected.

The hackers waited over 10 days before acting on the approvals they had received. On December 1st, a wallet containing over $50M worth of assets connected to the website and gave approval to the hackers. At that point, they drained the assets of all wallets that had given them access. In total, they stole over $120M worth of assets.

How can this be avoided in the future?

Just because you trust a DeFi protocol does not mean that you need to leave unlimited permissions open indefinitely. If you don’t have a reason for your wallet to be accessed, you should revoke permissions and approve them again later.

Key Takeaways

Maintaining control over your wallet is one of the most important security measures you can take in DeFi. Many do not understand exactly what it means to approve access to their wallet and what is made possible with that confirmation.

To save time, most permissions are unlimited. This way, users don’t have to worry about constantly approving the protocol to use it. The price of this convenience is the potential for bad actors to have unlimited access to the wallet. People do not think twice about giving approval even if they won’t be using the protocol frequently.

Regularly review and revoke permissions that do not need to be active to protect your wallet from external threats.