Worried about approval phishing in DeFi? You should be — it's the #1 attack vector in 2026, costing users over $500M annually. Here's the quick version: a malicious dApp tricks you into signing a transaction that gives the attacker permission to spend your tokens, often unlimited. Below is how the attack works, the 6 most common patterns, and 7 rules to keep your wallet safe.
What Is Approval Phishing?
Approval phishing exploits the ERC-20 approve function. When you swap tokens on Uniswap or stake on Aave, you grant the protocol permission to spend your tokens. This is necessary for the protocol to work — they need to transfer your tokens on your behalf.
Approval phishing tricks you into granting this permission to a malicious contract instead of a legitimate one. The malicious contract can then drain your tokens at any time, without further interaction from you.
The attack typically unfolds like this:
- You visit a website that looks like a legitimate DeFi protocol (often via a phishing link on Twitter, Discord, or Google ads).
- You connect your wallet and try to make a swap or claim an airdrop.
- The site asks you to sign a transaction. The transaction looks normal in your wallet, but the underlying call grants the attacker's contract unlimited approval to spend your USDC, USDT, or other tokens.
- You confirm the transaction.
- Minutes or days later, the attacker's contract transfers all your approved tokens to their wallet. The transaction has no obvious link to the original approval.
You don't lose access to your wallet, and the attacker gets no key and cannot touch assets you never approved. But they can drain any token you approved to their contract, up to the approved amount.
Why Approval Phishing Is So Effective
Approval phishing is the most successful DeFi attack vector for several reasons:
- It's invisible: the approval transaction looks like a normal DeFi interaction. Most users don't read the underlying call data.
- It's delayed: the attacker can wait days or weeks before draining. The user has forgotten about the original approval.
- It's unlimited: most DeFi dApps request unlimited approval (to save gas on future transactions). Attackers request the same, so nothing looks unusual, and an unlimited allowance lets them drain the entire balance.
- It bypasses security training: even users who know about phishing may not understand the difference between approval and transfer.
- It's hard to detect: there's no obvious sign of compromise. Your wallet looks normal until tokens start disappearing.
The 6 Common Attack Patterns
Pattern 1: Fake Airdrop Claims
The most common pattern. A Twitter or Discord account posts about a new airdrop. You visit the site, connect your wallet, and click "claim." The site requests an approval for your USDC or ETH. You sign it, expecting to receive free tokens. Instead, you've given the attacker permission to spend your USDC. Days later, your USDC is gone.
Example: the Inferno Drainer kit (2023) stole $80M+ via fake airdrop claims. It operated as a phishing-as-a-service for hire.
Pattern 2: Phished Protocol UIs
The attacker creates a pixel-perfect copy of a real DeFi protocol (Uniswap, Aave, etc.) and tricks you into using it. The fake UI requests approvals to the attacker's contract instead of the real protocol. You think you're swapping on Uniswap; you're approving the attacker's contract.
Defense: bookmark official URLs. Never click DeFi links from social media or search ads.
Pattern 3: Malicious Browser Extensions
Wallet drainer extensions masquerade as legitimate wallet plugins. They intercept your transactions and replace legitimate calls with malicious approvals. The user sees a normal transaction in their wallet UI, but the actual on-chain call is malicious.
Defense: only install wallet extensions from official sources. Verify the publisher.
Pattern 4: Permit Signatures (EIP-2612)
Permit signatures are a newer attack vector. Instead of an approve transaction, the attacker has you sign an EIP-2612 permit message off-chain; the signature itself grants the allowance. You sign a message in your wallet, and the attacker can submit the permit on-chain later. No transaction needed from you.
Example: the Banana Gun Telegram bot was exploited in 2024 via permit signatures, draining $1.4M.
Defense: read the permit details carefully. Legitimate permits usually have clear "Permit" labels. Be suspicious of any signature request that doesn't match the action you're taking.
Pattern 5: DNS Hijacking
Attackers hijack the DNS of a real protocol. Users type the correct URL but are redirected to a phishing site. This is rare but devastating because even savvy users get caught.
Example: Curve Finance's DNS was hijacked in 2022. Users who typed curve.fi were redirected to a phishing site that requested approvals.
Defense: use bookmarks. Check the SSL certificate. If a site looks different, disconnect immediately.
Pattern 6: Compromised Protocol Front-Ends
Sometimes the front-end of a legitimate protocol is compromised. The code on-chain is fine, but the website you interact with has malicious JavaScript that requests approvals to attacker contracts. This has happened to Badger DAO, LayerZero, and others.
Defense: use a wallet that simulates transactions (Rabby, Pocket Universe) and shows warnings for unusual calls.
How to Check If You've Been Compromised
Use these tools to check your wallet's current approvals:
- Revoke.cash (revoke.cash): the most popular approval checker. Shows all your current approvals with risk scores.
- Etherscan Token Approval Checker (etherscan.io/tokenapprovalchecker): official Etherscan tool.
- Rabby Wallet: built-in approval manager in the wallet UI.
- Approved.zone: portfolio-level approval audit.
- Cookie3 DeFi Approval Checker: shows approvals with phishing risk flags.
Check monthly. If you see any of the following, revoke immediately:
- Approvals to contracts you don't recognize
- Approvals with "unlimited" amount to non-major protocols
- Approvals from old airdrop claims or test transactions
- Approvals to contracts that are unverified on Etherscan
How to Revoke Approvals
Revoking has no fee beyond the gas for the transaction. Steps:
- Visit Revoke.cash.
- Connect your wallet.
- Review the list of approvals.
- For each suspicious approval, click "Revoke."
- Confirm the transaction in your wallet. This sets the allowance back to 0.
After revoking, the contract can no longer transfer your tokens. The next time you use that dApp, you'll need to approve again. This is the trade-off — you pay gas twice for cleaner security.
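Tools like Revoke.cash do this lookup for you. As an added example, not code from any of the tools named above, the following JavaScript rebuilds a wallet's current allowances from Approval event logs (constructed inline here; a real audit would fetch them with eth_getLogs), applies the checklist, and produces the approve(spender, 0) calldata that the "Revoke" button sends. The addresses, the allow-list of known spenders and the helper names are assumptions.

```javascript
// Rebuilds a wallet's current ERC-20 allowances from Approval event logs and
// flags the ones the checklist above says to revoke, emitting the approve(spender, 0)
// calldata for each. The logs, addresses and allow-list are constructed for this
// example; APPROVAL_TOPIC and APPROVE_SELECTOR are the real ERC-20 values.
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const APPROVE_SELECTOR = "0x095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n;
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]); // e.g. a DEX router
const OWNER = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const USDC = "0xcccccccccccccccccccccccccccccccccccccccc";
const word = (hex) => "0x" + hex.slice(2).toLowerCase().padStart(64, "0"); // 32-byte ABI word

// Constructed eth_getLogs-style entries: a limited approval to the router, an
// unlimited one to an unknown "airdrop" contract, then the router allowance reset to 0.
const LOGS = [
  { address: USDC, blockNumber: 100, logIndex: 0, topics: [APPROVAL_TOPIC, word(OWNER), word("0x1111111111111111111111111111111111111111")], data: word("0x" + (100n * 10n ** 6n).toString(16)) },
  { address: USDC, blockNumber: 200, logIndex: 3, topics: [APPROVAL_TOPIC, word(OWNER), word("0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef")], data: word("0x" + MAX_UINT256.toString(16)) },
  { address: USDC, blockNumber: 300, logIndex: 1, topics: [APPROVAL_TOPIC, word(OWNER), word("0x1111111111111111111111111111111111111111")], data: word("0x0") },
];

// approve() overwrites, so the latest Approval per (token, spender) is the live allowance.
function currentAllowances(logs, owner) {
  const ordered = [...logs].sort((a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex);
  const latest = new Map();
  for (const log of ordered) {
    if (log.topics[0] !== APPROVAL_TOPIC || log.topics[1] !== word(owner)) continue;
    const spender = "0x" + log.topics[2].slice(26);     // last 20 bytes of the indexed topic
    latest.set(`${log.address}:${spender}`, { token: log.address, spender, amount: BigInt(log.data), block: log.blockNumber });
  }
  return [...latest.values()].filter((a) => a.amount > 0n);
}

// Apply the checklist and attach the revoke transaction for anything flagged.
function flagAllowances(allowances) {
  return allowances.map((a) => {
    const reasons = [];
    if (!KNOWN_SPENDERS.has(a.spender)) reasons.push("spender not recognized");
    if (a.amount === MAX_UINT256) reasons.push("unlimited allowance");
    const revokeTx = reasons.length
      ? { to: a.token, data: APPROVE_SELECTOR + a.spender.slice(2).padStart(64, "0") + "0".repeat(64) }
      : null;
    return { ...a, reasons, revokeTx };
  });
}
```

The "unverified on Etherscan" and "old airdrop claim" criteria need an explorer lookup and your own memory; the block covers the two checks that can be decided from the log alone.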
7 Rules to Prevent Approval Phishing
- Read every transaction. Wallet UIs hide most of the call data by default. Use a wallet that decodes the call (Rabby, Frame) and shows what the contract will do. If you see approve when you expected a swap, abort.
- Use limited approvals. Instead of approving the default unlimited amount, manually set a specific amount (e.g., 100 USDC). You'll pay more gas over time, but the loss is limited if compromised.
- Use a separate wallet for risky interactions. Your main wallet (with your long-term holdings) should never connect to unknown dApps. Use a burner wallet for new protocols, airdrop claims, and test interactions. Fund the burner with only what you need.
- Bookmark official URLs. Never click DeFi links from Twitter, Discord, or search ads. Phishing sites are the #1 vector.
- Revoke approvals monthly. Set a calendar reminder. Visit Revoke.cash and clean up.
- Use a transaction simulation tool. Rabby Wallet, Pocket Universe, and Blowfish simulate transactions and warn about malicious calls.
- Never sign permit messages for unknown sites. Permit signatures are a fast-growing attack vector. Treat any permit signature request as suspicious.
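Rules 1, 2 and 7 above are what simulation wallets automate. As an added example, not Rabby's, Frame's or Blowfish's code, here is a dependency-free check that decodes an approve calldata or an EIP-2612 Permit typed-data request and compares it against what the user believes they are doing. The allow-list, the addresses and the function names are assumptions.

```javascript
// Wallet-side check of an incoming RPC request before the user is prompted.
// Hypothetical helper names; APPROVE_SELECTOR is the real ERC-20 selector for
// approve(address,uint256). The allow-list and addresses are constructed.
const APPROVE_SELECTOR = "0x095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n;
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// Decode approve(address spender, uint256 amount) calldata; null if not approve.
function decodeApprove(data) {
  if (!data || data.slice(0, 10).toLowerCase() !== APPROVE_SELECTOR) return null;
  const words = data.slice(10).toLowerCase();
  if (words.length !== 128) return null;                // exactly two 32-byte ABI words
  return {
    spender: "0x" + words.slice(24, 64),                // address is right-aligned in word 0
    amount: BigInt("0x" + words.slice(64, 128)),
  };
}

// expectedAction is what the user believes they are doing ("swap", "claim", "approve").
function assessApproval(spender, amount, expectedAction) {
  const reasons = [];
  if (expectedAction !== "approve") reasons.push(`approval requested, user expected ${expectedAction}`);
  if (amount === MAX_UINT256) reasons.push("unlimited allowance");
  if (!KNOWN_SPENDERS.has(spender)) reasons.push("spender not on allow-list");
  return { spender, amount, risk: reasons.length ? "block" : "allow", reasons };
}

// Handles both the on-chain approve path and the EIP-2612 Permit signature path.
function inspectRequest(req, expectedAction) {
  const ok = { risk: "allow", reasons: [] };
  if (req.method === "eth_sendTransaction") {
    const a = decodeApprove(req.params[0].data);
    return a ? assessApproval(a.spender, a.amount, expectedAction) : ok;
  }
  if (req.method === "eth_signTypedData_v4") {
    const typed = JSON.parse(req.params[1]);            // params = [signer, typedDataJSON]
    if (typed.primaryType !== "Permit") return ok;      // other typed data is out of scope here
    const m = typed.message;
    return assessApproval(m.spender.toLowerCase(), BigInt(m.value), expectedAction);
  }
  return ok;
}
```

A real wallet would also resolve the spender against a verified-contract list and show the decoded fields instead of raw hex; the point here is that both request paths end in the same allowance decision.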
Wallet Tools for Better Approval Safety
- Rabby Wallet: built by DeBank, decodes every transaction, has a built-in approval manager, and shows risk warnings.
- Frame Wallet: similar to Rabby with strong transaction simulation.
- MetaMask with Blowfish: Blowfish is a transaction simulation API that warns about malicious calls before you sign.
- Pocket Universe: browser extension that simulates transactions and shows what will happen.
- Fire: a wallet focused on approval safety with built-in revocation.
What to Do If You Get Drained
If you've been approval-phished:
- Revoke all approvals immediately. Visit Revoke.cash and revoke everything to limit further damage.
- Move remaining funds to a new wallet. The attacker may have other vectors. Create a fresh wallet and transfer assets.
- Check your transaction history. Identify the malicious approval and the drain transaction. This helps trace the attacker.
- Report to the protocol. If you were phished via a fake version of a real protocol, report the phishing site so the real protocol can warn others.
- File a police report. The chances of recovery are low, but having a report helps if the attacker is identified.
- Don't pay "recovery" services. Scammers contact victims pretending to offer recovery services. They ask for upfront fees and disappear.
Will Approval Phishing Ever Stop?
Probably not entirely. The ERC-20 approval mechanism is fundamental to DeFi — without it, you couldn't swap, stake, or lend. As long as approvals exist, attackers will try to exploit them. The good news: wallets and tools are getting better at warning users about malicious approvals. In 2026:
- EIP-7702 (proposed): allows batched approvals with explicit per-call authorization. Would reduce the attack surface.
- Session keys: protocols like Session.js and Biconomy offer scoped, time-limited permissions instead of unlimited approvals.
- Smart accounts: ERC-4337 smart contract wallets can require additional confirmation for high-risk operations.
- Better wallet UIs: every major wallet now shows decoded calls and risk warnings. The user experience is improving.
For now, follow the 7 rules above and check your approvals monthly. The 30 seconds of cleanup is worth the protection.
Bottom Line
Approval phishing is the most dangerous DeFi attack in 2026 because it's invisible, delayed, and unlimited. The defenses are clear: read every transaction, use limited approvals, use a burner wallet for risky interactions, bookmark official URLs, and revoke approvals monthly. Tools like Revoke.cash, Rabby Wallet, and Pocket Universe make this easier than ever. The 30 seconds of monthly cleanup is worth the protection. Don't be the user who loses $50K to an approval they signed three weeks ago and forgot about.