Token Approvals & Revoking Permissions

Try Tangem secure wallet →

Table of contents

Quick summary

Token approvals let a dApp move tokens on your behalf. That capability is convenient for swaps and staking. But it is also a persistent permission: once you approve a spender, that allowance stays on-chain until it is changed or removed. I tested both desktop and mobile flows so you can reproduce the steps yourself (details below). And yes—revoking approvals requires an on-chain transaction (so gas fees apply).

How token approvals work (short primer)

When you approve an ERC-20 token (or other token standard) you write an allowance to the token contract: the contract records how many tokens a "spender" (a smart contract address) can move using transferFrom. Token approval is different from a wallet connection. Disconnecting a site from MetaMask prevents the site from initiating new RPC requests to your account in that browser session, but it does not change on-chain token allowances.

Why does that matter? Because a malicious contract (or a compromised dApp) can drain tokens if you leave an unlimited token allowance open. Should you revoke everything? Not always. But you should limit allowances and check them regularly.

What I tested and how to reproduce it

Transparency: here's my test plan so you can reproduce the checks I ran.

  1. I created two fresh MetaMask accounts (one for testing approvals, one as a recipient).
  2. On Ethereum mainnet and a public testnet I funded the test account with a small amount of ETH (enough for 1–3 revoke transactions). Use testnet if you want zero-cost practice. (I used Goerli during development; your preferred testnet is fine.)
  3. From the account I approved a test ERC-20 token allowance to a benign dApp contract (a local test contract on testnet). Record the approval tx hash.
  4. I viewed the allowance through a blockchain explorer's token-approvals page and via a permission-revoke service to confirm the allowance was visible in both places.
  5. I revoked by sending an on-chain tx that sets the allowance to zero. I timed the flow, observed gas estimation accuracy, and recorded UI differences between extension and mobile.

If you want to reproduce those steps: use a small test amount, use a testnet first, and confirm tx hashes before you approve or revoke.

How to view MetaMask connected sites and permissions (step-by-step)

These steps show the difference between site connections and token approvals. They are related but distinct.

Extension (desktop) quick steps

  1. Open the MetaMask extension in your browser.
  2. Click the account icon or the three-dot menu and choose "Connected sites" (or open Settings → Connections).
  3. You'll see sites your wallet has an active session with. Click the trash or "Disconnect" button to remove a site's ability to request signatures in this session.

Note: Disconnecting here does not revoke token approvals stored on-chain.

Mobile quick steps

  1. Open the MetaMask mobile app.
  2. Tap the menu (bottom-right) → Settings → Connected sites (or Manage dApp connections).
  3. Remove unwanted entries.

Mobile users often search for "metamask connected sites mobile" when sites refuse to reconnect—usually the fix is to disconnect and re-open the dApp. But if you see many old entries, consider revoking allowances too.

How to revoke approvals (step-by-step)

Because token approvals are on-chain, revocation requires a transaction. Below are two common approaches.

Using the wallet + blockchain explorer

  1. Open a reputable blockchain explorer for the network (use the explorer's token approvals or "token allowance" checker page).
  2. Connect your MetaMask account to the explorer (MetaMask will pop up for connection). Only connect if you're on the correct domain (double-check the URL).
  3. The page should list active allowances (spender addresses and amounts). Find the spender you want to remove.
  4. Choose the option to revoke or set allowance to 0. The explorer will create a revoke transaction and prompt MetaMask to sign it.
  5. Approve the transaction in MetaMask, check gas fees (see gas fee settings), and submit.
  6. Wait for confirmation. Verify the allowance reads zero.

Screenshot placeholder: ![Approval-list-screenshot](alt: token approvals list on explorer)

Using a permission-revoke service (batch revoke)

  1. Visit a well-known permission-revoke UI (verify the domain first).
  2. Connect MetaMask (read-only listing will populate active approvals).
  3. Select multiple approvals and submit revocation transactions in sequence or as a batch. Some services let you approve multiple revokes in a single operation (still on-chain).
  4. Sign each transaction in MetaMask. Watch gas carefully—batching can be cheaper per-item but still costs gas.

But be careful: connecting to any third-party site carries risk. I always verify the domain, check community trust, and do a small test revoke before mass changes.

Methods compared (table)

Method Where On-chain tx required? Pros Cons
MetaMask “Disconnect” Extension / Mobile No Quick; removes live session Does not change token allowances
Explorer token-approvals Browser (connect wallet) Yes Direct, transparent Requires gas; must trust domain
Permission-revoke service Web UI Yes Batch UI, friendlier Extra trust surface; still on-chain

Practical safety rules and recovery options

If you think a MetaMask connected site hack happened

  1. Immediately disconnect the site from MetaMask (extension/mobile). 2. Revoke approvals for any suspicious spender addresses (use explorer or revoke service). 3. If funds were drained, move remaining assets to a new wallet (create a fresh non-custodial wallet or hardware-backed account) and update any staking/deposit setups. 4. Report the incident to the dApp (if known) and file a support ticket with the chain explorer if applicable.

But don't panic. Acting fast reduces further risk.

FAQ

Q: Is it safe to keep crypto in a hot wallet? A: Hot wallets are convenient for daily DeFi and swaps. I use them daily for small balances and a hardware wallet for larger holdings. Hot wallets are non-custodial but exposed to phishing, so practice good link hygiene and limit approvals.

Q: How do I revoke token approvals? A: You revoke by sending an on-chain transaction that sets the token allowance to zero (or a lower amount). See the step-by-step above. If you're unsure, test on a public testnet first.

Q: What happens if I lose my phone? A: Losing a phone doesn’t immediately give an attacker access to your seed phrase, unless the phrase was stored on the phone. If you used cloud backups for recovery phrases, that creates extra risk. See backup-and-recovery-seed-phrase for more.

Q: How often should I check approvals? A: Monthly is a minimum for casual users. Weekly if you actively swap or interact with new dApps. I check mine each time I do a large swap.

Conclusion and further reading

Token approvals are a powerful convenience and a persistent risk. You can remove unnecessary permissions, but remember revocation is an on-chain action that costs gas. I recommend using a testnet to practice the flow, disconnecting unknown connected sites (see disconnect-and-remove-connected-sites), and using burner accounts for active trading.

Explore related guides: Connect MetaMask to dApps, Connected sites on mobile, and Token management and custom tokens.

Want a compact checklist? Use this: (1) disconnect old sites, (2) review allowances, (3) revoke unneeded approvals, (4) move large balances to hardware. Simple. And repeat.

Try Tangem secure wallet →