Token Approvals & Revoking Access in MetaMask

---

Overview

Token approvals (also called token allowances) let a smart contract move tokens from your address after you sign an approval transaction. Why revoke approvals? Because leaving a large or unlimited allowance opens a path for a compromised dApp or contract to drain tokens. What I've found is that many people think disconnecting a dApp from MetaMask removes its access — it doesn't (more on that below). And yes, revoking approvals usually requires an on-chain transaction that costs gas.

This guide explains how to revoke token approvals in MetaMask, how to revoke contract MetaMask permissions, and how to remove connected sites. I describe the exact steps I used in my tests so you can replicate them safely.

Connected sites vs token allowances

Short version: "disconnecting" a dApp stops it from reading your wallet via the injected provider, but it does not change allowances stored in a token contract.

• Connected sites: a UI-level permission. Removing it prevents automatic pop-ups and site-initiated requests. Useful for privacy and convenience.
• Token allowances: an on-chain variable inside the ERC-20 token contract. Setting allowance to 0 requires a transaction.

How to remove MetaMask connections (desktop & mobile)

How to remove MetaMask connections is a common question. Here are practical steps.

Desktop extension (typical flow):

1. Open the MetaMask popup while on the dApp tab.
2. Click the account icon / menu and look for "Connected Sites" or "Connected Accounts".
3. Find the site domain and click "Disconnect" or "Remove".

Mobile (typical flow):

1. Open the MetaMask app.
2. Tap the menu (top-left or top-right), go to Settings -> Connections (or Connected Sites).
3. Tap the site and choose "Disconnect".

Removing a connection answers "revoke wallet access MetaMask" at the UI level. But remember: disconnecting does not revoke token approval allowances.

How to revoke token approvals (step-by-step)

Below are three practical ways to revoke contract permissions in MetaMask. Each requires you to know the spender contract address (the contract that was approved).

Method A: Use a block explorer’s contract "write" (generic steps)

This is the most direct, network-native approach.

1. Find the token contract address (from your wallet or token list). Copy it.
2. Open a blockchain explorer for the same network (mainnet or the L2 you used). Search the token contract.
3. Use the explorer's "Read Contract" section to call allowance(owner, spender) with your wallet address and the dApp/contract address to confirm the current allowance.
4. Switch to "Write Contract" (you will need to connect MetaMask). Call approve(spender, 0) (or decreaseAllowance if the token implements it) to set allowance to zero.
5. Confirm the MetaMask transaction and wait for confirmation. Check the allowance again to verify.

Notes: Some tokens require you to first set allowance to zero before setting a new value. Also, revoking is an on-chain write and will consume gas (see gas-fees-eip1559-and-l2 for strategies).

Method B: Use a read-only revocation UI (open-source interfaces)

There are open-source revocation interfaces that present a list of your approvals and let you revoke with a click. Workflow:

1. Open the revocation UI, select the network.
2. Connect your wallet (read-only connection) and review the approvals list.
3. Revoke selected approvals; MetaMask will prompt to sign each revocation transaction.

Security tip: prefer open-source, auditable tools (and verify the website URL). But don't assume a revoke UI is risk-free — double-check the spender addresses before confirming.

Method C: Revoke from the dApp if available

Some dApps provide a "revoke" or "disconnect" button inside their UI that triggers an on-chain transaction to set allowance to 0. If the dApp offers it, this is convenient. Still, confirm the spender address and gas estimate in MetaMask before signing.

Quick comparison: revoke options

Method	Convenience	Gas overhead	When to use
Block explorer (write)	Medium	Standard on-chain cost	When you know token & spender addresses; deterministic method
Revocation UI (open-source)	High	Multiple small on-chain txs	When you have many approvals to tidy up quickly
DApp "revoke" button	Easiest	Standard	If the dApp offers a built-in safety option

How I tested this (reproducible methodology)

I ran reproducible checks on a test token and on a small mainnet sample. Steps so you can replicate:

1. Use a test network (or an L2 with cheap gas) to avoid spending mainnet ETH while learning.
2. Deploy or locate an ERC-20 token contract and a simple spender contract (or use a dApp you control).
3. From MetaMask extension (Chrome) approve the spender for a non-zero amount.
4. Confirm the allowance via the explorer's allowance read method.
5. Revoke using the block explorer write flow: call approve(spender, 0) and confirm in MetaMask.
6. Verify the allowance is now 0.

In my experience, approve/revoke transactions are single writes (tens of thousands of gas). Gas spikes on mainnet matter, so test first on a testnet.

Cancelling pending contract interactions in MetaMask

What if you accidentally signed an approval and it’s pending? Can you cancel a contract interaction MetaMask? Short answer: sometimes.

• If MetaMask shows a "Cancel" option for the pending tx, use it.
• If not, create a replacement transaction with the same nonce and a higher gas fee (Speed Up feature or manual replacement). This replaces the pending tx when mined first.

See cancel-and-speed-up-transactions for a full how-to.

Security checklist and best practices

• Avoid unlimited approvals. If a dApp requests an unlimited allowance, consider using a one-time or minimal allowance instead.
• Revoke approvals for dApps you no longer use (use a revocation UI or the contract write flow).
• For large balances, prefer a hardware wallet for signing approvals (see integrate-hardware-ledger-trezor).
• Keep your seed phrase offline (read backup-and-recovery-seed-phrase).
• Disconnect sites you don't use (see disconnect-and-remove-connected-sites and manage-dapp-connections).

But remember: revoking allowances is a post-factum mitigation. The safest pattern is to limit permissions from the start.

FAQ

Q: Is it safe to keep crypto in a hot wallet? A: Hot wallets are convenient for daily DeFi activity, but they expose you to signing attacks and phishing. For large holdings, use cold storage or a hardware wallet.

Q: How do I revoke token approvals? A: Use a block explorer to call approve(spender, 0) or a trusted revocation UI to send the revocation transaction. Confirm the spender address before signing.

Q: What happens if I lose my phone? A: If your phone had the hot wallet and its seed phrase backup is compromised or lost, funds are at risk. Restore from your seed phrase on a new device if you still control the seed. See recover-lost-wallets and backup-and-recovery-seed-phrase.

Q: How do I cancel a contract interaction in MetaMask? A: Use the Cancel or Speed Up options in the pending transaction. If unavailable, replace the transaction with the same nonce and higher gas. See cancel-and-speed-up-transactions.

Wrap-up and next steps

Revoking token approvals and removing dApp connections are simple, but they're different actions with different effects. In my experience, taking 5–10 minutes each month to audit approvals is good hygiene (and it has saved me from a bad approval once). And if you're actively swapping or moving tokens, factor the gas cost of revokes into your routine.

Want more practical walkthroughs? Check these related guides: Connect MetaMask to dApps, Disconnect and remove connected sites, and Approvals & revoke guide. If you want to practice safely, try the block-explorer interact flow on a testnet before executing on mainnet.

Happy securing your wallet — and if you try these steps and hit a snag, see troubleshooting for common errors.