CoinDesk recently drew attention to this problem — but they weren’t aware it has been solved
Dapps have a dirty secret: they can often access an unlimited number of tokens from your wallet. Sounds crazy, but that’s the reality behind the innocuous-sounding ERC20 Approve method.
Here’s how we solved it.
First, how could a Dapp access all my tokens?
Traditionally, when your wallet interacts with a Dapp, it uses the ERC20 approve method. This gives the Dapp permission to transfer tokens from your wallet, up to a ceiling (the allowance).
Contrary to the CoinDesk headline, it’s actually not a bug. Asking for such a high amount of tokens was a deliberate design choice: one that prioritized convenience over security. This is because it sought to minimize how many transactions you have to make with the Dapp.
Here’s how accessing Dapps used to look. Not so welcoming. Or safe. (Image credit: Saturn Network)
The problem, aside from poor user experience, is how insecure it is.
Dapps would usually ask you to approve an insanely high number, e.g. 10⁵⁰. Pretty much unlimited.
You could be wiped out if there was a bug or malicious actor.
What was done about it?
Some people argued that you could inspect a Dapp’s smart contracts to check it wouldn’t steal all your tokens. But this is complex, ignores the risk that developers can upgrade the smart contracts, and doesn’t protect the majority of people who don’t know how to read through a smart contract.
How we solved it
We’ve solved this through two separate approaches to accessing Dapps.
a) Integrating Dapps natively in Argent
We’ve natively integrated a handful of core DeFi Dapps (Maker, Compound, Kyber, Aave, TokenSets and more) — to help you borrow, earn and exchange.
We integrated these at the smart contract level and ensured that only the amount requested is approved. And this all happens automatically under the hood — it’s invisible to Argent wallet owners.
Safer, and much easier too.
b) Connecting to desktop Dapps
As well as our native Dapp integrations you can also use Argent to access desktop Dapps. We do this through WalletConnect (a standard for connecting mobile wallets to desktop Dapps).
We’ve customized our WalletConnect integration to make it even safer. There are three main security features, as we wrote in this post.
1. Only approve what you want to spend
Argent detects if a Dapp is requesting a large amount and encourages you to only approve the amount you want to spend.
(We also call it ‘pre-authorize’, not approve, to clarify the process).
2. Protected by your daily transaction limit
With Argent you choose a daily transaction limit. Any transactions that exceed this limit are blocked for 24 hours. You can unblock them with your Guardians (your hardware wallets or friends you trust).
This limit also applies to the amount you pre-authorize a Dapp to take. This means there’s no risk of anyone draining your wallet.
3. Easily revoke a Dapp’s access to a token
Changed your mind about a Dapp? Revoke their access with a tap.
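The three WalletConnect safeguards above (capping oversized approvals, counting the pre-authorized amount against a daily limit, and revoking with approve(spender, 0)), together with the unlimited-approval problem from the first half of the post, as one added example. This is not Argent's code or the WalletConnect library; it is a simplified, offline model that works directly on raw ERC20 approve() calldata. The selector 0x095ea7b3 is the standard ERC20 approve(address,uint256) selector; everything else (the DailyLimit and Decision classes, the 10**50 figure reused from the post, the sample addresses and balances) is constructed for the example.

```python
"""Wallet-side guard for ERC20 approve() calldata (added example, not Argent's code)."""
from dataclasses import dataclass
from typing import Optional

# keccak256("approve(address,uint256)")[:4] -- the standard ERC20 selector
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
UINT256_MAX = 2**256 - 1


def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount): selector + two 32-byte words."""
    if not 0 <= amount <= UINT256_MAX:
        raise ValueError("amount does not fit in uint256")
    return (APPROVE_SELECTOR
            + int(spender, 16).to_bytes(32, "big")
            + amount.to_bytes(32, "big"))


@dataclass
class ApproveRequest:
    spender: str
    amount: int


def decode_approve(calldata: bytes) -> Optional[ApproveRequest]:
    """Return (spender, amount) for an approve() call, or None for any other call."""
    if len(calldata) != 68 or calldata[:4] != APPROVE_SELECTOR:
        return None
    spender = "0x" + calldata[16:36].hex()   # address is right-aligned in its word
    amount = int.from_bytes(calldata[36:68], "big")
    return ApproveRequest(spender, amount)


@dataclass
class DailyLimit:
    """Constructed model of the post's daily transaction limit (in token units)."""
    limit: int
    spent_today: int = 0

    def remaining(self) -> int:
        return max(self.limit - self.spent_today, 0)


@dataclass
class Decision:
    action: str          # "pass-through", "prompt-cap", "blocked-24h" or "approve"
    calldata: bytes      # what would actually be sent on-chain (possibly rewritten)
    note: str = ""


def guard_approve(calldata: bytes, balance: int, daily: DailyLimit,
                  user_cap: Optional[int] = None) -> Decision:
    """Safeguards 1 and 2: cap oversized approvals and enforce the daily limit.

    user_cap is the amount the user chose to pre-authorize after being prompted;
    None means the user has not been asked yet.
    """
    req = decode_approve(calldata)
    if req is None:
        return Decision("pass-through", calldata, "not an ERC20 approve() call")

    amount = req.amount
    if amount > balance:
        # Safeguard 1: the Dapp asks for more than the user even holds
        # (e.g. 10**50 or uint256 max). Ask what they actually want to spend.
        if user_cap is None:
            return Decision("prompt-cap", calldata,
                            f"requested {amount} exceeds balance {balance}; ask for a cap")
        amount = min(user_cap, balance)

    # Safeguard 2: the pre-authorized amount counts against the daily limit.
    if amount > daily.remaining():
        return Decision("blocked-24h", encode_approve(req.spender, amount),
                        "exceeds daily limit; held until a Guardian unblocks it")

    daily.spent_today += amount
    return Decision("approve", encode_approve(req.spender, amount),
                    f"pre-authorizing {amount} for {req.spender}")


def revoke_approval(spender: str) -> bytes:
    """Safeguard 3: approve(spender, 0) withdraws the allowance entirely."""
    return encode_approve(spender, 0)


if __name__ == "__main__":
    dapp = "0x" + "ab" * 20            # constructed spender address
    limit = DailyLimit(limit=500)
    unlimited = encode_approve(dapp, 10**50)
    print(guard_approve(unlimited, balance=1000, daily=limit).note)
    print(guard_approve(unlimited, balance=1000, daily=limit, user_cap=300).note)
    print(decode_approve(revoke_approval(dapp)))
```

The guard rewrites the calldata rather than just warning: the transaction that reaches the chain carries the capped amount, so even a Dapp that ignores the user's choice only ever receives the allowance the user agreed to.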