Check smart contract approvals to prevent NFT theft
You signed a transaction on a site that looked legitimate. It asked you to connect your wallet and approve access to your collection. You clicked "Confirm." Forty-eight hours later, every NFT you owned was transferred to an address you have never seen.

Check Smart Contract Approvals to Prevent NFT Theft
If you have ever listed an NFT on a marketplace, minted from a project site, or interacted with any decentralized application, you have granted at least one smart contract permission to move assets from your wallet. Some of those permissions are legitimate and necessary. Many are not. And unless you are actively reviewing and revoking them, every outdated or malicious approval is an open door waiting to be walked through.
The Hidden Danger of setApprovalForAll in NFT Collections
The ERC-721 and ERC-1155 token standards — the frameworks that govern nearly all NFTs — include a function called setApprovalForAll. When a smart contract calls this function and you sign the transaction, you grant that contract blanket permission to transfer any and every token in that collection from your wallet. Not one token. Not a specific token. Every single NFT you hold under that contract, present and future, without requiring any further confirmation from you.
For related context, see Brand NFTs — utility, membership and ticketing.
This function exists for practical reasons. Marketplaces like OpenSea, Blur, or Rarible need it so that when you list an NFT for sale, their contracts can move the token to an escrow or fulfill a trade on your behalf. Without setApprovalForAll, you would need to approve each individual listing, which would be prohibitively expensive in gas fees and slow down the trading experience.
The problem is scope. When you grant setApprovalForAll to a legitimate marketplace, you are trusting that contract and its administrators indefinitely. When you grant it to a malicious contract — often disguised as a minting page, a fake airdrop claim, or a phishing site — you hand over complete control of your collection to an attacker.
Here is what makes this dangerous: the approval persists until you explicitly revoke it. You might have signed a one-time transaction six months ago on a site you have already forgotten. That approval is still active. The contract you granted access to might have been legitimate at the time but has since been compromised, or it might have been malicious from the start. Either way, the permission remains live on the blockchain, waiting.
Every setApprovalForAll you have ever signed is still active until you pay gas to revoke it. Your wallet's history is a map of open attack surfaces.How Malicious dApps Exploit Smart Contract Permissions
The exploitation chain is disturbingly simple, and understanding it is the first step toward defending against it.
Step one: the bait. You encounter a link — through Discord, Twitter, a compromised project website, or a direct message. It promises an exclusive mint, a free airdrop, a reward claim, or a limited-time trading opportunity. The site is professionally designed. It mimics the visual language of legitimate projects.
Step two: the connection. The site asks you to connect your wallet. This part is normal. Every dApp interaction begins with a wallet connection. The critical moment comes next.
Step three: the approval request. Instead of — or in addition to — a simple transaction, the site prompts you to sign a setApprovalForAll function. The transaction details in your wallet interface may be vague or obscured. Some advanced phishing kits even display a misleading message on the wallet popup, making the approval look like a routine minting or claiming action. You sign it.
Step four: the drain. The attacker's contract now has unrestricted transfer authority over your NFT collection. They can execute batch transfers, moving every token to their own address or to a series of laundering wallets. This typically happens within minutes, often automated by a bot monitoring for new approvals.
Step five: the liquidation. Your stolen NFTs are listed on marketplaces at below-floor prices and sold instantly. By the time you realize what happened, the assets are gone, the funds are mixed through privacy protocols, and recovery is practically impossible.
This is not a sophisticated exploit requiring advanced coding skills. Phishing kits that automate the entire process — from site generation to transaction monitoring to asset liquidation — are sold openly on dark web forums. The barrier to entry for attackers is low. The barrier for victims to protect themselves is simply awareness and routine maintenance.
A Step-by-Step Protocol for Auditing Your Wallet
You need to treat your smart contract approvals the same way you treat your home's door locks: check them regularly, and remove any that are unnecessary. Here is exactly how to do it.
1. Open Revoke.cash
Navigate to Revoke.cash and connect the wallet you want to audit. Revoke.cash is the most widely used and trusted tool for this purpose. It reads the blockchain directly and displays every active approval your wallet has granted — for ERC-20 tokens, ERC-721 NFTs, and ERC-1155 NFTs.
2. Review Each Approval by Category
Revoke.cash organizes approvals into clear categories. Focus on three columns of information:
- The approved contract: This is the address or recognized name of the contract you granted permission to. If you do not recognize it, flag it immediately.
- The type of approval:
approvegrants access to a single token.setApprovalForAllgrants access to an entire collection. Prioritize reviewingsetApprovalForAllpermissions first, as these carry the highest risk. - The token collection: Which specific NFT collection or token standard does this approval cover? Cross-reference it with your memory of past transactions.
3. Use Etherscan's Token Approval Checker
For a second opinion or if you want to verify directly on-chain, use Etherscan's Token Approval Checker. Navigate to the tool on Etherscan, paste your wallet address, and it will display the same approval data. This is particularly useful if you want to inspect the smart contract code of an unfamiliar approval before deciding whether to revoke it.
4. Revoke Suspicious or Unnecessary Approvals
When you identify an approval you no longer need or do not recognize, click "Revoke" in Revoke.cash or "Cancel" in Etherscan's interface. This will initiate a blockchain transaction that sets the approval to zero, effectively closing the door.
Critical detail: revoking an approval requires a blockchain transaction. You must pay gas fees for every revocation. On Ethereum mainnet, this typically costs between a few dollars and twenty-plus dollars depending on network congestion. On Layer 2 networks like Arbitrum, Base, or Polygon, the cost is significantly lower — often under a dollar.
| Network | Typical Revocation Gas Cost | Speed |
|---|---|---|
| Ethereum Mainnet | $2–$25 (varies with congestion) | 15–60 seconds |
| Polygon | $0.001–$0.05 | 2–5 seconds |
| Arbitrum | $0.10–$1.00 | Near-instant |
| Base | $0.05–$0.50 | Near-instant |
The gas fee for revoking a malicious approval is the cheapest insurance you will ever buy for your NFT portfolio.
5. Document Your Baseline
After your initial audit, record the contracts you have intentionally approved and the reasons why. This becomes your baseline. On future audits — which you should conduct at least monthly — compare your current approval list against this baseline. Any new approval you do not remember signing is a red flag.
The Reality of Gas Fees and Revocation
There is a persistent friction point that discourages people from revoking approvals: the cost. Paying gas to remove a permission feels like an unnecessary expense, especially if the approval was granted to a well-known marketplace and seems harmless.
Understand this trade-off clearly. The gas fee for a revocation transaction is a fixed, low-cost action. The cost of having your NFT collection drained — which could be worth hundreds, thousands, or tens of thousands of dollars — is catastrophic and irreversible. Revoking approvals does not recover stolen assets. It prevents the theft from happening in the first place. Smart financial security practices extend beyond traditional banking — they apply with even greater urgency in decentralized finance, where there is no fraud department to call and no chargeback mechanism to invoke.
You can minimize revocation costs by conducting audits during periods of low network activity — typically weekends or late nights (UTC). You can also batch your revocation sessions so you handle multiple approvals in a single sitting rather than reacting one at a time.
If you are active on multiple chains, remember that approvals are chain-specific. An approval granted on Ethereum mainnet does not affect your assets on Polygon, and vice versa. You need to audit each chain independently using Revoke.cash, which supports dozens of networks.
Why Your Hardware Wallet Cannot Save You Here
This is the section most people do not want to hear, but it is the one you need to internalize.
A hardware wallet — a Ledger, Trezor, or similar device — provides a critical layer of security: it stores your private key offline and requires physical button confirmation for every transaction. This means that even if malware compromises your computer, an attacker cannot execute a transaction without physically pressing the button on your device.
But here is what a hardware wallet does not do: it does not analyze what you are confirming.
When you press the button on your Ledger to approve a setApprovalForAll transaction, the hardware wallet executes it faithfully. It does not warn you that you are granting blanket access to an entire NFT collection. It does not flag that the contract you are approving is suspicious. It signs and broadcasts the transaction exactly as requested.
This is a fundamental misunderstanding in the community. People believe that a hardware wallet makes them immune to smart contract exploits. It does not. A hardware wallet protects your private key from being extracted by malware. It does not protect you from making poor decisions about which transactions to sign.
The defense against setApprovalForAll phishing is not a hardware device. It is your ability to read the transaction details before you confirm. If your wallet interface shows setApprovalForAll and you were expecting a simple mint or claim, stop. Do not sign. Investigate the contract address. Check community channels for reports. Slow down.
Your Mandatory Security Protocol
Follow this protocol. Do not negotiate with it. Do not tell yourself you will get to it later.
1. Audit your approvals now. Open Revoke.cash, connect every wallet you use, and review every active permission. Do this today.
2. Revoke anything you do not actively use. If you are not currently listing an NFT on a marketplace, there is no reason to maintain setApprovalForAll for that marketplace. Grant access only when you need it, and revoke it when you are done.
3. Read every transaction before signing. Do not skim wallet popups. If the function name is setApprovalForAll and you did not expect it, do not sign. Verify the contract address on Etherscan. Check the project's official channels.
4. Schedule monthly audits. Set a recurring reminder. Treat it like changing smoke detector batteries — unglamorous but non-negotiable.
5. Use a separate wallet for experimentation. If you want to mint from unverified projects or test new dApps, do it from a wallet that holds no significant assets. Keep your primary portfolio isolated.
6. Never trust a link from a DM. No legitimate project will ever send you a mint link through Discord or Twitter direct messages. This is the single most common delivery mechanism for phishing sites that trigger setApprovalForAll exploits.
Your wallet is not a passive storage unit. It is an active interface with the blockchain, and every approval you grant is a live permission that persists indefinitely. Treat those permissions with the same vigilance you would treat the keys to your front door. Check the locks. Remove the ones you do not need. And never hand a key to someone you have not verified.