Be Careful with Your DApp Authorizations!
When using crypto products such as wallets and exchanges, protecting the security of your assets is the No. 1 priority. In “CoinEx Wallet Security Tips”, we will share some basic crypto know-how such as common scams, how to use crypto products safely, and blockchain security mechanisms from multiple perspectives to help you fully understand asset security and adopt enhanced protection measures.
As DeFi and NFTs advance and become more widely adopted, they have injected new vitality into the crypto market. Apart from trading cryptos directly, users can also try out decentralized applications (DApps) that focus on lending, synthetic assets, and gaming. These DApps often involve contract interaction, which exposes DApp users to new potential risks, such as authorization risks.
Excessive authorization
When using crypto wallets to interact with a DApp, users first have to give authorizations to the DApp.
Suppose User A plans to deposit USDT on AAVE for financial services. He would first have to give USDT authorization to a lending contract deployed on AAVE, allowing it to transfer USDT and execute the corresponding operations.
This authorization process somewhat resembles authorizing your power supplier to deduct the electricity bill from your bank account every month. Once User A has granted the AAVE smart contract the relevant authorization, the contract can transfer USDT from User A’s account.
To avoid repeated authorizations, most DApp developers set the default authorization to the maximum amount of crypto that the corresponding smart contract can transfer, which makes it easier to execute subsequent operations. This setting also avoids the trouble of having to give authorization each time the DApp is used, as well as the gas fee required by each authorization, making it an effective way to improve the user experience of DeFi. However, such operations also come with obvious risks. If there is a loophole in the smart contract or a malicious contract administrator, users’ cryptos might be stolen. This is the problem of excessive authorization.
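The authorization described above is an ERC-20 approve(spender, amount) call, and the "maximum amount" is the largest 256-bit value. The following added example (not code from the original article or from any wallet) decodes approve() calldata and classifies the requested amount; the spender address and the 100 USDT figure with 6 decimals are constructed assumptions.

```javascript
// Added example (not from the original article): decode ERC-20 approve() calldata.
const APPROVE_SELECTOR = "095ea7b3";      // approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;    // value used for an "unlimited" authorization

function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  // 4-byte selector + two 32-byte ABI words = 136 hex characters
  if (!/^[0-9a-f]{136}$/.test(hex)) throw new Error("malformed approve() calldata");
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) throw new Error("not an approve() call");
  const spenderWord = hex.slice(8, 72);
  // An ABI-encoded address is left-padded with 12 zero bytes
  if (!spenderWord.startsWith("0".repeat(24))) throw new Error("bad address padding");
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + hex.slice(72)),
  };
}

// neededAmount: what this one interaction requires, in the token's smallest unit
function assessApproval(calldata, neededAmount) {
  const { spender, amount } = decodeApprove(calldata);
  let verdict = "bounded";
  if (amount === 0n) verdict = "revoke";
  else if (amount === MAX_UINT256) verdict = "unlimited";
  else if (amount > neededAmount) verdict = "excessive";
  return { spender, amount, verdict };
}

// Constructed sample calldata; the spender address is a placeholder
const SAMPLE_SPENDER = "0x" + "11".repeat(20);
function buildApprove(amount) {
  return "0x" + APPROVE_SELECTOR + "0".repeat(24) + SAMPLE_SPENDER.slice(2) +
    amount.toString(16).padStart(64, "0");
}

const NEEDED = 100_000_000n; // 100 USDT, assuming 6 decimals
for (const amt of [MAX_UINT256, 500_000_000n, NEEDED, 0n]) {
  console.log(assessApproval(buildApprove(amt), NEEDED).verdict);
}
```

A verdict of "unlimited" or "excessive" means the contract could move more than the deposit being made, which is the exposure this section describes.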
Common authorization risks
1. ERC20 authorization risks due to unexpected errors
Loopholes are inevitable in the development of DApps. For example, the well-known project Bancor once had program vulnerabilities that put users’ assets at risk.
In the relevant Bancor contract, ERC20transferFrom() was accidentally defined as public instead of private, which allowed anyone to execute the function and steal everything from the user’s wallet.
2. Attacks targeting ERC20 authorization
Apart from authorization risks arising from developer errors, there is also the risk that malicious players may exploit our DApp authorizations. For example, some DeFi applications trick people into giving authorization using airdrop tokens as the bait. They say that you must deposit a certain amount of crypto to claim airdrop tokens, but once you decide to make a deposit, the scammers ask for unlimited authorization.
For example, there was a DApp that encouraged users to deposit UNI in exchange for its native tokens. To claim the airdrop tokens, many users did not check the specific scope of the authorization and gave unlimited authorization without even noticing, which put their in-wallet assets at great risk. As a result, the scammers took not only the UNI tokens that users had deposited in the DApp but also the UNI held in their wallets.
How to guard against authorization risks
1. Use separate accounts
All projects, no matter how reliable they are, are subject to the possibility of attacks. Therefore, when interacting with DApps, we should try to use separate accounts. For instance, we could create a new address and transfer only the assets required for the contract interaction to that address before interacting with the DApp. In this way, even if the new address were compromised through an authorization, the cryptos in other accounts would stay intact.
2. Avoid excessive DApp authorization & cancel authorizations regularly
When interacting with a DApp for the first time, users will be asked to give authorization, which allows them to easily interact with the relevant contract later on. However, doing so also involves certain security risks. For instance, if the DApp is attacked, or if there is a malicious administrator, users would suffer losses. As such, we need to regularly cancel DApp authorizations that are not frequently used, or set a maximum transfer amount.
Additionally, we can also adopt an authorization manager to check the list of authorized contracts from time to time and cancel authorizations given to suspicious projects to eliminate potential security risks.
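The periodic review described above can be sketched as replaying a token's ERC-20 Approval event logs and keeping the latest value per contract. This is an added example, not code from the original article or from any particular authorization manager; every address and log entry in it is constructed sample data.

```javascript
// Added example (not from the original article): a minimal authorization-manager view.
// topic0 of the ERC-20 event Approval(address,address,uint256)
const APPROVAL_TOPIC =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const UNLIMITED = (1n << 256n) - 1n;

const toTopic = (addr) => "0x" + "0".repeat(24) + addr.slice(2).toLowerCase();
const fromTopic = (topic) => "0x" + topic.slice(-40).toLowerCase();

// Keep the most recent Approval per (token, spender) for one owner
function outstandingApprovals(logs, owner) {
  const latest = new Map();
  const ordered = [...logs].sort(
    (a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex);
  for (const log of ordered) {
    // ERC-721 shares topic0 but indexes tokenId too (4 topics); skip those
    if (log.topics.length !== 3 || log.topics[0] !== APPROVAL_TOPIC) continue;
    if (fromTopic(log.topics[1]) !== owner.toLowerCase()) continue;
    const token = log.address.toLowerCase();
    const spender = fromTopic(log.topics[2]);
    latest.set(token + ":" + spender, { token, spender, amount: BigInt(log.data) });
  }
  return [...latest.values()]
    .filter((a) => a.amount > 0n)                       // 0 means revoked
    .map((a) => ({ ...a, unlimited: a.amount === UNLIMITED }));
}

// Constructed sample data: every address below is a placeholder
const OWNER = "0x" + "a1".repeat(20), OTHER = "0x" + "b2".repeat(20);
const TOKEN = "0x" + "c3".repeat(20), NFT = "0x" + "c4".repeat(20);
const LENDER = "0x" + "d5".repeat(20), AIRDROP = "0x" + "e6".repeat(20);
const word = (n) => "0x" + n.toString(16).padStart(64, "0");
const log = (blockNumber, address, owner, spender, amount, extra = []) => ({
  blockNumber, logIndex: 0, address, data: extra.length ? "0x" : word(amount),
  topics: [APPROVAL_TOPIC, toTopic(owner), toTopic(spender), ...extra],
});
const SAMPLE_LOGS = [
  log(10, TOKEN, OWNER, AIRDROP, UNLIMITED),     // unlimited, never revoked
  log(11, TOKEN, OWNER, LENDER, 100_000_000n),   // bounded ...
  log(12, TOKEN, OWNER, LENDER, 0n),             // ... later revoked
  log(12, TOKEN, OTHER, AIRDROP, UNLIMITED),     // another owner
  log(13, NFT, OWNER, LENDER, 0n, [word(7n)]),   // ERC-721 style, 4 topics
];
console.log(outstandingApprovals(SAMPLE_LOGS, OWNER));
```

Event replay shows the last approved value, not what remains after spending, so the token's allowance(owner, spender) call is the authoritative figure. Cancelling an entry means sending approve(spender, 0) to the token contract.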
3. Avoid using unaudited DApps
Generally speaking, project teams will submit the project code to a professional security company for audits. To minimize the risk of coding loopholes, such audits often involve multiple companies. Although audited contract code and DApps are not 100% safe, they are at least safer than unaudited ones.
Users should avoid using DApps whose code has not been audited by security companies, especially those that promise high APY. Do not put assets at high risk for small profits.
4. Choose a secure crypto wallet
When we use a crypto wallet to interact with DApps, the wallet acts as the first security barrier. While interacting with a DApp, the wallet will remind us of the authorization risks. Therefore, when interacting with DApps, we should choose a secure crypto wallet like CoinEx Wallet.
To sum up, when using a crypto wallet, we must develop good habits, such as canceling unnecessary authorizations on a regular basis. In addition, we should also stay away from risky or suspicious DApps to keep our assets safe and secure.