How to Mitigate Contract Authorization Risks with CoinEx Wallet
DeFi has been regarded as one of the biggest crypto innovations since its birth. According to DefiLlama, the Total Value Locked (TVL) in DeFi peaked at around $180 billion in December 2021, and the figure remains well above $40 billion despite the current crypto bear market. But as DeFi went mainstream, it has also suffered a steady stream of security incidents, and excessive contract authorization (granting a contract a far larger token allowance than a transaction needs) is one of the most frequently cited risks.
In February 2022, users of the NFT marketplace OpenSea received phishing emails, which led to the theft of mainstream NFTs worth over $4 million; this October, the fast swap platform Transit Swap was hacked, resulting in a loss of $28.9 million. Both incidents involved authorizations that users had previously granted to contracts.
Contract authorization is a prerequisite for most DApps. Under the ERC-20 token standard a contract can only move your tokens with transferFrom after you have called approve for it, so without that approval the DApp cannot swap or stake your tokens on your behalf.
Many users believe that an authorization covers only a single transaction, but developers tend to set the default authorized amount to “Unlimited” (the maximum uint256 value) to avoid repeated approvals, saving both gas and time. That default creates a standing risk: if the developer is malicious, or a vulnerability in the contract is exploited, the attacker can call transferFrom and drain users’ tokens without any further consent, for as long as the allowance remains in place.
CoinEx Wallet now lets users customize the spend limit granted to a DApp: when approving a third-party contract, users can cap the authorized amount and thereby cap what could be lost if that contract is compromised.
For instance, to swap USDC for USDT on PancakeSwap, we first need to approve USDC for PancakeSwap’s contract; the authorization window pops up once we click “Enable USDC”.
At this point, if you are using CoinEx Wallet, you will see a clear warning that this authorization allows the contract to transfer USDC out of your wallet, and you will be advised to verify that the site is trustworthy, to avoid asset theft through a malicious contract.
On the Request Permissions page, the spend limit defaults to “Unlimited USDC”. The authorized amount should be kept as small as possible: click Spend Limit and change the figure to the exact amount this transaction requires. The trade-off is that a later swap for a larger amount will need a fresh approval and another transaction’s worth of gas; that is a small price for not leaving an open-ended allowance on the contract.
Apart from setting a small spend limit, we also advise users to review and revoke their authorizations regularly. Revoking an authorization simply means setting the allowance back to zero. The block explorers below provide approval checkers for this: connect your wallet, list the allowances you have granted (spender contract and spend limit), and revoke the ones you no longer need. Note that some tokens, notably USDT on Ethereum, reject a change from one non-zero allowance directly to another, so to lower such an allowance you must first set it to zero.
Revoke authorization on ETH: https://etherscan.io/tokenapprovalchecker
Revoke authorization on BSC: https://bscscan.com/tokenapprovalchecker
Revoke authorization on Polygon: https://polygonscan.com/tokenapprovalchecker
Revoke authorization on AVAX: https://snowtrace.io/tokenapprovalchecker
Revoke authorization on HECO: https://www.hecoinfo.com/en-us/tokenapprovalchecker
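As an added example (not CoinEx Wallet’s, PancakeSwap’s or any explorer’s own code), the Python below shows what the “Unlimited” spend limit and an exact spend limit from the PancakeSwap walkthrough look like at the calldata level, decodes an approve() call so you can check the transaction data a wallet prompt shows you by hand, and builds the zero-amount approval that the explorer revoke buttons above send. The spender address and amounts are constructed placeholders; the selector 0x095ea7b3 is the standard ERC-20 approve(address,uint256) selector.

```python
"""Build and inspect ERC-20 approve() calldata.

Added example; not code from CoinEx Wallet or any DApp. Addresses and
amounts are constructed placeholders.
"""
from dataclasses import dataclass

# First 4 bytes of keccak256("approve(address,uint256)").
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
MAX_UINT256 = 2**256 - 1  # what most DApps send for "Unlimited"


@dataclass(frozen=True)
class Approval:
    spender: str  # 0x-prefixed, lowercase
    amount: int   # raw token units, before applying decimals()


def _address_to_bytes(address: str) -> bytes:
    hexpart = address.lower().removeprefix("0x")
    if len(hexpart) != 40:
        raise ValueError(f"not a 20-byte address: {address}")
    return bytes.fromhex(hexpart)


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount) as 0x-prefixed hex calldata."""
    if not 0 <= amount <= MAX_UINT256:
        raise ValueError("amount must fit in uint256")
    body = APPROVE_SELECTOR
    body += _address_to_bytes(spender).rjust(32, b"\x00")  # address word is left-padded
    body += amount.to_bytes(32, "big")
    return "0x" + body.hex()


def encode_revoke(spender: str) -> str:
    """Revocation is an approval of 0; this is what an explorer's revoke button sends."""
    return encode_approve(spender, 0)


def decode_approve(calldata: str) -> Approval:
    """Parse approve() calldata; raise if the prompt is for some other function."""
    raw = bytes.fromhex(calldata.removeprefix("0x"))
    if len(raw) != 4 + 32 + 32:
        raise ValueError(f"unexpected calldata length {len(raw)}")
    if raw[:4] != APPROVE_SELECTOR:
        raise ValueError(f"not an approve() call, selector {raw[:4].hex()}")
    spender = "0x" + raw[16:36].hex()          # last 20 bytes of the first word
    amount = int.from_bytes(raw[36:68], "big")
    return Approval(spender, amount)


def describe_allowance(amount: int, decimals: int, symbol: str) -> str:
    """Human-readable allowance. Pass the token's real decimals(): USDC has 6
    on Ethereum but the Binance-Peg USDC on BSC has 18, so never assume."""
    if amount == MAX_UINT256:
        return f"UNLIMITED {symbol}"
    if amount == 0:
        return f"revoked (0 {symbol})"
    if decimals == 0:
        return f"{amount} {symbol}"
    whole, frac = divmod(amount, 10**decimals)
    return f"{whole}.{frac:0{decimals}d} {symbol}"


def review_prompt(calldata: str, needed: int, decimals: int, symbol: str) -> str:
    """Compare what an authorization prompt asks for with what the swap needs."""
    a = decode_approve(calldata)
    shown = describe_allowance(a.amount, decimals, symbol)
    wanted = describe_allowance(needed, decimals, symbol)
    if a.amount == MAX_UINT256:
        return f"WARN unlimited allowance to {a.spender}; lower it to {wanted}"
    if a.amount > needed:
        return f"WARN allowance {shown} exceeds the {wanted} this transaction needs"
    return f"OK allowance {shown} to {a.spender}"


if __name__ == "__main__":
    SPENDER = "0x" + "42" * 20          # constructed placeholder for a DApp contract
    needed = 100 * 10**6                # 100 USDC at 6 decimals
    unlimited = encode_approve(SPENDER, MAX_UINT256)   # the default "Unlimited" prompt
    exact = encode_approve(SPENDER, needed)            # after editing Spend Limit
    for name, data in [("unlimited", unlimited), ("exact", exact), ("revoke", encode_revoke(SPENDER))]:
        print(f"{name:9} {data[:10]}... -> {review_prompt(data, needed, 6, 'USDC')}")
```

Paste the hex data from the wallet’s transaction details into decode_approve to see exactly which contract is being authorized and for how much; a calldata whose last 32 bytes are all ff is the “Unlimited” case, whatever label the prompt shows.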
When using crypto wallets and exchanges, asset security is the number-one concern. Going forward, CoinEx Wallet will continue to strengthen its security, add further layers of protection, and help users manage their crypto assets securely.