Infinite Approval

Infinite approval (also called unlimited approval) is when a DeFi user grants a smart contract permission to spend an unlimited amount of a given token from their wallet, normally by approving the maximum uint256 value (2^256 - 1, in effect “approve everything forever”), rather than approving only the amount needed for the current transaction. The practice became ubiquitous because dapp front-ends request the maximum amount by default, wallets such as MetaMask presented that request as-is, and users did not want to pay for a separate approval transaction before every swap. The convenience has a real cost: a wallet that has granted an infinite approval is exposed up to its entire balance of that token if the approved contract is exploited, its admin key is compromised, or it is later upgraded to malicious code. A large share of DeFi theft traces back to infinite approvals on contracts that users had forgotten they approved years earlier.


How Token Approvals Work

ERC-20 tokens implement an allowance system: before a smart contract can spend your tokens, you must explicitly approve() it to do so. The approval specifies:

  1. The spender — which smart contract address is allowed to move your tokens
  2. The amount — how many tokens that contract can take

When the contract executes (e.g., a swap), it calls transferFrom(owner, recipient, amount) on the token contract, which only honours the call if amount ≤ your current allowance for that spender and, on success, reduces the allowance by amount.

Exact vs. Infinite Approval

```solidity
// Exact approval: approve only what this transaction needs
// (USDC has 6 decimals, so 1000 USDC is 1000 * 10**6 raw units)
approve(uniswapRouter, 1000 * 10**6);

// Infinite approval: approve the maximum possible uint256
// (2^256 - 1, about 1.16e77 raw units, far more than will ever exist)
approve(uniswapRouter, type(uint256).max);
```

Both are valid ERC-20 operations. The difference is that after the exact approval is consumed by the swap, you would need to approve again next time. With infinite approval the allowance never runs out: most token implementations (OpenZeppelin's ERC20 included) do not even decrement an allowance that equals the maximum, so the contract can take your tokens at any time until you set the allowance back to 0.
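The following Python model is an added example, not code from the original page or from any token contract. It reproduces the allowance semantics described above as common ERC-20 implementations (OpenZeppelin's among them) behave: transferFrom may pull at most the current allowance, a finite allowance is decremented on use, an allowance equal to MAX_UINT256 is treated as unlimited and never decremented, and revocation is simply approve(spender, 0). Account names such as ALICE and ROUTER are placeholders.

```python
"""Model of ERC-20 allowance semantics: exact vs. infinite approval.

Added example, not code from the page or from any token contract. Mirrors
common ERC-20 behaviour: transferFrom may pull at most `allowance`, a finite
allowance is decremented on use, MAX_UINT256 is an unlimited sentinel that is
never decremented. Account names are placeholders.
"""

MAX_UINT256 = 2**256 - 1
USDC_DECIMALS = 6

ALICE = "0xAlice"        # token holder
ROUTER = "0xRouter"      # the spender, e.g. a DEX router
POOL = "0xPool"
ATTACKER = "0xAttacker"


class InsufficientAllowance(Exception):
    pass


class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        # approve() overwrites the allowance; it does not add to it
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance(owner, spender)
        if amount > allowed:
            raise InsufficientAllowance(f"{spender} may pull {allowed}, asked {amount}")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        if allowed != MAX_UINT256:      # the unlimited sentinel is never decremented
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def usdc(n):
    return n * 10**USDC_DECIMALS


def try_pull(token, spender, owner, to, amount):
    """True if the spender pulled `amount`, False if the allowance blocked it."""
    try:
        token.transfer_from(spender, owner, to, amount)
        return True
    except InsufficientAllowance:
        return False


def exact_approval_scenario():
    token = Token({ALICE: usdc(5000)})
    token.approve(ALICE, ROUTER, usdc(1000))
    token.transfer_from(ROUTER, ALICE, POOL, usdc(1000))   # the swap consumes it
    # the router is later compromised: it cannot pull even one raw unit
    pulled = try_pull(token, ROUTER, ALICE, ATTACKER, 1)
    return token.allowance(ALICE, ROUTER), token.balances[ALICE], pulled


def infinite_approval_scenario():
    token = Token({ALICE: usdc(5000)})
    token.approve(ALICE, ROUTER, MAX_UINT256)
    token.transfer_from(ROUTER, ALICE, POOL, usdc(1000))   # the swap
    # months later the router is compromised: the allowance is untouched and
    # everything Alice still holds in this token can be swept
    pulled = try_pull(token, ROUTER, ALICE, ATTACKER, token.balances[ALICE])
    return token.allowance(ALICE, ROUTER), token.balances[ALICE], pulled


def revoke_scenario():
    token = Token({ALICE: usdc(5000)})
    token.approve(ALICE, ROUTER, MAX_UINT256)
    token.approve(ALICE, ROUTER, 0)   # revocation is just approve(spender, 0)
    return try_pull(token, ROUTER, ALICE, ATTACKER, 1)


if __name__ == "__main__":
    print("exact   :", exact_approval_scenario())
    print("infinite:", infinite_approval_scenario())
    print("revoked, pull succeeded?", revoke_scenario())
```

The exact scenario ends with a zero allowance and the 4000 USDC that were not swapped still safe; the infinite scenario ends with the allowance still at the maximum and the balance at zero.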


Why Infinite Approvals Are Common

User experience: Approving a specific amount means two transactions for every DeFi interaction:

  1. Approve N tokens → gas
  2. Execute the swap/deposit → gas

With infinite approval, subsequent transactions skip step 1, saving gas and reducing friction. For a user doing 20 swaps per month on the same DEX, this might save $50–200 in gas costs on Ethereum mainnet.

Wallet defaults: dapp front-ends typically request the maximum amount, and MetaMask and many other wallets historically presented that request as an “unlimited” approval by default. Most users click through without editing the amount.

Protocol design: many DeFi protocols assume they hold an unlimited allowance, and some front-ends offer no way to request a smaller amount.


The Security Risk

Every infinite approval is a standing permission that persists until you change it. If any of the following happens, the spender contract (or whoever controls it) can drain your entire balance of that token:

| Risk | Description | Example |
|---|---|---|
| Contract exploit | The approved contract has a bug that lets an attacker make it call transferFrom on users' behalf | Router exploits that swept approved balances |
| Upgradeable proxy attack | The contract sits behind an upgradeable proxy; the admin replaces the implementation with malicious code | Proxies upgradeable without a timelock |
| Admin key compromise | The contract's admin is a multisig or EOA; the key is stolen and the contract is turned malicious | Rug pulls and hacks |
| Malicious approval phishing | A malicious dapp tricks the user into signing an approval to an attacker's contract disguised as a legitimate one | NFT phishing via setApprovalForAll |
| Old, abandoned contracts | A contract approved years ago has a newly discovered vulnerability | Approvals to deprecated contract versions |

Notable Incidents

  • Router exploits — DeFi routers holding infinite approvals from thousands of wallets; a bug in the router let attackers pull funds from every wallet that had approved it
  • Phishing waves (2022–2024) — fake NFT mint sites tricked users into signing setApprovalForAll for the attacker's address; for ERC-721 that grant always covers every token in the collection, so the attacker could sweep NFTs from the wallet at any later time

How to Protect Yourself

1. Use Exact Approvals

When the wallet prompt shows an unlimited amount, edit it down to what this transaction needs. Caveat: USDT (and a few tokens that copied it) refuses to change a non-zero allowance directly to another non-zero value, so on those tokens you lower an allowance by setting it to 0 first.

2. Revoke Unused Approvals

  • Revoke.cash — most popular; shows all approvals per chain; one-click revoke
  • Etherscan Token Approval Checker — official Etherscan tool; works for Ethereum mainnet
  • DeBank — shows approvals alongside portfolio; multi-chain

Best practice: After finishing with a protocol (e.g., done using a DEX for a few months), revoke its approval. Treat approvals like granting someone a key to your house — revoke when you no longer need them there.
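The following is an added example of what a revocation tool does under the hood; it is not code from the page, from Revoke.cash or from Etherscan. It replays ERC-20 Approval(owner, spender, value) event logs in block order (the same data those tools read), keeps the latest allowance per (token, spender), flags the ones that are effectively unlimited, and builds the approve(spender, 0) calldata that revokes each. The log entries are constructed sample data in the shape of eth_getLogs output; the event topic and function selector are the real ones, while the addresses and the UNLIMITED_FLOOR threshold are assumptions made for the example.

```python
"""Offline audit of token allowances from ERC-20 Approval event logs.

Added example; not the page's code nor any tool's. Replays Approval logs in
block order, keeps the latest allowance per (token, spender), flags unlimited
ones and builds approve(spender, 0) calldata. Sample logs are constructed;
the topic and selector are the real ones; UNLIMITED_FLOOR is a heuristic.
"""

MAX_UINT256 = 2**256 - 1
# keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# first four bytes of keccak256("approve(address,uint256)")
APPROVE_SELECTOR = "0x095ea7b3"
# heuristic: dapps also request 2**96-1, 2**128, 2**255 ...; treat all as unlimited
UNLIMITED_FLOOR = 2**128


def addr(n):
    """Constructed placeholder address (not a real deployment)."""
    return "0x" + f"{n:040x}"


def topic_for(address):
    """Indexed address arguments are left-padded to a 32-byte topic."""
    return "0x" + address[2:].lower().rjust(64, "0")


def word(value):
    return "0x" + f"{value:064x}"


def topic_to_address(topic):
    return "0x" + topic[-40:].lower()


def decode_approval(log):
    """Return (token, owner, spender, value), or None if not an ERC-20 Approval."""
    topics = log["topics"]
    # ERC-721 Approval(owner, approved, tokenId) shares topic0 but has a 4th
    # indexed topic; skip it rather than misread a token id as an allowance
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return (log["address"].lower(), topic_to_address(topics[1]),
            topic_to_address(topics[2]), int(log["data"], 16))


def current_allowances(logs, owner):
    """Latest non-zero allowance per (token, spender) granted by `owner`."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        decoded = decode_approval(log)
        if decoded is None or decoded[1] != owner.lower():
            continue
        token, _, spender, value = decoded
        latest[(token, spender)] = value       # approve() overwrites, so last wins
    return {k: v for k, v in latest.items() if v > 0}


def revoke_calldata(spender):
    """ABI-encoded approve(spender, 0): selector + padded address + zero value."""
    return APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


def audit(logs, owner):
    """(token, spender, value, revoke calldata) for each effectively unlimited allowance."""
    return [(token, spender, value, revoke_calldata(spender))
            for (token, spender), value in sorted(current_allowances(logs, owner).items())
            if value >= UNLIMITED_FLOOR]


# constructed sample data
USDC_T, WETH_T, NFT_T = addr(0x1), addr(0x2), addr(0x3)
ALICE, ROUTER, OLD_LENDING, PHISH = addr(0xa11ce), addr(0xde5), addr(0x01d), addr(0xbad)


def approval_log(token, owner, spender, value, block, index):
    return {"address": token, "topics": [APPROVAL_TOPIC, topic_for(owner), topic_for(spender)],
            "data": word(value), "blockNumber": block, "logIndex": index}


SAMPLE_LOGS = [
    approval_log(USDC_T, ALICE, ROUTER, MAX_UINT256, 100, 0),       # unlimited to router
    approval_log(USDC_T, ALICE, OLD_LENDING, MAX_UINT256, 150, 2),  # forgotten protocol
    approval_log(USDC_T, ALICE, ROUTER, 0, 200, 1),                 # revoked later
    approval_log(WETH_T, ALICE, ROUTER, 10**18, 300, 0),            # exact 1 WETH
    approval_log(WETH_T, ALICE, PHISH, 2**255, 310, 5),             # phishing site's grant
    # ERC-721 Approval for one token id: same topic0, four topics, empty data
    {"address": NFT_T, "topics": [APPROVAL_TOPIC, topic_for(ALICE), topic_for(PHISH), word(42)],
     "data": "0x", "blockNumber": 320, "logIndex": 0},
]

if __name__ == "__main__":
    for token, spender, value, calldata in audit(SAMPLE_LOGS, ALICE):
        print(f"token {token} spender {spender} value {value}\n  revoke: {calldata}")
```

On the sample data the audit flags the forgotten lending contract and the phishing address but not the router (its USDC allowance was later reset to 0, and its WETH allowance is an exact 1 WETH). Sending the revoke calldata to the token contract from the owner's account is exactly what the one-click revoke in the tools above does.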

3. Use Permit2 (Uniswap)

Permit2 is a shared contract that you approve once per token; individual protocols then receive allowances through signed messages that carry an amount and an expiration, so a forgotten grant lapses on its own. Caveat: the ERC-20 approval you give to Permit2 itself is usually unlimited, so this model concentrates trust in the Permit2 contract rather than removing it.

4. Hardware Wallets for Large Holdings

Keep large balances in a separate wallet whose key lives on a hardware device and that never interacts with dapps. A hardware wallet protects the key, not against an approval you sign on it, so the point is to keep that wallet out of day-to-day DeFi use and move only what you need to a hot wallet.


Comparison: Approval Models

| Model | Security | UX Convenience | Gas Efficiency |
|---|---|---|---|
| Exact approval per transaction | Highest | Lowest (extra tx every time) | Least efficient |
| Infinite approval | Lowest | Highest (one-time per protocol) | Most efficient |
| Permit2 (signed, expiring) | High | Good | Efficient |
| ERC-20 Permit (EIP-2612) | High | Good (gasless approval) | Most efficient |

EIP-2612 Permit is the cleanest long-term option: the approval is an off-chain signed message (no separate approval transaction) for an exact amount with a deadline, which the spending contract submits together with the action itself. USDC and stETH implement it, and DAI has an earlier, non-standard permit variant; it requires both the token and the protocol to support it. A permit is still an allowance, though: signing one for the maximum value, or signing one on a phishing site, grants exactly what an infinite approval does.


See Also