Infinite Approval in Crypto: A Double-Edged Sword
Infinite Approval is a smart contract programming practice that allows a platform's contract to spend any amount of your tokens, not just the amount needed for the transaction at hand.
What is Infinite Approval?
Unlimited approval is the most common smart contract programming practice that can be considered problematic. In practice, the approach is convenient for users but far from unproblematic. With this practice, the smart contract asks for access to an unlimited number of tokens from the user's wallet, rather than just the number required for the transaction.
An example of a smart contract programmed in this way is the Bancor exchange contract. When a user first used the system, they had to give the smart contract permission to withdraw an unlimited number of tokens from their wallet.
Bancor's smart contracts contained a vulnerability that allowed a hacker to steal all of the tokens that users had given the contract permission to manage. Bancor's programmers spotted the vulnerability before attackers managed to steal the tokens, and they modified the system to request permission only for the required number of tokens. To stay ahead of a hack, the developers pre-empted the "theft" of users' funds themselves, with the intention of returning them later.
After the discussions around Bancor, it became clear that unrestricted approval is a very popular practice among DeFi app programmers. According to research by the cryptocurrency wallet firm ZenGo, the popular decentralised apps Compound, Uniswap, bZx, Aave, Kyber and dYdX all use unlimited or very large approvals.
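The difference between the two approval styles is easiest to see in a small model of ERC-20 allowance semantics. The following is an added example written for this article, not code from Bancor, ZenGo or any of the projects named above; the token, the holder "alice" and the spenders "exchange_a" and "exchange_b" are constructed names, and the unlimited allowance is modelled as the maximum uint256 value that wallets and dapps commonly use for "infinite" approval. It compares the exposure left behind after an identical 100-token trade under each approval style and includes a simple allowance audit of the kind a wallet or revocation tool performs.

```python
# Added example (not from the original article): a minimal model of ERC-20
# allowance semantics, used to compare the exposure created by an unlimited
# approval with that of an exact-amount approval, plus a simple audit check.
# Token, holder and spender names are constructed for illustration.

MAX_UINT256 = 2**256 - 1  # the value commonly used for "infinite" approval


class Token:
    """Toy ERC-20: balances, allowances, approve() and transferFrom()."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        # approve() overwrites the previous allowance; approving 0 revokes it.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        # Both checks mirror what a real ERC-20 enforces.
        if self.allowance(owner, spender) < amount:
            raise ValueError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        # Following the common implementation pattern, an unlimited allowance
        # is never decremented, so it stays unlimited after every trade.
        if self.allowances[(owner, spender)] != MAX_UINT256:
            self.allowances[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposure(token, owner, spender):
    """Worst case a compromised spender contract could pull right now:
    the smaller of the owner's balance and the remaining allowance."""
    return min(token.balances.get(owner, 0), token.allowance(owner, spender))


def audit_allowances(token, owner):
    """Flag allowances that are unlimited or larger than the owner's balance."""
    findings = []
    for (o, spender), amt in token.allowances.items():
        if o != owner or amt == 0:
            continue
        if amt == MAX_UINT256:
            findings.append((spender, "unlimited"))
        elif amt > token.balances.get(owner, 0):
            findings.append((spender, "exceeds balance"))
    return findings


def compare_exposure(balance=1_000, needed=100):
    """Same trade, two approval styles; returns the exposure each leaves behind."""
    t = Token({"alice": balance})
    t.approve("alice", "exchange_a", MAX_UINT256)  # infinite approval
    t.approve("alice", "exchange_b", needed)       # exact-amount approval
    # Both exchanges complete the intended trade of `needed` tokens.
    t.transfer_from("exchange_a", "alice", "exchange_a", needed)
    t.transfer_from("exchange_b", "alice", "exchange_b", needed)
    return {
        "after_trade_a": exposure(t, "alice", "exchange_a"),  # 800: all that is left
        "after_trade_b": exposure(t, "alice", "exchange_b"),  # 0: allowance used up
        "findings": audit_allowances(t, "alice"),
    }


if __name__ == "__main__":
    print(compare_exposure())
```

After the trade, the exact-amount approval leaves nothing for the exchange contract to spend, while the unlimited approval still covers every token the holder has left, and keeps doing so as the balance grows. The audit function shows the check a holder can run themselves: any unlimited allowance to a contract they no longer use can be reduced to the needed amount or revoked by approving 0.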
A liquidity provider can, for example, supply a liquidity pool with $5,000 of Ether and $5,000 of DAI, a decentralised stablecoin pegged to the US dollar, to enable trading between the two. With each ETH/DAI trade, the liquidity provider is then compensated for topping up the pool.
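How that compensation arises can be shown with a constant-product pool model. The following is an added example, not code from the original article or from any exchange it names; it assumes a 0.3% swap fee (the rate commonly used by Uniswap-style pools), an assumed ETH price of $200 so that $5,000 of Ether is 25 ETH, and a trader who swaps 1,000 DAI into ETH and then swaps that ETH back. The fee is left inside the pool, which is how the liquidity provider's share grows with every trade.

```python
# Added example (not from the original article): a constant-product pool
# (x * y = k) with a swap fee retained in the reserves, seeded as in the text
# with $5,000 of ETH and $5,000 of DAI. Price and fee rate are assumptions.

FEE_BPS = 30  # 0.3% swap fee, an assumed rate for this model


class Pool:
    """Two-asset pool whose reserves obey eth * dai = k between trades."""

    def __init__(self, eth, dai):
        self.eth = float(eth)
        self.dai = float(dai)

    def k(self):
        return self.eth * self.dai

    def swap(self, token_in, amount_in):
        """Swap `amount_in` of token_in ("eth" or "dai") for the other asset.
        Returns (amount_out, fee). The fee stays in the pool."""
        token_out = "dai" if token_in == "eth" else "eth"
        reserve_in = getattr(self, token_in)
        reserve_out = getattr(self, token_out)
        fee = amount_in * FEE_BPS / 10_000
        effective_in = amount_in - fee
        # Constant product on the fee-free part of the input decides the output.
        amount_out = reserve_out * effective_in / (reserve_in + effective_in)
        setattr(self, token_in, reserve_in + amount_in)   # full input, fee included
        setattr(self, token_out, reserve_out - amount_out)
        return amount_out, fee


def simulate_round_trip(eth_price=200.0, dai_in=1_000.0):
    """A trader buys ETH with DAI and sells the same ETH back; returns the
    pool state so the liquidity provider's gain can be read off the reserves."""
    pool = Pool(eth=5_000 / eth_price, dai=5_000)  # $5,000 of each side
    k_before = pool.k()
    eth_out, fee_dai = pool.swap("dai", dai_in)
    dai_back, fee_eth = pool.swap("eth", eth_out)
    return {
        "k_before": k_before,
        "k_after": pool.k(),          # grows only because fees stay in the pool
        "eth_reserve": pool.eth,      # back to the seeded 25 ETH
        "dai_reserve": pool.dai,      # above the seeded 5,000 DAI
        "trader_dai_back": dai_back,  # less than the 1,000 DAI put in
        "fee_dai": fee_dai,
        "fee_eth": fee_eth,
    }


if __name__ == "__main__":
    print(simulate_round_trip())
```

After the round trip the ETH reserve is back where it started while the DAI reserve is above 5,000: the difference is the fee income that accrues to the liquidity provider, and the product k has risen accordingly. The trader's shortfall comes from the fee plus the price impact of trading against a small pool, so in a real pool the provider's return also depends on how prices move between deposit and withdrawal.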