Token approvals, explained: the permission you forget you gave

BlazePhoenix Engineering · updated 2026-07-18 · 4 min · written from the deployed bytecode

By Mitra — developer of the BlazePhoenix protocol.

Abstract in 15 languages · resumo · resumen · 摘要 · 要旨 · ملخص

EnglishAn approval is standing permission for a contract to move your token — it outlives the trade, so infinite approvals are a live risk you should review and revoke.

PortuguêsUma approval é permissão permanente para um contrato mover o teu token — sobrevive à troca, por isso approvals infinitas são um risco vivo que deves rever e revogar.

EspañolUna approval es permiso permanente para que un contrato mueva tu token — sobrevive a la operación, así que las approvals infinitas son un riesgo vivo que debes revisar y revocar.

FrançaisUne approbation est une permission permanente donnée à un contrat de déplacer votre token — elle survit à l'échange, donc les approbations infinies sont un risque vivant à revoir et révoquer.

DeutschEine Approval ist eine dauerhafte Erlaubnis, dass ein Contract dein Token bewegt — sie überlebt den Handel, daher sind unendliche Approvals ein aktives Risiko zum Prüfen und Widerrufen.

РусскийApproval — постоянное разрешение контракту двигать ваш токен; оно живёт после сделки, поэтому бесконечные разрешения — реальный риск, который стоит проверять и отзывать.

TürkçeApproval, bir sözleşmenin tokeninizi taşıması için kalıcı izindir — işlemden sonra da yaşar, bu yüzden sınırsız onaylar gözden geçirilip iptal edilmesi gereken canlı bir risktir.

العربيةالموافقة إذن دائم لعقد بتحريك عملتك — يبقى بعد الصفقة، لذا الموافقات اللانهائية خطر حيّ يجب مراجعته وإلغاؤه.

हिन्दीअप्रूवल किसी कॉन्ट्रैक्ट को आपका टोकन हिलाने की स्थायी अनुमति है — यह ट्रेड के बाद भी बनी रहती है, इसलिए इनफिनिट अप्रूवल एक जीवित जोखिम है जिसे जाँचें और रद्द करें।

日本語アプルーバルはコントラクトがあなたのトークンを動かす常設の許可で、取引後も残ります。無制限の承認は見直して取り消すべき現実のリスクです。

中文授权是让合约动用你代币的长期许可,它在交易结束后仍然有效——所以无限授权是应当检查并撤销的现实风险。

한국어어프루벌은 컨트랙트가 당신의 토큰을 옮기도록 하는 상시 허가로 거래 후에도 남습니다. 무제한 승인은 검토하고 취소해야 할 실질적 위험입니다.

Bahasa IndonesiaApproval adalah izin permanen bagi kontrak untuk memindahkan token Anda — bertahan setelah transaksi, jadi approval tak terbatas adalah risiko hidup yang perlu ditinjau dan dicabut.

বাংলাঅ্যাপ্রুভাল হলো কোনো কন্ট্রাক্টকে আপনার টোকেন সরানোর স্থায়ী অনুমতি — ট্রেডের পরও থাকে, তাই অসীম অ্যাপ্রুভাল একটি জীবন্ত ঝুঁকি যা যাচাই করে বাতিল করা উচিত।

FilipinoAng approval ay nakatayong pahintulot sa kontrata na igalaw ang token mo — nananatili ito matapos ang trade, kaya ang infinite approvals ay buhay na panganib na dapat suriin at bawiin.

ERC-20 tokens do not let a contract just take them — you have to grant permission first, called an approval or allowance. When you swap a token for the first time, your wallet asks you to sign two things: the approval (permission for the router to move that token) and then the swap itself. That is normal. What is easy to miss is that the approval does not expire when the trade ends — it stays live until you change it.

Many apps request an INFINITE approval by default, so you never have to approve that token again. Convenient, but it means the contract can move all of that token, forever, from your wallet. If that contract is later exploited or was malicious, your standing allowance is the door it walks through — even long after the one trade you cared about.

How to stay safe

Two habits shrink the risk. First, prefer an exact-amount approval when your wallet offers it — approve only what this trade needs, so nothing is left standing afterwards. It costs slightly more gas over time but closes the door behind you. Second, review and revoke: periodically look at what you have approved and cancel allowances you no longer use.

You can revoke from your wallet's token-approval screen or a public revoke tool; revoking is just another approval set back to zero. Treat approvals like keys you handed out — the fewer copies live in the world, the smaller your attack surface. And as always: only approve contracts you reached by typing the real URL, never from a DM or ad.

Do not trust this page — reproduce it

Every claim above is checkable against the chain. Start here:

read your allowance for any token/spender with cast call <token> "allowance(address,address)(uint256)" <you> <spender> — a huge number is an infinite approval still live

Contracts are verified on every chain we deploy to — addresses in the protocol manifest. Deeper formal treatment: the whitepaper (PDF).

Share this article · join the discussion

Related engineering