SafuScan


What Is a Token Approval Scam? How Wallet Drainers Work

Updated 2026-06-04 · 6 min read

Most people picture crypto theft as a stolen seed phrase. But a huge share of wallet losses happen a different way: you sign a transaction that hands a scammer permission to move your tokens, and they empty your wallet later — no password and no seed phrase required. These are token approval scams, and they're the engine behind most 'wallet drainers'. Here's exactly how they work and how to protect yourself.

What a token approval actually is

To trade an ERC-20 token on a decentralized exchange, you first grant the exchange's contract permission — an 'approval' — to move that token on your behalf. This is normal and necessary: Uniswap, 1inch and every other DEX need it to execute your swap, and the approval is a separate transaction from the swap itself.

The catch is in the amount. Many apps request an unlimited approval (an effectively infinite allowance) so you never have to approve that token again. Convenient — but it means the approved contract can move your entire balance of that token, at any time in the future, until you revoke it.

How the scam works

A malicious site — a fake airdrop, a counterfeit mint page, a 'claim your reward' link, or a pixel-perfect clone of a real dApp — asks you to connect your wallet and 'approve' or 'enable' a token. The button looks routine. What you're actually signing is an unlimited approval to an attacker-controlled contract.

Nothing is stolen at that moment, which is what makes it so effective: your balance looks untouched, so you move on. Later, the attacker's contract calls the token's transferFrom function and drains the approved balance whenever it suits them. The same trick works with NFT approvals (setApprovalForAll), which can sign away an entire collection in one click.
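To make the timeline concrete, here is a small model of ERC-20 allowance bookkeeping, reduced to the calls an approval scam relies on. This is an added example, not SafuScan's code or any real token contract; the addresses are placeholder strings and the allowance-spending rule follows OpenZeppelin's behaviour of not decrementing an infinite allowance.

```javascript
// Added example (not SafuScan's code): a minimal model of ERC-20 allowance
// bookkeeping. Balances and allowances live in plain Maps, addresses are
// constructed placeholder strings, and amounts are BigInt to mirror uint256.

const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance value

class Erc20Model {
  constructor(initialBalances) {
    this.balances = new Map(Object.entries(initialBalances)); // owner -> BigInt
    this.allowances = new Map(); // owner -> Map(spender -> BigInt)
  }

  balanceOf(owner) {
    return this.balances.get(owner) ?? 0n;
  }

  allowance(owner, spender) {
    return this.allowances.get(owner)?.get(spender) ?? 0n;
  }

  // approve(spender, amount) sent by `owner`. An amount of 0n is a revoke.
  approve(owner, spender, amount) {
    if (!this.allowances.has(owner)) this.allowances.set(owner, new Map());
    this.allowances.get(owner).set(spender, amount);
    return true;
  }

  // transferFrom(from, to, amount) sent by `caller`. This is the call the
  // approved contract makes later; it succeeds only up to the live allowance.
  transferFrom(caller, from, to, amount) {
    const allowed = this.allowance(from, caller);
    if (allowed < amount) throw new Error("ERC20: insufficient allowance");
    if (this.balanceOf(from) < amount) throw new Error("ERC20: insufficient balance");
    // OpenZeppelin-style tokens leave an infinite allowance untouched; mirror that.
    if (allowed !== MAX_UINT256) this.allowances.get(from)?.set(caller, allowed - amount);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
    return true;
  }
}

// The timeline from the article, with constructed addresses.
function simulateApprovalScam() {
  const victim = "0xVICTIM";   // placeholder, not a real address
  const drainer = "0xDRAINER"; // placeholder attacker-controlled contract
  const cashout = "0xCASHOUT"; // placeholder destination
  const token = new Erc20Model({ [victim]: 1000n });

  // Step 1: the victim clicks "enable" on a fake page and signs an unlimited approval.
  token.approve(victim, drainer, MAX_UINT256);
  const balanceRightAfterApproval = token.balanceOf(victim); // still 1000n: nothing moved

  // Step 2: the victim later receives more of the token; the allowance still covers it.
  token.balances.set(victim, 1500n);

  // Step 3: weeks later the approved contract calls transferFrom for the whole balance.
  token.transferFrom(drainer, victim, cashout, token.balanceOf(victim));
  const balanceAfterDrain = token.balanceOf(victim); // 0n

  return {
    balanceRightAfterApproval,
    balanceAfterDrain,
    remainingAllowance: token.allowance(victim, drainer), // still unlimited afterwards
  };
}

// Same timeline, but the victim revokes (approve to zero) before the contract acts.
function simulateRevokeInTime() {
  const victim = "0xVICTIM", drainer = "0xDRAINER", cashout = "0xCASHOUT";
  const token = new Erc20Model({ [victim]: 1000n });
  token.approve(victim, drainer, MAX_UINT256);
  token.approve(victim, drainer, 0n); // the revoke transaction
  let drained = false;
  try {
    token.transferFrom(drainer, victim, cashout, 1000n);
    drained = true;
  } catch (e) {
    // "ERC20: insufficient allowance": the revoke closed the door
  }
  return { drained, balance: token.balanceOf(victim) };
}
```

The point to take from the model is that the approval transaction itself moves nothing, the allowance outlives any balance you had at the time, and only the revoke (approve to zero) makes the later transferFrom fail.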

Permit and Permit2: the gasless version

Newer drainers often use off-chain signatures instead of on-chain approvals. With Permit and Permit2, a single signed message — which costs no gas and may not even look like a 'transaction' — can authorize a transfer of your tokens. Because there's no gas prompt, victims frequently don't realize they authorized anything at all.

Treat any signature request the way you'd treat a transaction: read what it says. A signature that mentions a spender, an allowance, or a token you didn't intend to trade is a red flag — reject it.
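The advice to read the signature request can be turned into a check. The following added example (not SafuScan's code or any wallet's) takes the eth_signTypedData_v4 payload a site asks you to sign, recognises the EIP-2612 Permit message and the Permit2 PermitSingle message, and compares the spender, token, amount and deadline against what you meant to do. The intent object, the wallet hook that would call it, and the sample payload are assumptions constructed for the example.

```javascript
// Added example (not SafuScan's code): inspect a typed-data signature request
// before signing it. Sample payload and the `intent` description are constructed.

const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 amounts are uint160

// Pull the fields that matter out of the typed-data message, whichever permit
// flavour it is. Returns null for messages this checker does not recognise.
function extractPermitGrant(typedData) {
  const { primaryType, message, domain } = typedData;
  if (primaryType === "Permit" && "value" in message) {
    // EIP-2612: the token is the domain's verifying contract.
    const value = BigInt(message.value);
    return {
      kind: "EIP-2612 Permit",
      token: domain.verifyingContract,
      spender: message.spender,
      amount: value,
      unlimited: value === MAX_UINT256,
      deadline: Number(message.deadline),
    };
  }
  if (primaryType === "PermitSingle" && message.details) {
    // Permit2: token and amount live in the nested PermitDetails struct.
    const amount = BigInt(message.details.amount);
    return {
      kind: "Permit2 PermitSingle",
      token: message.details.token,
      spender: message.spender,
      amount,
      unlimited: amount === MAX_UINT160,
      deadline: Number(message.details.expiration),
    };
  }
  return null;
}

// `intent` = { token, spender, maxAmount } is the trade the user believes they
// are making; `now` is a unix timestamp, passed in so the check is deterministic.
function assessSignatureRequest(typedData, intent, now) {
  const grant = extractPermitGrant(typedData);
  if (!grant) {
    return { decision: "unknown", warnings: ["not a recognised permit message; read it manually"] };
  }
  const warnings = [];
  const same = (a, b) => a.toLowerCase() === b.toLowerCase();
  if (!same(grant.spender, intent.spender)) warnings.push(`spender ${grant.spender} is not the contract you are trading with`);
  if (!same(grant.token, intent.token)) warnings.push(`token ${grant.token} is not the token you intended to trade`);
  if (grant.unlimited) warnings.push("unlimited amount");
  else if (grant.amount > intent.maxAmount) warnings.push(`amount ${grant.amount} exceeds the ${intent.maxAmount} you are trading`);
  const ONE_DAY = 86400;
  if (grant.deadline > now + 30 * ONE_DAY) warnings.push("deadline is more than 30 days away");
  return { decision: warnings.length ? "reject" : "sign", kind: grant.kind, warnings };
}

// Constructed sample: a "claim reward" page asks for an EIP-2612 permit with an
// unlimited value to a spender the user has never traded with. All addresses
// are placeholders.
const SAMPLE_PERMIT_REQUEST = {
  types: {
    EIP712Domain: [
      { name: "name", type: "string" }, { name: "version", type: "string" },
      { name: "chainId", type: "uint256" }, { name: "verifyingContract", type: "address" },
    ],
    Permit: [
      { name: "owner", type: "address" }, { name: "spender", type: "address" },
      { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" },
      { name: "deadline", type: "uint256" },
    ],
  },
  primaryType: "Permit",
  domain: { name: "Sample Token", version: "1", chainId: 1, verifyingContract: "0x" + "11".repeat(20) },
  message: {
    owner: "0x" + "ee".repeat(20),
    spender: "0x" + "dd".repeat(20), // not the DEX the user meant to use
    value: MAX_UINT256.toString(),
    nonce: "0",
    deadline: "9999999999",          // effectively never expires
  },
};

function sampleAssessment() {
  const intent = { token: "0x" + "11".repeat(20), spender: "0x" + "aa".repeat(20), maxAmount: 1000n };
  return assessSignatureRequest(SAMPLE_PERMIT_REQUEST, intent, 1_700_000_000);
}
```

On the constructed request the check returns "reject" with three warnings (wrong spender, unlimited amount, far-off deadline); a permit to the expected spender for a bounded amount and a near deadline returns "sign". Anything the checker cannot classify is reported as "unknown" rather than silently approved, which is the right default for a signature you cannot read.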

How to check and revoke your approvals

You can review every approval your wallet has ever granted. Block explorers such as Etherscan have a 'Token Approvals' tool, and dedicated revoke services list active allowances by token and spender. Anything you no longer use — or never recognized granting — should be revoked. Revoking is an on-chain transaction that costs a little gas but closes the door permanently.

Make it a habit: review approvals periodically, and especially right after interacting with any new or unfamiliar dApp. If a wallet may have touched a drainer, revoke immediately and move the remaining funds to a fresh wallet — a malicious approval keeps working until it's revoked.
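The review described above can be scripted once you have the list of allowances. The following added example (not SafuScan's code, nor any explorer's or revoke service's) takes allowance records in an assumed shape, flags the ones worth revoking, and builds the calldata for the revoke transaction: approve(spender, 0) for ERC-20 tokens and setApprovalForAll(operator, false) for NFT collections. The 4-byte selectors are the real ones for those standard signatures; the sample records, the allow-list of spenders and every address are constructed placeholders.

```javascript
// Added example (not SafuScan's code): review active allowances, flag the
// dangerous ones, and produce the calldata for the revoke transaction.
// Allowance records are constructed inline; their field names are assumptions.

const MAX_UINT256 = (1n << 256n) - 1n;

// Real 4-byte selectors (first 4 bytes of keccak256 of the function signature).
const SELECTOR_APPROVE = "095ea7b3";              // approve(address,uint256)
const SELECTOR_SET_APPROVAL_FOR_ALL = "a22cb465"; // setApprovalForAll(address,bool)

// Minimal ABI encoding helpers: every static argument is left-padded to 32 bytes.
const pad32 = (hex) => hex.toLowerCase().replace(/^0x/, "").padStart(64, "0");
const encodeAddress = (addr) => pad32(addr);
const encodeUint = (n) => pad32(n.toString(16));
const encodeBool = (b) => pad32(b ? "1" : "0");

// Calldata for approve(spender, 0): the ERC-20 revoke.
function revokeErc20Calldata(spender) {
  return "0x" + SELECTOR_APPROVE + encodeAddress(spender) + encodeUint(0n);
}

// Calldata for setApprovalForAll(operator, false): the NFT collection revoke.
function revokeErc721Calldata(operator) {
  return "0x" + SELECTOR_SET_APPROVAL_FOR_ALL + encodeAddress(operator) + encodeBool(false);
}

// Classify one allowance record. `knownSpenders` is the user's own allow-list
// of contracts they deliberately use (lower-cased addresses), an assumption here.
function assessAllowance(record, knownSpenders) {
  const reasons = [];
  const spenderKnown = knownSpenders.has(record.spender.toLowerCase());
  if (!spenderKnown) reasons.push("spender not on your allow-list");
  if (record.standard === "ERC721" && record.approvedForAll) {
    reasons.push("operator can move the entire collection");
  }
  if (record.standard === "ERC20" && record.allowance === MAX_UINT256) {
    reasons.push("unlimited allowance");
  }
  // An unlimited allowance to a contract you use on purpose is worth a look;
  // any allowance to a spender you never meant to grant should simply go.
  const risk = !spenderKnown ? "revoke" : reasons.length ? "review" : "ok";
  const data = record.standard === "ERC721"
    ? revokeErc721Calldata(record.spender)
    : revokeErc20Calldata(record.spender);
  // The revoke is sent to the token (or collection) contract, not to the spender.
  return { ...record, risk, reasons, revokeTx: { to: record.token, data } };
}

function reviewAllowances(records, knownSpenders) {
  const normalized = new Set([...knownSpenders].map((a) => a.toLowerCase()));
  return records.map((r) => assessAllowance(r, normalized));
}

// Constructed sample data; every address is a placeholder, not a real contract.
const SAMPLE_ALLOWANCES = [
  { token: "0x" + "11".repeat(20), standard: "ERC20", spender: "0x" + "aa".repeat(20), allowance: MAX_UINT256 },
  { token: "0x" + "22".repeat(20), standard: "ERC20", spender: "0x" + "bb".repeat(20), allowance: MAX_UINT256 },
  { token: "0x" + "33".repeat(20), standard: "ERC20", spender: "0x" + "aa".repeat(20), allowance: 500n },
  { token: "0x" + "44".repeat(20), standard: "ERC721", spender: "0x" + "cc".repeat(20), approvedForAll: true },
];
const KNOWN_SPENDERS = new Set(["0x" + "AA".repeat(20)]); // the one router the user actually uses

function sampleReview() {
  return reviewAllowances(SAMPLE_ALLOWANCES, KNOWN_SPENDERS);
}
```

Run against the sample records this yields one "review" (unlimited allowance to the router the user does use), one "ok" (a bounded allowance to that same router), and two "revoke" results for the unknown spenders; each result carries a ready-to-send revoke transaction whose `to` is the token or collection contract. A real tool would fetch the records from an explorer or by scanning Approval events, which is the part deliberately left out here.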

How to avoid approval scams in the first place

Approve only what you need: when an app offers a custom approval amount, set it to what you're actually trading instead of unlimited. Never approve tokens on a site you reached from a DM, a giveaway or an unsolicited 'airdrop' notification. Bookmark the real URLs of the dApps you use and check them every time. And keep a separate 'burner' wallet for minting and experimenting, apart from your main holdings, so one bad signature can't empty everything.

SafuScan focuses on vetting the token before you buy — liquidity, authorities, honeypot status — which removes a big reason people end up on sketchy sites chasing risky tokens in the first place. A wallet-approval scanner that flags dangerous active allowances is on the SafuScan roadmap; until then, a revoke tool plus the habits above are your best defense.


Frequently asked questions

Can someone drain my wallet without my seed phrase?

Yes. If you sign a token approval or a Permit signature that grants a malicious contract permission to move your tokens, the attacker can transfer them later without ever knowing your seed phrase or password. The approval itself is the key.

What does 'revoke approval' mean?

Revoking sets a token allowance you previously granted back to zero, so the spender contract can no longer move that token. You can do it from a block explorer's token-approval tool or a revoke service; it's an on-chain transaction that costs a small amount of gas.

Is an unlimited approval always dangerous?

Not inherently — major, audited DEX contracts use them safely. The danger is granting an unlimited approval to an unknown or malicious contract. When possible, approve only the amount you're trading, and revoke approvals you no longer use.

Are signature requests safe to sign?

Not always. Off-chain signatures (Permit/Permit2) can authorize token transfers with no gas prompt. Read every signature request; if it references a spender, an allowance, or a token you didn't mean to trade, reject it.
