Infinite Approval

Pre-approving smart contracts to enable the platform to spend any amount of your coins.

What Is Infinite Approval?

Infinite approval is a smart contract programming practice, often considered to be problematic. This programming feature sees a given smart contract require authorization to access an unlimited number of tokens from the user’s wallet instead of only the number that is actually needed.

An infamous example of a smart contract that was programmed this way is one employed by decentralized exchange Bancor. When a user first used the system, he had to give the smart contract an authorization to withdraw an unlimited number of tokens from his wallet.

Bancor’s smart contracts also contained a vulnerability that could have allowed a hacker to steal all the units of the token that the user authorized the contract to manage by leveraging this vulnerability. Fortunately, Bancor’s programmers noticed before malicious actors could steal the tokens and later modified their systems to only ask for approval for the needed number of tokens. The developers preemptively “stole” user funds to return them later to avoid a hack.

After the controversy surrounding Bancor, it surfaced that infinite approval is a very popular practice among decentralized application programmers. Research conducted by a researcher at crypto wallet ZenGo revealed that popular decentralized applications Compound, Uniswap, bZX, Aave, Kyber and dYdX all feature infinite or extremely large approvals.

For instance, a liquidity provider may provide a liquidity pool with $5,000 worth of Ether and $5,000 of USD-pegged decentralized stablecoin DAI to allow trading back and forth between the two. This way, every time a trade on the ETH/DAI is executed, the liquidity provider would receive compensation for having funded the pool in question.