Infinite Approval

Understanding Infinite Approval

Infinite approval is a concept in smart contract programming that is often viewed as problematic. It involves a smart contract requiring authorization to access an unlimited number of tokens from a user’s wallet, rather than just the necessary amount.

An instance of a smart contract programmed with infinite approval can be found in the decentralized exchange Bancor. When a user initially interacts with the system, they are required to authorize the smart contract to withdraw an unlimited number of tokens from their wallet.

Bancor’s smart contracts had a vulnerability that could have potentially allowed a hacker to steal all the tokens authorized by the user. Fortunately, the developers of Bancor identified this vulnerability before any malicious actors could exploit it. They promptly made adjustments to their systems so that only the required number of tokens would be requested for approval. As a precautionary measure, the developers temporarily assumed control of user funds and later returned them to prevent any potential hacks.

Following the controversy surrounding Bancor, it was discovered that infinite approval is a common practice among decentralized application programmers. Research conducted by a researcher at crypto wallet ZenGo revealed that popular decentralized applications such as Compound, Uniswap, bZX, Aave, Kyber, and dYdX all incorporate infinite or significantly large approvals.

For instance, a liquidity provider may contribute $5,000 worth of Ether and $5,000 worth of the USD-pegged decentralized stablecoin DAI to a liquidity pool. This enables trading between the two assets. Whenever a trade occurs on the ETH/DAI pair, the liquidity provider receives compensation for their contribution to the pool.