
What is a token approval and why does it matter?

Before a decentralized exchange can move your ERC-20 tokens, you have to grant it permission through an approval. This small, easy-to-overlook step is one of the most important security surfaces in DeFi: approvals are how routers pull the tokens they swap for you, and they are also the mechanism wallet drainers abuse. Understanding what an approval grants, the difference between exact and unlimited allowances, and why stale approvals are a standing risk turns a confusing extra transaction into a deliberate security decision.

Why approvals exist

ERC-20 tokens do not let arbitrary contracts move them by default. Every ERC-20 contract keeps an allowance table keyed by owner and spender, and a contract may call transferFrom on your balance only up to the allowance you have set for it. For a router to execute your swap, it must therefore be authorized to transfer the specific token on your behalf. That authorization is the approval: a transaction calling approve(spender, amount) on the token contract, which sets the maximum amount the spender contract may move. Native coins like ETH or BNB need no approval because they are not ERC-20 tokens; the swap transaction carries the value directly. Wrapped versions such as WETH are ERC-20 tokens and do need one. An approval is required only for tokens, and only when your existing allowance to a given router is smaller than the amount you are about to trade, which is why an unlimited allowance is set once while an exact one is set before each trade.

Exact vs unlimited allowances

Many interfaces default to an unlimited allowance (the maximum uint256 value) so you only approve once. The convenience is real, but so is the risk: an unlimited approval is a standing permission that never runs out. If the approved contract is later compromised, including through an upgrade of its code, or was malicious to begin with, it can move that token from your wallet up to your entire balance, including tokens you receive later, without prompting you again. Approving the exact amount you intend to trade closes that window at the cost of an extra approval transaction next time.
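To make the difference concrete, here is an added example (not XAUConnect code) in JavaScript that builds the calldata of an approve transaction for an exact amount and for an unlimited one, then decodes arbitrary approve calldata and classifies it the way you would want to read a wallet prompt. The selector 0x095ea7b3 and the 32-byte ABI word layout are the ERC-20 standard; the router address and the token's decimals are constructed placeholders.

```javascript
// Added example (not XAUConnect code): encode and classify ERC-20 approve() calldata.
// 0x095ea7b3 is the first four bytes of keccak256("approve(address,uint256)"), the selector
// every ERC-20 approve transaction starts with; a wallet's "hex data" view shows this calldata.
const APPROVE_SELECTOR = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n; // what "unlimited" means in practice

function toBaseUnits(amountStr, decimals) {
  // "1.5" with 6 decimals -> 1500000n, done with strings so no float rounding creeps in.
  const [whole, frac = ""] = amountStr.split(".");
  if (frac.length > decimals) throw new Error("more decimal places than the token supports");
  return BigInt(whole + frac.padEnd(decimals, "0"));
}

function stripHex(hex) {
  return hex.toLowerCase().replace(/^0x/, "");
}

function encodeApprove(spender, amount) {
  // ABI encoding: selector, then each argument left-padded to a 32-byte word.
  const spenderHex = stripHex(spender);
  if (!/^[0-9a-f]{40}$/.test(spenderHex)) throw new Error("spender is not a 20-byte address");
  const amountHex = BigInt(amount).toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + spenderHex.padStart(64, "0") + amountHex;
}

function decodeApprove(calldata) {
  // Returns null for anything that is not a plain approve(address,uint256) call.
  const hex = stripHex(calldata);
  if (hex.length !== 8 + 64 + 64 || !hex.startsWith(APPROVE_SELECTOR)) return null;
  const spenderWord = hex.slice(8, 72);
  if (!/^0{24}/.test(spenderWord)) return null; // high 12 bytes of an address word must be zero
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + hex.slice(72)),
  };
}

function classifyApproval(calldata, intendedBaseUnits) {
  // What a reader should conclude from the prompt: exact, larger than the trade, or unlimited.
  const d = decodeApprove(calldata);
  if (!d) return "not-an-approve";
  if (d.amount === MAX_UINT256) return "unlimited";
  if (d.amount > intendedBaseUnits) return "larger-than-trade";
  return "exact";
}

// Constructed placeholder router address; not a real contract.
const ROUTER = "0x1111111111111111111111111111111111111111";
const trade = toBaseUnits("1.5", 6); // 1.5 units of a 6-decimal token
console.log(classifyApproval(encodeApprove(ROUTER, trade), trade));       // exact
console.log(classifyApproval(encodeApprove(ROUTER, MAX_UINT256), trade)); // unlimited
```

Wallets that expose the raw hex data of a pending transaction show exactly this byte string: a run of 64 f's after the spender word is the unlimited case, and an amount word larger than the trade you asked for deserves a second look even when it is not the maximum.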

Why stale approvals are dangerous

Approvals do not expire on their own. Over time you accumulate allowances to dozens of contracts, many of which you used once and forgot. Each is a door that remains unlocked. A recurring pattern in user-level DeFi losses is not a bad trade but an old unlimited approval on a contract that was later exploited: once the attacker controls that contract, it can call transferFrom on every wallet that still has an allowance outstanding, with no further action from the owner. The allowance you forgot about is exactly the one an attacker uses.

Managing approvals well

Prefer exact approvals for tokens that hold real value. Periodically audit your active allowances per chain with a reputable checker and revoke the ones you no longer need; a revoke is itself an approve(spender, 0) transaction, one per token and spender pair, so it costs gas like any other. Confirm what a checker shows against the token's allowance(owner, spender) view on the block explorer, since that is the value the token contract actually enforces. And never approve a transaction or sign a message you do not understand; drainer sites rely on users clicking through prompts without reading what permission they are granting.
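The audit step, as an added example (not XAUConnect code or any particular checker's logic): replay the Approval events a block explorer or eth_getLogs returns for your address, keep the latest allowance per token and spender, and produce the revoke calldata for each one still outstanding. Addresses and log entries are constructed placeholders, and the event topic hash is the standard ERC-20 Approval signature. Event replay is a triage list, not ground truth: confirm each hit with the token's allowance(owner, spender) view before and after revoking.

```javascript
// Added example (not XAUConnect code): triage outstanding ERC-20 allowances from Approval logs.
// APPROVAL_TOPIC is keccak256("Approval(address,address,uint256)"), topic 0 of every ERC-20
// Approval event; topics 1 and 2 are the indexed owner and spender, data is the new allowance.
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const MAX_UINT256 = (1n << 256n) - 1n;

function addressToTopic(addr) {
  return "0x" + addr.toLowerCase().replace(/^0x/, "").padStart(64, "0");
}

function topicToAddress(topic) {
  // Indexed addresses are left-padded to 32 bytes; the address is the last 20 bytes.
  return "0x" + topic.toLowerCase().slice(-40);
}

function outstandingAllowances(logs, owner) {
  // Replays Approval events in chain order; the latest value per (token, spender) wins.
  // This is an upper bound for triage only: a transferFrom may lower an allowance without
  // emitting Approval, so confirm each hit with the token's allowance(owner, spender) view.
  const ownerTopic = addressToTopic(owner);
  const ordered = [...logs].sort(
    (a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex
  );
  const latest = new Map();
  for (const log of ordered) {
    if (log.topics.length !== 3 || log.topics[0].toLowerCase() !== APPROVAL_TOPIC) continue;
    if (log.topics[1].toLowerCase() !== ownerTopic) continue;
    const key = log.address.toLowerCase() + "|" + topicToAddress(log.topics[2]);
    latest.set(key, BigInt(log.data));
  }
  const hits = [];
  for (const [key, value] of latest) {
    if (value === 0n) continue; // already revoked
    const [token, spender] = key.split("|");
    hits.push({ token, spender, value, unlimited: value === MAX_UINT256 });
  }
  return hits;
}

function revokeCalldata(spender) {
  // A revoke is approve(spender, 0): selector 0x095ea7b3, padded spender, zero amount.
  return "0x095ea7b3" + spender.toLowerCase().replace(/^0x/, "").padStart(64, "0") + "0".repeat(64);
}

// Constructed sample logs in eth_getLogs shape; addresses are placeholders, not real contracts.
const OWNER   = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const TOKEN_A = "0x1000000000000000000000000000000000000001";
const TOKEN_B = "0x1000000000000000000000000000000000000002";
const ROUTER  = "0x2000000000000000000000000000000000000001";
const BRIDGE  = "0x2000000000000000000000000000000000000002";
const word = (v) => "0x" + BigInt(v).toString(16).padStart(64, "0");
const SAMPLE_LOGS = [
  { address: TOKEN_A, blockNumber: 100, logIndex: 3, topics: [APPROVAL_TOPIC, addressToTopic(OWNER), addressToTopic(ROUTER)], data: word(MAX_UINT256) },
  { address: TOKEN_B, blockNumber: 120, logIndex: 0, topics: [APPROVAL_TOPIC, addressToTopic(OWNER), addressToTopic(BRIDGE)], data: word(MAX_UINT256) },
  { address: TOKEN_A, blockNumber: 150, logIndex: 7, topics: [APPROVAL_TOPIC, addressToTopic(OWNER), addressToTopic(BRIDGE)], data: word(10n ** 18n) },
  { address: TOKEN_A, blockNumber: 200, logIndex: 1, topics: [APPROVAL_TOPIC, addressToTopic(OWNER), addressToTopic(ROUTER)], data: word(0) }, // revoked
];

for (const hit of outstandingAllowances(SAMPLE_LOGS, OWNER)) {
  console.log(hit.token, hit.spender, hit.unlimited ? "UNLIMITED" : hit.value.toString(), "revoke:", revokeCalldata(hit.spender));
}
```

One caveat when re-approving rather than revoking: some tokens, USDT on Ethereum among them, reject a change from one non-zero allowance directly to another and require an approve to zero in between. Setting the allowance to zero, which is what a revoke does, is accepted by all of them.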

Approvals are not the same as signatures

One more distinction worth internalizing: an on-chain approval is a transaction that costs gas and sets a token allowance, while a signed message is an off-chain signature that costs you nothing to produce but can also authorize actions. Tokens that implement EIP-2612 accept a signed permit that anyone can submit on-chain to set an allowance on your behalf, so a signature can grant the same standing permission as an approve transaction without an outgoing transaction ever appearing in your wallet history. Drainers increasingly abuse signature prompts precisely because they look harmless. Read what a signature requests as carefully as a transaction, check the spender, amount and deadline it names, and reject anything whose purpose you cannot state plainly.
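As an added example (not XAUConnect code), the following JavaScript reviews an EIP-2612 Permit request of the kind a wallet shows for eth_signTypedData_v4 and lists every reason to refuse it: wrong chain, unknown spender, unlimited value, a deadline that never expires, or an owner that is not your wallet. The typed-data shape and field names come from EIP-2612; the wallet address, spender addresses and timestamps are constructed placeholders, and the context object is an assumed shape for this example.

```javascript
// Added example (not XAUConnect code): review an EIP-2612 Permit signing request before
// approving it in the wallet. EIP-2612 defines the typed struct
//   Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)
// and a dapp sends it through eth_signTypedData_v4 in the shape used below.
const MAX_UINT256 = (1n << 256n) - 1n;
const EIP2612_FIELDS = "owner,spender,value,nonce,deadline";

function inspectPermitRequest(typedData, ctx) {
  // ctx is an assumed shape for this example:
  //   { wallet, chainId, trustedSpenders, now (unix seconds), maxValiditySeconds }
  // Returns the reasons to reject; an empty array means nothing looked wrong.
  const findings = [];
  const { primaryType, domain = {}, message = {}, types = {} } = typedData;
  if (primaryType !== "Permit") {
    findings.push(`primaryType is ${primaryType}, not Permit: read its type definition before signing`);
    return findings;
  }
  const fields = (types.Permit || []).map((f) => f.name).join(",");
  if (fields !== EIP2612_FIELDS) findings.push(`Permit struct is not EIP-2612's: ${fields}`);
  if (!domain.verifyingContract) findings.push("no verifyingContract in domain: cannot tell which token the permit targets");
  if (Number(domain.chainId) !== ctx.chainId) findings.push(`permit is for chain ${domain.chainId}, wallet is on ${ctx.chainId}`);
  if (String(message.owner).toLowerCase() !== ctx.wallet.toLowerCase()) findings.push("owner is not the connected wallet");
  const spender = String(message.spender).toLowerCase();
  if (!ctx.trustedSpenders.some((a) => a.toLowerCase() === spender)) findings.push(`spender ${spender} is not a contract you chose to interact with`);
  const value = BigInt(message.value);
  if (value === MAX_UINT256) findings.push("value is unlimited (2^256 - 1): same standing risk as an unlimited approve");
  const deadline = BigInt(message.deadline);
  if (deadline === MAX_UINT256) findings.push("deadline never expires: the signature stays usable forever");
  else if (deadline > BigInt(ctx.now + ctx.maxValiditySeconds)) findings.push(`deadline is ${(deadline - BigInt(ctx.now)).toString()} s away, longer than one session`);
  return findings;
}

// Constructed placeholders: not real contracts, wallets or timestamps.
const WALLET = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const ROUTER = "0x2000000000000000000000000000000000000001";
const UNKNOWN = "0xdeaddeaddeaddeaddeaddeaddeaddeaddeaddead";
const TOKEN = "0x1000000000000000000000000000000000000001";
const NOW = 1700000000;
const CTX = { wallet: WALLET, chainId: 1, trustedSpenders: [ROUTER], now: NOW, maxValiditySeconds: 3600 };
const PERMIT_TYPES = {
  EIP712Domain: [{ name: "name", type: "string" }, { name: "version", type: "string" }, { name: "chainId", type: "uint256" }, { name: "verifyingContract", type: "address" }],
  Permit: [{ name: "owner", type: "address" }, { name: "spender", type: "address" }, { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" }, { name: "deadline", type: "uint256" }],
};
const domain = { name: "Example Token", version: "1", chainId: 1, verifyingContract: TOKEN };

// A request a swap you initiated would produce: exact amount, short deadline, known spender.
const BENIGN = { types: PERMIT_TYPES, primaryType: "Permit", domain,
  message: { owner: WALLET, spender: ROUTER, value: "1500000", nonce: "0", deadline: String(NOW + 600) } };
// A request in the drainer style: unknown spender, unlimited value, deadline that never expires.
const DRAINER = { types: PERMIT_TYPES, primaryType: "Permit", domain,
  message: { owner: WALLET, spender: UNKNOWN, value: MAX_UINT256.toString(), nonce: "0", deadline: MAX_UINT256.toString() } };

console.log(inspectPermitRequest(BENIGN, CTX));  // []
console.log(inspectPermitRequest(DRAINER, CTX)); // three reasons to reject
```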

Legal

Risk disclosure

XAUConnect is a non-custodial swap aggregator. Digital assets are volatile and may lose value rapidly. Content on this page is educational and not investment advice. Verify every contract address on the official block explorer before approving a transaction.

Frequently asked questions

Why does my swap need an approval transaction?

ERC-20 tokens require explicit authorization before a router can move them. The approval grants that permission; native coins like ETH skip it.

Should I approve unlimited or exact amounts?

Exact is safer for valuable tokens because it closes the standing risk between trades. Unlimited is convenient but leaves a permanent permission you must remember to review.

Do approvals expire?

No. They remain active until you revoke them, which is why old unlimited approvals are a common path for wallet drains after a contract is compromised.

How do I stay safe with approvals?

Prefer exact allowances, audit and revoke stale ones periodically, and never sign an approval or message you do not understand.
