Every time you interact with a decentralized application — swapping tokens, providing liquidity, minting an NFT — you almost certainly signed a token approval. That approval grants a smart contract permission to move your tokens on your behalf, often with no spending limit and no expiration date. If that contract is later exploited, upgraded to a malicious version, or simply abandoned, an attacker can drain your wallet without you signing anything new. Understanding how to audit and revoke those approvals on MetaMask and Rabby Wallet is one of the most practical security habits any crypto holder can build. This guide walks you through the exact steps on both wallets, explains the tools available, and tells you what to prioritize first.
Why Token Approvals Are a Persistent Risk
Token approvals are governed by the ERC-20 approve() function and the ERC-721/ERC-1155 setApprovalForAll() function. When you call approve(spender, amount), you authorize a specific address — usually a smart contract — to transfer up to amount tokens from your wallet at any future time. The Ethereum Foundation’s developer documentation confirms that approvals remain valid indefinitely unless explicitly revoked by the token owner.
The practical consequence: wallets accumulate dozens or hundreds of live approvals over time. A 2022 post-mortem on the Badger DAO exploit, which resulted in roughly $120 million in losses, showed that attacker-injected scripts leveraged existing unlimited approvals that users had never revoked. The tokens never left users’ custody through a malicious transaction they signed — the approval they signed months earlier did the damage.
How to Revoke Token Approvals Directly in MetaMask
MetaMask added a built-in approval management interface in its extension. The path differs slightly between the browser extension and the mobile app.
MetaMask Browser Extension (v11+)
- Open MetaMask and click the three-dot menu in the top-right corner.
- Select Settings → Security & Privacy.
- Scroll to Token Approvals and click View on Explorer — this redirects to Etherscan’s Token Approvals tool for your connected address.
- Alternatively, navigate to Activity, find the original approval transaction, and use the Etherscan link to locate the spender contract.
MetaMask itself does not render a full approval dashboard inside the extension as of early 2026; it relies on block explorers for the full list. The MetaMask Knowledge Base article titled “How to revoke smart contract allowances/token approvals” documents this flow explicitly.
Using Etherscan’s Token Approvals Tool
- Go to etherscan.io/tokenapprovalchecker and connect your wallet.
- The tool lists every active ERC-20 approval grouped by token, showing the spender address and the approved amount.
- Click Revoke next to any approval you want to remove. MetaMask will prompt you to confirm a transaction that calls approve(spender, 0), setting the allowance to zero.
- Pay the gas fee to confirm. The approval is removed on-chain once the transaction is mined.
Etherscan also supports ERC-721 NFT approvals via the same interface. Each revocation is a separate on-chain transaction with its own gas cost.
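Both the Revoke button and the original approval come down to a few bytes of calldata that the wallet asks you to sign. The following added example (not code from the article, MetaMask or Etherscan) decodes that calldata the way a careful reviewer would before confirming: which function is being called, which spender it names, and whether the amount is a revocation, a limited allowance, or the unlimited sentinel. The 4-byte selectors are the standard keccak256 prefixes of approve(address,uint256) and setApprovalForAll(address,bool); the spender address in the samples is constructed.

```python
"""Decode ERC-20 / ERC-721 approval calldata before confirming the transaction.

Added example; not from the article, MetaMask or Etherscan. Sample spender
addresses are constructed and do not correspond to any deployed contract.
"""
from dataclasses import dataclass
from typing import Optional

UINT256_MAX = 2**256 - 1  # displayed as "Unlimited" by wallets and explorers

# First 4 bytes of keccak256 of the canonical function signatures.
SELECTOR_APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SELECTOR_SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)


@dataclass(frozen=True)
class ApprovalCall:
    kind: str                 # "erc20_approve" or "nft_set_approval_for_all"
    spender: str              # 0x-prefixed, lower-case, 20 bytes
    amount: Optional[int]     # ERC-20 allowance; None for the NFT call
    approved: Optional[bool]  # NFT operator flag; None for the ERC-20 call

    def classify(self) -> str:
        """Plain-language verdict a reviewer can act on before signing."""
        if self.amount == 0 or self.approved is False:
            return "revocation"
        if self.amount == UINT256_MAX:
            return "unlimited allowance"
        if self.approved is True:
            return "operator over the whole collection"
        return "limited allowance"


def _word(data: bytes, index: int) -> bytes:
    """Return ABI argument `index`: the 32-byte word after the 4-byte selector."""
    start = 4 + 32 * index
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError(f"calldata too short for argument {index}")
    return chunk


def _address(word: bytes) -> str:
    if any(word[:12]):  # the high 12 bytes of an address word must be zero padding
        raise ValueError("malformed address argument")
    return "0x" + word[12:].hex()


def decode_approval_calldata(calldata_hex: str) -> ApprovalCall:
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    selector = data[:4]
    if selector == SELECTOR_APPROVE:
        return ApprovalCall("erc20_approve", _address(_word(data, 0)),
                            int.from_bytes(_word(data, 1), "big"), None)
    if selector == SELECTOR_SET_APPROVAL_FOR_ALL:
        flag = int.from_bytes(_word(data, 1), "big")
        if flag not in (0, 1):
            raise ValueError("bool argument must be 0 or 1")
        return ApprovalCall("nft_set_approval_for_all", _address(_word(data, 0)), None, flag == 1)
    raise ValueError(f"not an approval call (selector 0x{selector.hex()})")


def _encode(selector: bytes, spender: str, value: int) -> str:
    spender_bytes = bytes.fromhex(spender.removeprefix("0x"))
    if len(spender_bytes) != 20:
        raise ValueError("spender must be a 20-byte address")
    return "0x" + (selector + spender_bytes.rjust(32, b"\x00") + value.to_bytes(32, "big")).hex()


def encode_erc20_revoke(spender: str) -> str:
    """Calldata an explorer's Revoke button submits: approve(spender, 0)."""
    return _encode(SELECTOR_APPROVE, spender, 0)


def encode_nft_revoke(spender: str) -> str:
    """Calldata that removes an NFT operator: setApprovalForAll(spender, false)."""
    return _encode(SELECTOR_SET_APPROVAL_FOR_ALL, spender, 0)


# Constructed sample spender, not a real contract address.
SAMPLE_SPENDER = "0x" + "11" * 20
SAMPLE_UNLIMITED_APPROVE = _encode(SELECTOR_APPROVE, SAMPLE_SPENDER, UINT256_MAX)
SAMPLE_OPERATOR_GRANT = _encode(SELECTOR_SET_APPROVAL_FOR_ALL, SAMPLE_SPENDER, 1)

if __name__ == "__main__":
    for label, calldata in [("unlimited approve", SAMPLE_UNLIMITED_APPROVE),
                            ("operator grant", SAMPLE_OPERATOR_GRANT),
                            ("revoke", encode_erc20_revoke(SAMPLE_SPENDER))]:
        call = decode_approval_calldata(calldata)
        print(f"{label:18} -> {call.kind} spender={call.spender} verdict={call.classify()}")
```

Paste the "hex data" field from the wallet's confirmation screen into decode_approval_calldata to see what you are about to authorize; a verdict of "unlimited allowance" or "operator over the whole collection" is the case the triage guidance later in this guide treats as highest risk.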
How to Revoke Token Approvals in Rabby Wallet
Rabby Wallet, developed by DeBank, ships with a native approval management dashboard — one of its most cited security features. Unlike MetaMask’s redirect approach, Rabby surfaces approvals without leaving the wallet UI.
Rabby’s Built-In Approval Management
- Open the Rabby browser extension and click the Approvals tab in the sidebar (shield icon).
- Rabby fetches and categorizes your approvals across all connected EVM chains simultaneously — Ethereum, Arbitrum, Base, Polygon, and others.
- Each entry shows the token, spender contract name (when identifiable), the approved amount, and a risk score. Rabby flags contracts marked as risky by its security engine.
- Click Revoke next to any approval. Confirm the transaction in the wallet prompt.
The Rabby documentation describes this feature under “Approval Management” in its official help center. The cross-chain view is particularly useful because many users forget approvals granted on Layer 2 networks where gas was cheap and approvals were signed casually.
Third-Party Revocation Tools Worth Knowing
Two additional tools are widely used and worth bookmarking alongside your wallet’s native features.
- Revoke.cash — An open-source tool (MIT license, source on GitHub) that supports over 80 EVM-compatible chains. It displays token and NFT approvals, sorts by risk level, and allows batch revocations where the network supports it. The project’s documentation notes it reads data directly from on-chain logs and does not require email or account creation.
- DeBank’s approval scanner — Integrated into the DeBank portfolio interface. Because Rabby is built on DeBank’s infrastructure, the data shown in both tools is consistent.
When using any third-party tool, verify the domain carefully before connecting your wallet. Phishing sites mimicking Revoke.cash have appeared in search ads — always navigate from a bookmarked URL or the project’s verified GitHub page.
What to Prioritize When Auditing Approvals
A wallet with 200 approvals does not require 200 revocations. Apply a triage approach:
- Unlimited approvals first. Any approval showing “Unlimited” or a very large number (e.g., 2^256 − 1, the maximum uint256 value) should be reviewed immediately. These are the highest-risk entries.
- Inactive or deprecated protocols. If you no longer use a protocol, revoke its approvals. Even audited contracts can be upgraded or have ownership transferred.
- Unknown or unverified spender addresses. If Etherscan or Rabby cannot identify the spender contract by name, treat it as elevated risk.
- NFT setApprovalForAll grants. These allow a contract to transfer any NFT in the collection from your wallet. Revoke these unless you are actively using the approved marketplace or contract.
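The Revoke.cash entry above notes that such tools read approvals directly from on-chain logs, and the triage list describes how to rank what they find. The following added example (not code from the article, Revoke.cash or Rabby) shows both steps on constructed data: Approval and ApprovalForAll event logs in the shape eth_getLogs returns are replayed in block order so that the latest event per token and spender wins and zero or false entries drop out, and the remaining live approvals are ranked with unlimited allowances and whole-collection operator grants first, unidentifiable spenders next. The log records, addresses and spender labels are constructed; the two topic hashes are the standard keccak256 signatures of the ERC-20 Approval and ERC-721 ApprovalForAll events.

```python
"""Rebuild live approvals from Approval / ApprovalForAll logs, then triage them.

Added example; not code from the article, Revoke.cash or Rabby. All log
records, addresses and spender labels below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

UINT256_MAX = 2**256 - 1
# keccak256 of Approval(address,address,uint256) and ApprovalForAll(address,address,bool)
TOPIC_APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
TOPIC_APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"


@dataclass(frozen=True)
class LiveApproval:
    kind: str     # "erc20" or "nft_operator"
    token: str    # token or collection contract
    spender: str  # approved spender or operator
    value: int    # ERC-20 allowance; 1 for an active operator grant


def _addr_from_topic(topic: str) -> str:
    """Indexed address arguments are left-padded to 32 bytes in the topic."""
    return "0x" + topic.removeprefix("0x")[-40:].lower()


def replay_approvals(logs: List[dict], owner: str) -> List[LiveApproval]:
    """Latest event per (kind, token, spender) wins; zero/false entries are dropped."""
    state: Dict[Tuple[str, str, str], int] = {}
    ordered = sorted(logs, key=lambda lg: (int(lg["blockNumber"], 16), int(lg["logIndex"], 16)))
    for lg in ordered:
        topics = lg["topics"]
        if len(topics) != 3 or _addr_from_topic(topics[1]) != owner.lower():
            continue  # not one of this owner's approval events
        kind = {TOPIC_APPROVAL: "erc20", TOPIC_APPROVAL_FOR_ALL: "nft_operator"}.get(topics[0])
        if kind is None:
            continue
        key = (kind, lg["address"].lower(), _addr_from_topic(topics[2]))
        state[key] = int(lg["data"].removeprefix("0x"), 16)  # non-indexed value or bool
    return [LiveApproval(k, t, s, v) for (k, t, s), v in state.items() if v != 0]


def triage(live: List[LiveApproval], known: Dict[str, str]) -> List[Tuple[LiveApproval, List[str]]]:
    """Rank live approvals: unlimited / whole-collection first, unknown spenders next."""
    ranked = []
    for entry in live:
        reasons: List[str] = []
        rank = 2  # limited allowance to an identifiable spender
        if entry.kind == "erc20" and entry.value == UINT256_MAX:
            reasons.append("unlimited allowance")
            rank = 0
        if entry.kind == "nft_operator":
            reasons.append("setApprovalForAll over the whole collection")
            rank = 0
        if entry.spender not in known:
            reasons.append("spender not identifiable")
            rank = min(rank, 1)
        ranked.append((rank, entry, reasons))
    ranked.sort(key=lambda r: (r[0], r[1].kind, r[1].token))
    return [(entry, reasons) for _, entry, reasons in ranked]


def _pad(addr: str) -> str:
    return "0x" + addr.removeprefix("0x").rjust(64, "0")


def _log(topic0: str, token: str, owner: str, spender: str, value: int, block: int, index: int) -> dict:
    """One eth_getLogs-shaped record (constructed, not fetched from a node)."""
    return {"address": token, "topics": [topic0, _pad(owner), _pad(spender)],
            "data": "0x" + format(value, "064x"), "blockNumber": hex(block), "logIndex": hex(index)}


OWNER = "0x" + "aa" * 20
TOKEN_A, TOKEN_B, COLLECTION = "0x" + "01" * 20, "0x" + "04" * 20, "0x" + "05" * 20
DEX, UNKNOWN, MARKET = "0x" + "02" * 20, "0x" + "03" * 20, "0x" + "06" * 20
KNOWN_SPENDERS = {DEX: "constructed DEX router", MARKET: "constructed NFT marketplace"}

# Deliberately out of order: replay must sort by block and log index.
SAMPLE_LOGS = [
    _log(TOPIC_APPROVAL_FOR_ALL, COLLECTION, OWNER, MARKET, 1, 130, 0),  # operator granted
    _log(TOPIC_APPROVAL, TOKEN_A, OWNER, DEX, UINT256_MAX, 100, 3),      # unlimited ...
    _log(TOPIC_APPROVAL, TOKEN_A, OWNER, DEX, 0, 200, 1),                # ... later revoked
    _log(TOPIC_APPROVAL_FOR_ALL, COLLECTION, OWNER, MARKET, 0, 110, 2),  # superseded at block 130
    _log(TOPIC_APPROVAL, TOKEN_A, OWNER, UNKNOWN, 5000 * 10**18, 150, 0),
    _log(TOPIC_APPROVAL, TOKEN_B, OWNER, DEX, UINT256_MAX, 120, 7),
    _log(TOPIC_APPROVAL, TOKEN_B, "0x" + "bb" * 20, DEX, UINT256_MAX, 121, 0),  # another owner
]


def run_triage() -> List[Tuple[LiveApproval, List[str]]]:
    return triage(replay_approvals(SAMPLE_LOGS, OWNER), KNOWN_SPENDERS)


if __name__ == "__main__":
    for entry, reasons in run_triage():
        label = KNOWN_SPENDERS.get(entry.spender, "unknown spender")
        print(f"{entry.kind:12} token={entry.token[:10]}... {label:28} {', '.join(reasons)}")
```

Against real data the logs would come from eth_getLogs filtered on the two topic hashes and the owner's padded address in topics[1]; the ranking is only a starting point, since the "inactive or deprecated protocol" criterion needs your own knowledge of which spenders you still use.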
The Gas Cost Reality of Revoking Approvals
Each revocation is an on-chain transaction. On Ethereum mainnet, revoking an ERC-20 approval typically consumes around 45,000–60,000 gas. At moderate gas prices this costs a fraction of a dollar to a few dollars. On Layer 2 networks like Arbitrum or Optimism, the cost is negligible — often under one cent.
If you have many approvals to revoke on mainnet, consider batching the work over multiple sessions during low-gas periods (typically late nights UTC on weekdays, per historical Ethereum gas data). Some tools like Revoke.cash support multi-revoke transactions on chains that implement EIP-2612 permit-style patterns, but standard ERC-20 revocations require individual transactions.
What This Means for You
Token approval hygiene is not a one-time task — it is a recurring practice. After any significant DeFi session, spend two minutes in Rabby’s Approvals tab or Revoke.cash to remove approvals you no longer need. If you primarily use MetaMask, bookmark Etherscan’s Token Approvals Checker and run it monthly. Prioritize unlimited approvals and approvals granted to contracts you no longer interact with. The gas cost of revoking approvals is almost always less than the cost of a single exploited position.
Both MetaMask and Rabby continue to improve their native approval tooling — MetaMask’s Q4 2025 roadmap referenced enhanced in-wallet approval visibility — but neither wallet prevents you from granting approvals in the first place. The responsibility for auditing and revoking them remains with you.
