
Victim Loses $24.23 Million in Crypto Phishing Scam: Understanding the IncreaseAllowance


The increaseAllowance function is not part of the ERC-20 standard itself, but many token contracts include it, notably those built on OpenZeppelin's ERC20 implementation (versions before 5.0). It raises the number of tokens that a specified address, the spender, may withdraw from your account. Phishers have learned to abuse it to extract funds from inattentive users, and even seasoned veterans get caught. Today we take a look at this type of phishing scam and examine a case in which one trader lost more than 20 million dollars this way.

Biggest Crypto Phishing Scam Ever

In one of the largest crypto phishing incidents to date, the victim lost approximately $24.23 million in stETH and rETH. The loss occurred when the victim signed an "increaseAllowance" transaction that named the scammer's address as the spender, which granted the scammer approval to move those tokens out of the victim's wallet.

The scammers swiftly converted the stolen funds into ETH and DAI, subsequently transferring them across multiple addresses.

The victim, identified by the address 0x13…179e, is a seasoned player in the crypto space with significant on-chain experience. The address is a substantial liquidity provider (LP), offering more than $1.6 million in WBTC/USDT liquidity on Uniswap V3, and has interacted with a range of protocols, including Aave, 1inch, Curve, OMG, EOS, and more.

The earliest transaction associated with this address (0xf8…1110) dates back to June 2017 and originated from Bitfinex.

How Does IncreaseAllowance Work?

The function takes two parameters: the spender's address and the amount by which the allowance should be increased. When you call increaseAllowance(spender, amount), the contract adds amount to the spender's existing allowance, so the spender may withdraw that many additional tokens from your account via transferFrom.

Because it adds to the current allowance rather than requiring one to exist, it can be called when no approval has been set at all: zero plus the requested amount is simply a fresh approval. In practice it is an approve function under a different name, which is exactly why a phisher can use it.

This underscores the need to read any transaction labeled "Increase Allowance" carefully before signing: check which address is the spender and how large the amount is, and refuse to sign if the wallet does not show those details or if the amount is effectively unlimited.
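The check described above can be done on the raw calldata before a wallet ever signs it. The following is an added example and not code from the original article: it ABI-decodes approve, increaseAllowance and decreaseAllowance calldata and flags the things a signer should notice. The selectors are the standard ones for these function signatures; the sample calldata, the spender address 0x1111…1111 and the TRUSTED_SPENDERS allow-list are constructed placeholders.

```python
# Added example, not from the original article: decode the calldata of an
# ERC-20 allowance transaction so that the spender and amount are visible
# before you sign, even when a wallet only shows the label "Increase Allowance".
# The sample calldata and the spender address 0x1111...1111 are constructed
# placeholders; TRUSTED_SPENDERS is an assumed allow-list you would maintain.

UINT256_MAX = 2**256 - 1

# First 4 bytes of keccak256(function signature); these are the standard
# selectors for the ERC-20 / OpenZeppelin allowance functions.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a457c2d7": "decreaseAllowance(address,uint256)",
}

TRUSTED_SPENDERS = frozenset()  # e.g. router contracts you have vetted (assumed)


def encode_allowance_call(func: str, spender: str, amount: int) -> str:
    """ABI-encode approve/increaseAllowance/decreaseAllowance calldata as hex."""
    selector = next(sel for sel, sig in SELECTORS.items() if sig.startswith(func + "("))
    spender_word = bytes.fromhex(spender[2:]).rjust(32, b"\x00")  # address is right-aligned
    amount_word = amount.to_bytes(32, "big")
    return "0x" + selector + spender_word.hex() + amount_word.hex()


def decode_allowance_call(calldata_hex: str, trusted=TRUSTED_SPENDERS) -> dict:
    """Return {"function", "spender", "amount", "warnings"} for allowance calldata.

    Raises ValueError for anything that is not one of the three known selectors
    or that is not exactly selector + two 32-byte words.
    """
    h = calldata_hex.lower()
    if h.startswith("0x"):
        h = h[2:]
    data = bytes.fromhex(h)
    if len(data) != 4 + 32 + 32:
        raise ValueError(f"unexpected calldata length {len(data)}")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector 0x{selector}")
    func = SELECTORS[selector].split("(")[0]
    spender_word, amount_word = data[4:36], data[36:68]
    # An address occupies the low 20 bytes of its word; the 12 high bytes must be zero.
    if any(spender_word[:12]):
        raise ValueError("malformed address word (non-zero padding)")
    spender = "0x" + spender_word[12:].hex()
    amount = int.from_bytes(amount_word, "big")

    warnings = []
    if amount == UINT256_MAX:
        warnings.append("unlimited allowance requested")
    if func == "increaseAllowance":
        warnings.append("increaseAllowance adds to any existing allowance; "
                        "with no prior approval it is a plain approve")
    if func != "decreaseAllowance" and amount > 0 and spender not in trusted:
        warnings.append(f"spender {spender} is not on your trusted list")
    return {"function": func, "spender": spender, "amount": amount, "warnings": warnings}


# Constructed sample: increaseAllowance(0x1111...1111, 2**256 - 1), the shape a
# phishing site would ask a wallet to sign.
SAMPLE_CALLDATA = "0x39509351" + "00" * 12 + "11" * 20 + "ff" * 32

if __name__ == "__main__":
    result = decode_allowance_call(SAMPLE_CALLDATA)
    print(result["function"], result["spender"], result["amount"])
    for w in result["warnings"]:
        print("WARNING:", w)
```

A revoke (approve with amount 0) produces no warnings, and a decreaseAllowance never triggers the trusted-spender warning, since neither can give a new party access to your tokens.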

What’s the Problem with the Original Approve Function?

The original ERC-20 specification provides an approve function that sets, rather than adjusts, the allowance for a spender. This design has a well-known front-running weakness.

Imagine a scenario where you have used approve to allow a spender (let's call him Bob) to withdraw 100 tokens from your account. Later you decide to reduce Bob's allowance to 50 tokens, so you call approve(Bob, 50). If Bob is monitoring the transaction pool (mempool), he can see your pending transaction and front-run it with a transferFrom for the original 100 tokens before your new transaction is confirmed.

The result is that Bob holds 100 of your tokens and still has permission to withdraw another 50, because approve overwrites the old allowance with the new value regardless of what was spent in between. You intended to cut his allowance to 50 and instead exposed 150.

How Does DecreaseAllowance Solve This Problem?

To mitigate this risk, some token contracts include a decreaseAllowance function, which subtracts from the current allowance instead of overwriting it. If you call decreaseAllowance(Bob, 50), you reduce Bob's allowance by 50 tokens, whatever it is at the moment the transaction executes. If Bob sees the transaction in the mempool and tries to front-run it by transferring all 100 tokens, one of two things happens: either your decrease is processed first, leaving an allowance of 50 so his 100-token transfer fails, or his transfer lands first, leaving an allowance of 0 so your decrease of 50 reverts (OpenZeppelin's implementation refuses to decrease an allowance below zero). In neither ordering can Bob take more than the 100 you had originally approved.

If Bob isn't monitoring the mempool, decreaseAllowance simply reduces his allowance as expected, leaving him with 50 tokens' worth of allowance.
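The two races above (approve versus decreaseAllowance, with and without Bob front-running) and the phishing flow from the start of the article can be replayed in a small model. This is an added example, not code from the original article or from any token contract: it mirrors the OpenZeppelin semantics for approve, increaseAllowance, decreaseAllowance and transferFrom, and the accounts and balances ("alice", "bob", "victim", "attacker") are constructed for the demonstration.

```python
# Added example, not from the original article: a minimal model of ERC-20
# allowance accounting that follows the OpenZeppelin semantics for approve,
# increaseAllowance, decreaseAllowance and transferFrom, used to replay the
# mempool race described above under both orderings. Accounts and balances
# are constructed for the demonstration.

class Reverted(Exception):
    """Raised where the contract would revert; state is left unchanged."""


class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        # Standard ERC-20: sets the allowance, overwriting whatever was there.
        self.allowances[(owner, spender)] = amount

    def increase_allowance(self, owner, spender, added):
        # Relative: no prior approval needed, 0 + added is a fresh approval.
        self.allowances[(owner, spender)] = self.allowance(owner, spender) + added

    def decrease_allowance(self, owner, spender, subtracted):
        current = self.allowance(owner, spender)
        if subtracted > current:
            raise Reverted("decreased allowance below zero")
        self.allowances[(owner, spender)] = current - subtracted

    def transfer_from(self, spender, owner, to, amount):
        if self.allowance(owner, spender) < amount:
            raise Reverted("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise Reverted("transfer amount exceeds balance")
        self.allowances[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def run_race(use_decrease, bob_front_runs):
    """Alice approved Bob for 100 and now wants him limited to 50.

    Returns (bob_final_balance, names_of_reverted_txs). Pending transactions
    are applied in the order the block builder includes them; a revert leaves
    state untouched, exactly as on chain.
    """
    token = Token({"alice": 1000, "bob": 0})
    token.approve("alice", "bob", 100)

    def alice_tx():
        if use_decrease:
            token.decrease_allowance("alice", "bob", 50)
        else:
            token.approve("alice", "bob", 50)

    def bob_spends_100():
        # Bob's front-run attempt: take the full 100 he saw approved earlier.
        token.transfer_from("bob", "alice", "bob", 100)

    def bob_spends_rest():
        # After Alice's tx lands, Bob takes whatever allowance is left.
        left = token.allowance("alice", "bob")
        if left:
            token.transfer_from("bob", "alice", "bob", left)

    if bob_front_runs:
        order = [("bob_spends_100", bob_spends_100), ("alice_tx", alice_tx),
                 ("bob_spends_rest", bob_spends_rest)]
    else:
        order = [("alice_tx", alice_tx), ("bob_spends_100", bob_spends_100),
                 ("bob_spends_rest", bob_spends_rest)]

    reverted = []
    for name, tx in order:
        try:
            tx()
        except Reverted:
            reverted.append(name)
    return token.balances["bob"], reverted


def phish_via_increase_allowance(amount):
    """The scam flow: a victim with no prior approval signs increaseAllowance
    for an attacker, who immediately calls transferFrom.
    Returns (attacker_balance, remaining_allowance)."""
    token = Token({"victim": 1000})
    token.increase_allowance("victim", "attacker", amount)
    token.transfer_from("attacker", "victim", "attacker", amount)
    return token.balances["attacker"], token.allowance("victim", "attacker")


if __name__ == "__main__":
    for use_decrease in (False, True):
        for front_run in (False, True):
            bal, rev = run_race(use_decrease, front_run)
            print(f"{'decreaseAllowance' if use_decrease else 'approve':18} "
                  f"front_run={front_run!s:5} bob_gets={bal:3} reverted={rev}")
    print("phish:", phish_via_increase_allowance(400))
```

Running it shows Bob ending with 150 tokens only in the approve-plus-front-run case; with decreaseAllowance his front-run caps him at the original 100 because Alice's decrease reverts instead of overwriting, and without a front-run both variants leave him at 50.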

Best Practices for Token Permissions

Granting a token allowance is usually a necessary step when you start using a new contract. It is equally important to revoke allowances you no longer need (by setting them back to zero) as a matter of routine, and to approve only the amount a transaction actually requires rather than an unlimited amount.

The Smart Contract Allowance Checker is a tool for managing and monitoring your token approvals. It lists every address that currently has the ability to spend your tokens and lets you revoke those approvals. Reviewing it regularly limits the damage a single bad signature can do.
