If you're new to Ethereum, encountering an "approval" transaction when interacting with a smart contract can be confusing. You might wonder what this step means, why it requires a separate transaction that doesn't send any assets, and why you still have to pay a gas fee for it.
This article breaks down the technical essence of the "approval" operation in simple terms.
Understanding the Approval Operation
When interacting with a smart contract that manages your token assets, the first step is often an approval operation. But why is this necessary?
Approval is a fundamental security mechanism in the Ethereum ecosystem, especially for tokens following the ERC-20 standard. It allows a smart contract to access a specific amount of tokens from your wallet without you having to transfer them manually for every action.
A Practical Example: NEST Oracle Mining
Consider Bob, a miner providing price data for the NEST oracle for the ETH/USDT pair. To submit a price quote, he must lock both ETH and USDT into the quotation contract—say, 10 ETH and 1,600 USDT.
Before doing this, Bob must approve the NEST quotation contract to access his USDT. This approval is a separate on-chain transaction that requires gas fees. It informs the USDT token contract that the quotation contract (Contract A) has permission to withdraw up to a certain amount of USDT from Bob’s wallet.
Later, if a verifier accepts Bob’s quote, Contract A can automatically execute the trade by withdrawing the approved USDT amount. Without this approval, the contract couldn’t access Bob’s tokens.
Why Approve ERC-20 Tokens but Not ETH?
You might notice that in the example above, Bob only approved USDT, not ETH. This is because ETH is Ethereum’s native currency. When you send ETH to a contract, the network’s built-in rules ensure the contract receives it, provided it has a payable function.
ERC-20 tokens, however, are managed by their own smart contracts. A plain transfer only updates the balance mapping inside the token contract; the receiving contract is not called, so it has no way to know that tokens arrived or to act on them. Approval instead grants the target contract the right to initiate those ledger changes on your behalf, at the moment its own logic needs the tokens.
The Two Steps of Token Approval
Approval involves two distinct stages:
- The Approval Transaction: You authorize a specific smart contract (Contract A) to withdraw up to a certain number of tokens from your wallet. This is recorded on the blockchain and requires gas.
- The Execution Transaction: Later, when Contract A’s logic requires it, the contract itself triggers the actual token transfer from your wallet. If the contract never needs to use your tokens, no transfer occurs, even if approval is granted.
In short, approval is about granting potential access, not executing an immediate transfer.
The Risks of Over-Approval
To improve user experience, many decentralized applications (dApps) request approval for a very large, almost unlimited amount of tokens. This is known as over-approval.
While convenient, this practice carries significant risk. If the approved smart contract has a vulnerability or its admin turns malicious, your entire approved token balance could be stolen. It’s like giving a vendor a blank check.
Prominent wallets and dApps, like imToken and NEST, have implemented features to combat this. The NEST DApp, for instance, includes an authorization management page where users can review and revoke approvals they no longer need. Similarly, imToken clearly displays authorization details and provides a dedicated section for users to manage their permissions. To stay safe, it's wise to review and manage your token approvals regularly.
Is There a Way to Skip Approvals?
Technically, yes. An ERC-20 token could be designed with a function that transfers tokens and calls a method on the target contract in a single transaction. This would eliminate the need for a separate approval step.
However, most mainstream tokens prioritize simplicity and security by adhering to the standard ERC-20 specification, which keeps the transfer and approval functions separate. This keeps the token contract's functionality minimal and ensures broad compatibility across the ecosystem.
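The following Python model, added here as an illustration and not code from the USDT, NEST or imToken projects, puts three points from the sections above into runnable form: the two-step approve/transferFrom flow from "The Two Steps of Token Approval", the exposure created by an unlimited approval and its revocation from "The Risks of Over-Approval", and the transfer-plus-callback alternative (a transferAndCall-style method, as in ERC-677) from the section just above. `Token`, `QuotationContract`, the addresses and the balances are constructed for the example; the rule that a max-uint256 allowance is not decremented mirrors a common ERC-20 implementation convention, not a requirement of the standard.

```python
"""Toy model of ERC-20 allowance accounting (added example, not the USDT or NEST code)."""

UINT256_MAX = 2**256 - 1  # the "unlimited" amount many dApps request


class Token:
    """Minimal ERC-20-style ledger: balances plus (owner, spender) -> allowance."""

    def __init__(self, initial_balances):
        self.balances = dict(initial_balances)  # constructed sample balances
        self.allowances = {}

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        # Step 1: only the allowance entry changes; no tokens move.
        self.allowances[(owner, spender)] = amount

    def transfer(self, sender, to, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount

    def transfer_from(self, spender, owner, to, amount):
        # Step 2: the spender (a contract) pulls tokens within its allowance.
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if allowed != UINT256_MAX:  # common convention: "infinite" approvals are not decremented
            self.allowances[(owner, spender)] = allowed - amount
        self.transfer(owner, to, amount)

    def transfer_and_call(self, sender, receiver, amount):
        # Alternative from the article: move tokens and notify the receiving
        # contract in one call, so no prior approval is needed.
        self.transfer(sender, receiver.address, amount)
        receiver.on_token_received(sender, amount)


class QuotationContract:
    """Stand-in for 'Contract A': locks a miner's USDT when a quote is accepted."""

    def __init__(self, address, token):
        self.address = address
        self.token = token
        self.locked = {}

    def accept_quote(self, miner, usdt_amount):
        # The contract itself initiates the pull; it only succeeds if approved.
        self.token.transfer_from(self.address, miner, self.address, usdt_amount)
        self.locked[miner] = self.locked.get(miner, 0) + usdt_amount

    def on_token_received(self, sender, amount):
        self.locked[sender] = self.locked.get(sender, 0) + amount


def two_step_flow():
    """Approve exactly what the quote needs, then let Contract A pull it."""
    usdt = Token({"bob": 5000})
    contract_a = QuotationContract("contract_a", usdt)
    usdt.approve("bob", contract_a.address, 1600)
    after_approve = usdt.balance_of("bob")  # still 5000: approval moved nothing
    contract_a.accept_quote("bob", 1600)
    return after_approve, usdt.balance_of("bob"), usdt.allowance("bob", contract_a.address)


def over_approval_exposure(approved_amount):
    """Tokens a spender that turns malicious could take: min(balance, allowance)."""
    usdt = Token({"bob": 5000})
    spender = "compromised_dapp"
    usdt.approve("bob", spender, approved_amount)
    take = min(usdt.balance_of("bob"), usdt.allowance("bob", spender))
    usdt.transfer_from(spender, "bob", "attacker", take)
    return usdt.balance_of("attacker")


def revoke(token, owner, spender):
    """Revocation is just a new approval with amount zero."""
    token.approve(owner, spender, 0)
    return token.allowance(owner, spender)


def skip_approval_flow():
    """Single-call alternative: transfer and notify Contract A at once."""
    usdt = Token({"bob": 5000})
    contract_a = QuotationContract("contract_a", usdt)
    usdt.transfer_and_call("bob", contract_a, 1600)
    return contract_a.locked["bob"], usdt.balance_of("bob")


if __name__ == "__main__":
    print("two-step flow (before, after, remaining allowance):", two_step_flow())
    print("exposure with exact approval:", over_approval_exposure(1600))
    print("exposure with unlimited approval:", over_approval_exposure(UINT256_MAX))
    print("locked / remaining via transfer_and_call:", skip_approval_flow())
```

The exposure function is the number a defender cares about when reviewing approvals: with an exact approval the worst case is the 1,600 USDT the quote needed, while with an unlimited approval it is Bob's whole 5,000 USDT balance, and every deposit he makes later is exposed too until `revoke` sets the allowance back to zero.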
Frequently Asked Questions
What exactly does approving a token mean?
Approving a token means you grant a specific smart contract permission to withdraw a certain amount of tokens from your wallet. It’s a security feature that allows dApps to operate with your assets without you having to manually sign every single transaction.
Why do I have to pay gas for an approval if no tokens are moved?
The approval itself is a transaction that updates the state of the blockchain. You are paying gas for the computational work required to record your permission on the public ledger, which is a necessary step for future automated transactions.
Is it safe to approve unlimited tokens?
No, approving an unlimited amount is risky. If the smart contract you approved is compromised, an attacker could drain all the tokens you approved. It is much safer to approve only the amount needed for your immediate transaction or to use dApps that allow for easy approval management and revocation.
Can I revoke an approval after I've given it?
Yes, you can revoke an approval at any time. This is done by sending a new approval transaction that sets the allowed amount to zero. Many modern wallets and dApps have built-in interfaces to make this process simple and straightforward.
Do I need to approve every time I use a dApp?
Not necessarily. Many dApps request a one-time, large approval to save you time and gas fees on future interactions. However, due to the security risks, some users prefer to approve smaller amounts more frequently or use revoke tools after each session.
What's the difference between sending tokens and approving them?
Sending tokens transfers them directly to another address. Approving tokens does not transfer them; it only grants another smart contract the permission to transfer them from your wallet at a later time, based on its programmed rules.