Web3 wallet security: How fake approval scams exploit the revoke function

“Revoke” is always safe, right? That’s what most crypto users believe, especially since “revoke” is often considered a key part of Web3 wallet hygiene. Unfortunately, scammers have found a way to exploit this very feature. In our previous Web3 Wallet Security blogs, we covered the risks inherent in approving smart contract transactions without carefully verifying all the details. In this blog, we’ll break down what fake approval scams are, how scammers manipulate the “revoke” feature to their advantage, and most importantly, how you can avoid falling victim to these tactics.

What are fake approval scams?

Fake approval scams exploiting “revoke” trick users into thinking they’re taking back transaction permissions given to unfamiliar platforms or smart contracts. When users attempt to do this, they end up paying exorbitant “gas fees,” all while believing they’re securing their wallets.

The Lure: While browsing their token approvals on a blockchain explorer like Etherscan or inside their wallet, the user spots an unfamiliar approval for a token they don’t recognize. It looks like some unknown contract has access to their valuable assets. Panic sets in, and the user instinctively rushes to revoke the approval, believing they’re protecting their crypto.

The Trick: However, no real approval was ever granted in the first place. The scammer hasn’t touched the user’s tokens. Instead, they’ve played with the way the wallet or blockchain explorer displays information to make it seem like access has been granted to an unfamiliar contract. It’s nothing more than a clever visual trick – a fake approval designed to look legitimate. No access was ever granted, but when the user tries to revoke it, that’s where the scam trigger gets pulled.

The Gas Gimmick: The “revoke” transaction the user triggers is real – it’s a legitimate action, but it’s designed to cost them an arm and a leg in fees. The scammer profits from these inflated transaction costs, often using them to mint new tokens or execute other malicious actions under their control. What the user thought was a protective move turned into an expensive mistake. The fake approval was merely bait to lure them into paying for nothing.

While these scams don’t directly steal funds, they exploit the user by draining their wallet through outrageously high gas fees, leaving the rest of their assets untouched.

The Costly Loop: And the worst part? That sneaky approval doesn’t disappear from the explorer. If the user believes the revoke failed, they may try again, unknowingly feeding the scammer more funds. Each attempt escalates the loss, as the scammer gets another chance to pocket the user’s crypto. The more the user tries to fix it, the deeper they fall into the trap.

Real-Life example

In the image below, you’ll notice that the chain explorer indicates the user has granted unlimited approval for a “BEP-20 TOKEN*” to an unknown spender. This alarming sight can trigger panic, making the user believe they’ve unknowingly authorized a malicious contract.

However, in reality, this is a fake USDT token, and the scammers have manipulated the display to create the illusion of prior approval.

A closer look at the transaction page reveals that 300 supposed approval calls have been generated for multiple addresses linked to this fraudulent token. This tactic is designed to amplify the urgency, pressuring the victim into taking immediate action.

When the user attempts to revoke the approval, they are instead hit with exorbitant fees, ranging from a few dollars to hundreds or more. These fees aren’t just wasted; the scammer actively exploits them, using the transaction to mint new tokens or execute additional malicious actions, all while remaining unnoticed.

In the example above, the victim’s attempt to revoke the approval backfired. The scammer leveraged the transaction for their own gain, leaving the user with unexpectedly high fees and no resolution: the misleading approval remained visible, reinforcing the illusion that another attempt was necessary.

How to Spot and Avoid These Scams

Stay calm

Scammers count on fear and urgency to push you into making a mistake. If something seems off, take a step back, breathe, and assess the situation before acting. A clear head is your best defense against falling into their trap.

Double-check before you click

Before approving any transaction, take a moment to review the details. Does the amount look right? Do you recognize the contract address? Are there any odd warnings or unusual fees? If something feels off, cross-check with trusted sources, platforms or forums.

Know your fees

Familiarize yourself with the average size of gas fees on the chains you use. If a transaction fee looks suspiciously high or unusual, it could be a red flag. Use tools like Etherscan’s Gas Tracker, GasNow, or Blocknative’s Gas Estimator to monitor real-time gas prices and verify expected costs before proceeding.
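Two checks follow directly from how the scam works (a displayed approval that the chain never recorded, and a “revoke” that costs far more than a normal token approval): read the token’s actual allowance with a read-only call, and ask the node for a gas estimate of the revoke before signing it. The script below is an added example, not code from the original post; the `rpc` transport, the token addresses and the node responses are constructed placeholders.

```python
# Added example: verify an explorer-displayed approval against chain state and
# check what revoking it would cost before signing. `rpc` is an assumed JSON-RPC
# transport; every address and response below is constructed for illustration.
from typing import Callable, Dict, Tuple

# 4-byte selectors: first four bytes of keccak256 of the canonical signature.
ALLOWANCE_SELECTOR = "dd62ed3e"   # allowance(address owner, address spender)
APPROVE_SELECTOR = "095ea7b3"     # approve(address spender, uint256 amount)
MAX_NORMAL_REVOKE_GAS = 60_000    # a plain ERC-20 approve(spender, 0) uses far less

Rpc = Callable[[str, list], str]

def _abi_address(addr: str) -> str:
    """Left-pad a 20-byte hex address to a 32-byte ABI word."""
    return addr.lower().removeprefix("0x").rjust(64, "0")

def encode_allowance_call(owner: str, spender: str) -> str:
    return "0x" + ALLOWANCE_SELECTOR + _abi_address(owner) + _abi_address(spender)

def encode_revoke_call(spender: str) -> str:
    return "0x" + APPROVE_SELECTOR + _abi_address(spender) + "0" * 64  # amount = 0

def assess_revoke(rpc: Rpc, token: str, owner: str, spender: str) -> Dict[str, object]:
    """Return the on-chain allowance, the revoke gas estimate and a verdict."""
    raw = rpc("eth_call", [{"to": token, "data": encode_allowance_call(owner, spender)}, "latest"])
    allowance = int(raw, 16) if raw and raw != "0x" else 0   # explorers index events; this reads state
    gas = int(rpc("eth_estimateGas", [{"from": owner, "to": token, "data": encode_revoke_call(spender)}]), 16)
    if allowance == 0:
        verdict = "phantom approval: nothing to revoke, do not sign"
    elif gas > MAX_NORMAL_REVOKE_GAS:
        verdict = "abnormal revoke cost: the token contract does extra work, do not sign"
    else:
        verdict = "real approval, normal cost: safe to revoke"
    return {"allowance": allowance, "gas": gas, "verdict": verdict}

# Constructed node responses keyed by (method, token address).
FAKE_TOKEN, COSTLY_TOKEN, REAL_TOKEN = "0x" + "f" * 40, "0x" + "c" * 40, "0x" + "1" * 40
SAMPLE: Dict[Tuple[str, str], str] = {
    ("eth_call", FAKE_TOKEN): "0x" + "0" * 64,        # chain holds no allowance at all
    ("eth_estimateGas", FAKE_TOKEN): "0x2dc6c0",      # 3,000,000 gas for a "revoke"
    ("eth_call", COSTLY_TOKEN): "0x" + "f" * 64,      # allowance really set ...
    ("eth_estimateGas", COSTLY_TOKEN): "0x2dc6c0",    # ... but revoking it is priced absurdly
    ("eth_call", REAL_TOKEN): "0x" + "f" * 64,        # unlimited allowance really set
    ("eth_estimateGas", REAL_TOKEN): "0xb6d1",        # 46,801 gas, typical for approve
}

def sample_rpc(method: str, params: list) -> str:
    return SAMPLE[(method, params[0]["to"])]

OWNER, SPENDER = "0x" + "a" * 40, "0x" + "b" * 40

if __name__ == "__main__":
    for token in (FAKE_TOKEN, COSTLY_TOKEN, REAL_TOKEN):
        print(token[:6], assess_revoke(sample_rpc, token, OWNER, SPENDER)["verdict"])
```

Against a live node, `sample_rpc` would be replaced by a function that POSTs `{"jsonrpc":"2.0","method":…,"params":…}` to the RPC endpoint and returns the `result` field; the two calls are read-only and cost nothing.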

Constantly educate yourself

Scammers are always refining their tactics, but knowledge is your strongest defense. The more you understand about emerging threats and security best practices, the better equipped you are to spot red flags before they become costly mistakes. Stay informed with Binance Academy, and dive into our security series for deeper insights into the latest frauds.

Final thoughts

Scammers thrive on urgency, but a little vigilance goes a long way. The best defense against these deceptive tactics isn’t just knowing they exist, but staying one step ahead by double-checking approvals, verifying fees with trusted tools, and never rushing into transactions. Remember, extra caution isn’t paranoia – it’s an additional layer of protection in the dynamic world of Web3.

About author

Editor at TechArena. I cover all things technology and review new gadgets as I get them. You can reach me on email: [email protected]