Add method to revoke token allowance #8174

Open
danfinlay opened this issue Mar 9, 2020 · 14 comments
@danfinlay
Contributor

danfinlay commented Mar 9, 2020

Many exchanges and sites involve granting a token allowance, which leaves the user's token balance exposed to the delegate contract.

As the user's wallet, we should make it easy to revoke any permission that we make it possible to grant.

Where should we put this?

Our current permissions system is largely per-site, but allowances are per-contract, so while it may make a lot of sense to show the allowance in-line with a site's permissions, it isn't a perfect representation.

We may also want to show outstanding allowances in the token's view.

@danfinlay danfinlay added type-enhancement needs-design Needs design support. labels Mar 9, 2020
@danfinlay
Contributor Author

I'd love to be able to see my outstanding token allowances

  • In a site's connections tab?
  • In a tab on the token detail view?

@rachelcope

@jennypollack
Contributor

Just found out about https://approved.zone/ - they might have some useful findings.

@nathanielcook

nathanielcook commented Feb 14, 2021

Would love to see some movement on this. When revoking using https://revoke.cash, https://approved.zone or https://tac.dappstar.io, the prompt makes it appear you are giving them an allowance. The ability to revoke (without trusting yet another third party) is super basic... like removing old OAuth authorizations for something you used once and no longer trust. MetaMask could offer this as a periodic security recommendation: "Do you still want to let these smart contracts transfer tokens on your behalf?"
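The confusing prompt described above comes from the fact that, on chain, a revoke is simply an ERC-20 `approve(spender, 0)` call, so a wallet that shows every `approve` as "give allowance" cannot tell the two apart. The following is an added example, not MetaMask's code and not from any of the sites named in this thread, of how a wallet could decode the calldata of an `approve(address,uint256)` transaction and label it as a revoke, a capped allowance, or an unlimited allowance before the user signs. The selector `0x095ea7b3` is the standard ERC-20 one; treating only the exact uint256 maximum as "unlimited", the `classifyApproveCalldata`/`describeApproval` names and the sample spender address are assumptions constructed for this example.

```javascript
// Added example (not MetaMask's own code): decode ERC-20 approve(address,uint256)
// calldata so a signing prompt can say plainly whether a transaction revokes,
// caps, or grants unlimited spending of a token. Pure JavaScript, no libraries.

// 4-byte selector = first 4 bytes of keccak256("approve(address,uint256)").
const APPROVE_SELECTOR = "095ea7b3";
const UINT256_MAX = (1n << 256n) - 1n;

// Build approve() calldata: selector, then each argument left-padded to 32 bytes.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = BigInt(amount).toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amt;
}

// Returns { spender, amount, kind } for a well-formed approve() call, else null
// so the caller falls back to its normal handling of unknown transactions.
function classifyApproveCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (hex.slice(0, 8) !== APPROVE_SELECTOR || hex.length !== 8 + 64 + 64) {
    return null;
  }
  // An address occupies the low 20 bytes of its 32-byte word; the high 12 must be zero.
  if (hex.slice(8, 8 + 24) !== "0".repeat(24)) {
    return null;
  }
  const spender = "0x" + hex.slice(8 + 24, 8 + 64);
  const amount = BigInt("0x" + hex.slice(8 + 64));
  let kind;
  if (amount === 0n) {
    kind = "revoke"; // approve(spender, 0) is exactly what the revoke sites send
  } else if (amount === UINT256_MAX) {
    // Assumption for this example: only the exact maximum counts as unlimited.
    // Dapps also request other huge values; a real wallet could compare against
    // the token's total supply instead.
    kind = "unlimited";
  } else {
    kind = "limited";
  }
  return { spender, amount, kind };
}

// One-line prompt text a wallet could show in place of a generic "approve".
function describeApproval(data, tokenSymbol) {
  const c = classifyApproveCalldata(data);
  if (!c) return null;
  const who = c.spender.slice(0, 6) + "…" + c.spender.slice(-4);
  switch (c.kind) {
    case "revoke":
      return `Revoke ${who}'s permission to spend your ${tokenSymbol}`;
    case "unlimited":
      return `Allow ${who} to spend ALL of your ${tokenSymbol}, now and in the future`;
    default:
      return `Allow ${who} to spend up to ${c.amount} ${tokenSymbol} (base units)`;
  }
}

// Demo with a constructed spender address (not a real contract).
const SAMPLE_SPENDER = "0x1111111111111111111111111111111111111111";
for (const amount of [0n, 1000n, UINT256_MAX]) {
  console.log(describeApproval(encodeApprove(SAMPLE_SPENDER, amount), "TOKEN"));
}
```

The same decoding applies to the transaction a revoke site asks the wallet to sign: if the amount word is zero, the prompt can say "revoke" instead of "give allowance", which is the distinction the comment above is asking for.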

@pulsationseutrr

No progress? It's complicated to trust external sites. I would love to do it via MetaMask.

@DennisDyallo

+1
This functionality needs to be embedded into MetaMask. Users shouldn't have to search the net for trustworthy allowance revocation dapps. I know you're busy, but these are users' funds we're talking about.

@Amsumali

We should see this in MetaMask right away and not discover this after it is too late.

@danjm danjm added the area-api label Sep 24, 2021
@holantonela

I've been working on exposing token allowances in MM UI. Also, we want to allow users to submit an allowance update directly from the UI.

I've considered two primary user flows:

Also, while thinking about this UX, I'm wondering about the vocabulary we should enforce during this flow:

  • Allowance or spend limit?
  • Unlimited or infinite?
  • Revoke or decline?

In order to present a coherent flow, we may want to update the confirmation screen copy; a first approach is here:
https://www.figma.com/file/8z4Csc3wlOIkUz2OP1eTZW/Secure-UX-Improvements?node-id=398%3A8005

To keep users updated about the allowances they have given, we should send monthly reminders to review the allowances. A proposed notification is here:
https://www.figma.com/file/8z4Csc3wlOIkUz2OP1eTZW/Secure-UX-Improvements?node-id=273%3A7108

@pengu10

pengu10 commented Nov 28, 2021

Hi, this seems like a basic feature with major implications that can be "easily" exploited by malicious dapps. Relying on third-party sites to revoke token allowances seems like a chicken-and-egg problem/catch-22 for the user: how are we supposed to revoke allowances from the sites that revoke the allowances themselves?

The only safe option for the time being is creating entirely new wallets to mitigate any risks of:

  1. the revoke dapps (such as revoke.cash, the Etherscan revoke page) becoming unintentionally malicious
  2. malicious contracts emptying wallets

The negative of creating new wallets is that any previous contract interaction, such as being grandfathered into a protocol for being a previous user, is lost because the new wallet address does not get the old "benefits". One way around this is asking each dapp dev to change the address manually, which is highly unlikely to happen.

It has been quite hard to find this thread; I found it because Google had indexed the Twitter page https://twitter.com/metamask/status/1245769348364603392. I believe that this issue should clearly be communicated in a blog post by the MetaMask team, advising on official and "safe" ways to proceed with revoking token allowances while this feature is being implemented in the wallet UI.

From my understanding of the Twitter post, MetaMask officially endorses
https://tac.dappstar.io/#/
https://ethallowance.com/
as applications that are safe to use for revoking allowances.

I believe integrating this feature directly in the MetaMask UI would greatly benefit the security of all users of the wallet.

@nathanielcook

advise for official and "safe" ways

FYI, Etherscan also recently added one: https://etherscan.io/tokenapprovalchecker

@kamikazebr

kamikazebr commented Jan 20, 2022

advise for official and "safe" ways

FYI, Etherscan also recently added one: https://etherscan.io/tokenapprovalchecker

EDIT:
It shows the allowances for Rinkeby, but when I try to connect the wallet it requires mainnet.
https://rinkeby.etherscan.io/tokenapprovalchecker

In fact, if you use mainnet to connect on the Rinkeby link, it works.

Trying to click on the Revoke button, it does not change the network.

@Shankarshingri

Some staking has been done and now my wallet is hacked, as I had one address which has an unlimited allowance. If I revoke the allowance, is it possible for them to hack my account again? Please inform me whether I can change the linked wallet in staking; if it is possible, please reply.

@antonio-fr

FYI, I developed a web dapp to provide easy control for allowances management.
dappsprotect.com

@vandan vandan removed the area-api label Jul 12, 2022
@khoanguyen-yang

FYI, I developed a web dapp to provide easy control for allowances management. dappsprotect.com

This is nice! Will you publish the source code of this? Or may I ask where to find a source to map contract addresses to service names?

@dajsdslsshdbsj

How does this work?
