Revoke.Delegate: Automating Token Approval Revocation with MetaMask's Delegation Toolkit

Token smart contracts include an approve() function that allows another address to spend tokens on behalf of the token holder. This is a core part of the smart contract ecosystem today; without it, many DeFi applications would not be possible. For example, trading tokens on a decentralized exchange like Uniswap needs token approval before a swap can happen.

However, token approvals come with significant risks. Granting a smart contract permission to spend tokens means it can do so at any time. If a contract is hacked or contains malicious code, attackers can exploit these approvals to steal tokens.

Existing solutions like Revoke.cash track wallet approvals, and allow on-demand revocation. However, they rely on a manual process that must be done before or during an exploit, which is not always practical. Revoke.delegate – a hackathon project built at EthGlobal '24, offers a more efficient solution by automatically revoking approvals during an exploit, eliminating the need for constant monitoring or manual action. Here’s how the team achieved this.

Challenge: delegating wallet permissions while preserving privacy and ownership

Users must delegate specific wallet permissions to Revoke.delegate to enable automatic token approval revocation during an exploit. In this context, delegation means a smart contract account (the delegator) grants specific permissions to another smart contract or externally owned account (the delegatee) to perform defined actions under clearly established rules and conditions.

This process allows Revoke.delegate to securely identify affected token addresses, verify predefined conditions, and revoke approvals by calling the approve() or setApprovalForAll() functions to set allowances to zero.

The primary challenge involves maintaining privacy and self-ownership principles, ensuring users avoid sharing private keys or forfeiting control of their wallets by granting ambiguous permissions. The team also prioritized compatibility with the existing wallet ecosystem to facilitate seamless adoption.

Solution: securely delegate and manage wallet permissions with the Delegation Toolkit (DTK)

Integrating with the Delegation Toolkit (DTK) enabled Revoke.delegate to allow users to delegate wallet permissions while maintaining full self-ownership. Whenever an exploit is reported, Revoke.delegate securely retrieves the user delegations from the Delegation Storage managed by DTK and uses them to revoke token approvals for affected wallets. Here’s a high-level overview of the process:

1. A user connects their wallet to view all existing token approvals.
2. They choose to delegate wallet permissions. Behind the scenes, the createRootDelegation() function is called, specifying the Revoke.delegate smart contract as the delegatee.
3. The required permissions are defined using the addCaveats() function, specifying the approve() method, such as .addCaveat("allowedMethods", ["approve(address,uint256)"]).build().
4. The user signs the new delegation, which is then stored securely in the Delegation Storage managed by DKT.
5. In the event of an exploit, Revoke.delegate retrieves all stored delegations, verifies conditions, and revokes token approvals for affected wallets by calling the approve() or setApprovalForAll() functions to set allowances to zero—all without requiring user action.

Explore the docs to learn more about how the Delegation Toolkit streamlines these processes.

"The Delegation Toolkit helped us ensure users could delegate their wallet permissions without relinquishing ownership." – Ayush & Aashish, Builders of Revoke.delegate and EthGlobal ‘24 Hackathon Winners

By leveraging DTK, the Revoke.delegate team successfully automated token approval revocations, even in cases where users were offline or unaware of an ongoing exploit. Furthermore, since the toolkit natively supports ERC-7579, the team developed a solution compatible with leading wallets in the ecosystem, including Safe, Kernel, and Biconomy Nexus.