Tagged

Argent: Solving Dapps’ Dirty Secret

How to not sacrifice your security when using Dapps

Matthew Wright
Mar 24, 2020
Coindesk didn't realise Argent has already solved issue with ERC20 dapp security

CoinDesk recently drew attention to this problem — but they weren’t aware it has been solved

Dapps have a dirty secret: they can often access an unlimited number of tokens from your wallet. Sounds crazy, but that’s the reality behind the innocuous-sounding ERC20 Approve method.

Here’s how we solved it.

First, how could a Dapp access all my tokens?

Traditionally, when your wallet interacts with a Dapp it uses the ERC20 approve method. This gives the Dapp permission to transfer tokens from your wallet, up to a ceiling.

Contrary to the CoinDesk headline, it’s actually not a bug. Asking for such a high amount of tokens was a deliberate design choice: one that prioritized convenience over security. This is because it sought to minimize how many transactions you have to make with the Dapp.

ERC20 security in MetaMask, Trust wallet, Enjin and others.

Here’s how accessing Dapps used to look. Not so welcoming. Or safe. (Image credit: Saturn Network)

The problem, aside from poor user experience, is how insecure it is.

Dapps would usually ask you to approve an insanely high number, e.g. 10⁵⁰. Pretty much unlimited.

You could be wiped out if there was a bug or malicious actor.

What was done about it?

Some people argued that you could inspect a Dapp’s smart contracts to check it wouldn’t steal all your tokens. But this is complex, ignores the risk that developers can upgrade the smart contracts, and doesn’t protect the majority of people who don’t know how to read through a smart contract.

How we solved it

We’ve solved this through two separate approaches to accessing Dapps.

a) Integrating Dapps natively in Argent

We’ve natively integrated a handful of core DeFi Dapps (Maker, Compound, Kyber, Aave, TokenSets and more) — to help you borrow, earn and exchange.

We integrated these at smart contract level and ensured that only the amount requested is approved. And this all happens automatically under the hood — it’s invisible to Argent wallet owners.

Safer, and much easier too.

b) Connecting to desktop Dapps

As well as our native Dapp integrations you can also use Argent to access desktop Dapps. We do this through WalletConnect (a standard for connecting mobile wallets to desktop Dapps).

We’ve customized our WalletConnect integration to make it even safer. There are three main security features, as we wrote in this post.

1. Only approve what you want to spend

Argent detects if a Dapp is requesting a large amount and encourages you to only approve the amount you want to spend.

(We also call it ‘pre-authorize’, not approve, to clarify the process).

2. Protected by your daily transaction limit

With Argent you choose a daily transaction limit. Any transactions that exceed this limit are blocked for 24 hours. You can unblock them with your Guardians (your hardware wallets or friends you trust).

This limit also applies to the amount you pre-authorize a Dapp to take. This means there’s no risk of anyone draining your wallet.

3. Easily revoke a Dapp’s access to a token

Changed your mind about a Dapp? Revoke their access with a tap.


Further reading on our security model

You can learn more about our security here.

Ready to get started with DeFi?

Argent is a simple, secure, all in one wallet for investing in DeFi

Download Argent

Related Blogs

Ask Us Anything

Send like Venmo, invest like Robinhood: the Argent lowdown

The Argent manifesto

Why we build

On a roll: Making Ethereum accessible to all

Solving gas with Layer 2; doubling down on security for Layer 1

Own It

We use 🍪 cookies to personalise your experience on Argent. Privacy Policy

Accept

HQ London, made with ❤️ across Europe