Unlimited token approvals are granted silently, with no disclosure of the ongoing exposure surface.
Pillar: Agency
The problem
When a user approves a protocol to spend their tokens, the default is an unlimited approval. The allowance persists indefinitely and can be exercised by the approved contract at any time via transferFrom, including after that contract has been upgraded or exploited.
The long-term exposure created by a single approval is never disclosed at the moment of signing.
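As an added example (not code from the original note), the following Python models the wallet-layer check the note's open questions point at: it decodes approve(address,uint256) calldata, classifies the allowance as unlimited, excessive or scoped relative to what the user actually intends to spend, and builds the scoped calldata a wallet could offer instead. The spender address and amounts are constructed sample values; the 4-byte selector is the standard ERC-20 approve selector.

```python
# Wallet-layer pre-signing check for ERC-20 approvals (added example, not the note's own code).
# Assumption: `calldata` is the raw hex of a transaction's `data` field targeting an ERC-20 token.

APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = 2**256 - 1
SAMPLE_SPENDER = "0x1111111111111111111111111111111111111111"  # constructed, not a real contract


def decode_approve(calldata: str):
    """Return (spender, amount) for an approve() call, or None if the calldata is not one."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 * 2 or data[:8] != APPROVE_SELECTOR:
        return None
    # ABI encoding: selector, then two 32-byte words; the address is right-aligned in its word.
    spender = "0x" + data[8 + 24:8 + 64]
    amount = int(data[8 + 64:8 + 128], 16)
    return spender, amount


def classify_approval(calldata: str, expected_amount: int) -> str:
    """Label the allowance relative to the amount the user intends the protocol to move."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return "not-an-approval"
    _, amount = decoded
    if amount >= 2**255:
        # Not only exact uint256 max: anything in this range is an unbounded standing right.
        return "unlimited"
    if amount > expected_amount:
        return "excessive"
    return "scoped"


def encode_approve(spender: str, amount: int) -> str:
    """Build approve() calldata, e.g. the scoped allowance a wallet could substitute."""
    addr = spender.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + APPROVE_SELECTOR + addr + format(amount, "064x")


def main():
    intended = 10**18  # the one transfer the user actually wants to enable (constructed)
    unlimited = encode_approve(SAMPLE_SPENDER, UINT256_MAX)
    print("dApp requested:", classify_approval(unlimited, intended))
    print("wallet proposes:", encode_approve(SAMPLE_SPENDER, intended))


if __name__ == "__main__":
    main()
```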
Why it matters
- Agency: I do not know what ongoing rights I have granted over my capital.
- Safety: A single old approval can drain a wallet in a future exploit with no further user interaction.
What exists today
Revoke.cash and similar tools allow post-hoc approval management. ERC-20 permit (EIP-2612) enables scoped approvals but is not enforced by default.
The gap
There is no standard requiring protocols to request scoped, time-limited approvals by default.
Open questions
- Should approval scope be enforced at the wallet layer or the protocol layer?
- What’s the adoption barrier for EIP-2612 across existing protocols?