How Do You Revoke Token Approvals? A 2026 Walkthrough Using Revoke.cash and Etherscan

Tutorials · 2026-05-30 · 比特三棱镜编辑部

A lot of people assume most on-chain theft comes from leaked seed phrases. From what I’ve seen between 2024 and 2026, forgotten token approvals are the bigger drain. An “unlimited” approval signed in 2022 is still sitting there, and the second any USDC lands in your wallet, an old contract can sweep it. Revoking approvals is not a black-belt move, but it has to be done regularly. This post walks through two paths — Revoke.cash and Etherscan — so a beginner can clean their multi-chain wallets in about thirty minutes.

[Figure: a diagram of the approval-cleanup flow, with approval cards on the left and a glowing revoke shield on the right]

What an approval actually is

The ERC-20 transfer model is nothing like a credit card. When you “swap USDC for ETH on Uniswap”, that one click is really two transactions:

  1. First approve(Uniswap_Router, amount) — tell the USDC contract that Uniswap may pull up to X USDC from your account
  2. Then swap(...) — Uniswap calls transferFrom to actually pull the tokens

The trouble lies in the amount field. Almost every frontend defaults to 2^256 - 1, effectively “infinity” — so users don’t have to sign twice on every trade. Convenient, but the price is:

  • The approval is permanent until you revoke it
  • If that Uniswap router ever gets compromised, spoofed, or its frontend hijacked, it can drain every USDC in your wallet in a single transaction
  • Even if you move the tokens out, the approval persists; any new USDC you receive can still be pulled

That’s why the MetaMask phishing defense post hammers on reading signature contents — that little word “unlimited” is your true downside.
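To make "reading signature contents" concrete, the following added example (not code from the original post or from any wallet) decodes the calldata of a pending transaction and reports whether it is an unlimited, capped, or zeroing approve. It goes slightly beyond this section by also recognising the NFT setApprovalForAll call discussed later. The spender address and sample calldata are constructed placeholders.

```python
APPROVE = "095ea7b3"               # selector of approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # selector of setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1           # the "unlimited" default described above

def describe_calldata(data):
    """Return what a pending transaction's calldata would grant, and to whom."""
    raw = data.lower().removeprefix("0x")
    selector, args = raw[:8], raw[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return {"kind": "other"}
    if len(args) != 128:  # both functions take exactly two 32-byte ABI words
        raise ValueError("expected two 32-byte arguments")
    if int(args[:24], 16) != 0:  # an address occupies the low 20 bytes only
        raise ValueError("address word has non-zero padding")
    spender, value = "0x" + args[24:64], int(args[64:], 16)
    if selector == SET_APPROVAL_FOR_ALL:
        kind = "nft-operator-grant" if value else "nft-operator-revoke"
        return {"kind": kind, "spender": spender}
    if value == 0:
        kind = "revoke"        # approve(spender, 0) zeroes the allowance
    elif value == MAX_UINT256:
        kind = "unlimited"
    else:
        kind = "capped"
    return {"kind": kind, "spender": spender, "amount": value}

def encode(selector, spender, value):
    """Build sample calldata for the demo (constructed input, not a real tx)."""
    return "0x" + selector + spender[2:].rjust(64, "0") + format(value, "064x")

SPENDER = "0x" + "ab" * 20  # constructed placeholder address

if __name__ == "__main__":
    for sel, val in [(APPROVE, MAX_UINT256), (APPROVE, 250_000_000),
                     (APPROVE, 0), (SET_APPROVAL_FOR_ALL, 1)]:
        print(describe_calldata(encode(sel, SPENDER, val)))
```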

Path A: Revoke.cash (recommended for most people)

Revoke.cash is the longest-running tool in this space — free, open source, dozens of chains. The flow is dead simple:

  1. Open revoke.cash and double-check the domain; do not click search-engine ads
  2. Connect a wallet (or use read-only mode by pasting an address — safer)
  3. Pick a chain — Ethereum, Arbitrum, Base, Optimism, Polygon, BNB Chain, Avalanche, all covered
  4. Wait a few seconds for the page to list every active approval: token, spender, remaining allowance, last interaction
  5. Hit Revoke on the ones you want gone, sign in the wallet, done

Each revoke is an on-chain transaction with gas. Mainnet currently runs $1-3 per revoke; L2s cost cents. My personal cadence: clear all Layer 2 approvals quarterly, mainnet semi-annually.

Priority       Pattern                                                  Action
P0 immediate   Unlimited + idle 6+ months + holding ≥10% of net worth   Revoke same day
P1 high        Unlimited + idle 12+ months                              Revoke within a week
P2 medium      Capped but allowance far exceeds normal usage            Re-approve with realistic amount
P3 low         Major protocol used in the last week                     Leave, monitor
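The approval list from step 4 and the priorities in the table can be reproduced from raw ERC-20 Approval event logs. This added example (not code from Revoke.cash or from the original post) replays constructed logs to find approvals that are still live, then applies rows P0 to P2. The log record shape, the 182-day and 10x thresholds, and every address are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# topic0 of Approval(address,address,uint256); MAX_UINT256 is the "unlimited" value
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def pad(addr):
    """Left-pad a 20-byte address to the 32-byte form used in indexed topics."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def live_approvals(logs, owner):
    """Replay logs in chain order; the newest Approval per (token, spender) wins."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["block"], l["index"])):
        t = log["topics"]
        # ERC-721 Approval shares topic0 but indexes tokenId too (4 topics): skip.
        if len(t) != 3 or t[0] != APPROVAL_TOPIC or t[1].lower() != pad(owner):
            continue
        latest[(log["address"], "0x" + t[2][-40:])] = (int(log["data"], 16), log["time"])
    # A later approve(spender, 0) is a revoke, so zero-value entries drop out.
    return {pair: v for pair, v in latest.items() if v[0] > 0}

def priority(amount, updated, now, share_of_net_worth, typical_use):
    """Rows P0-P2 of the table. Assumptions: idle time runs from the last
    update, 6 months = 182 days, and 'far exceeds' means over 10x typical use."""
    idle = now - updated
    if amount == MAX_UINT256:
        if idle >= timedelta(days=182) and share_of_net_worth >= 0.10:
            return "P0"
        if idle >= timedelta(days=365):
            return "P1"
    elif amount > 10 * typical_use:
        return "P2"
    return None  # P3 or unranked: leave and monitor

# Constructed sample data: placeholder addresses and hand-made log records.
OWNER, TOKEN = "0x" + "aa" * 20, "0x" + "c0" * 20
OLD_DAPP, DEX = "0x" + "01" * 20, "0x" + "02" * 20
def ev(block, spender, value, year, extra=()):
    return {"address": TOKEN, "block": block, "index": 0, "data": hex(value),
            "time": datetime(year, 1, 1, tzinfo=timezone.utc),
            "topics": [APPROVAL_TOPIC, pad(OWNER), pad(spender), *extra]}

SAMPLE_LOGS = [
    ev(100, OLD_DAPP, MAX_UINT256, 2022),           # forgotten unlimited approval
    ev(200, DEX, MAX_UINT256, 2024),
    ev(300, DEX, 0, 2025),                          # revoked later
    ev(400, OLD_DAPP, 0, 2025, extra=(pad(DEX),)),  # ERC-721-shaped, ignored
]
```

The value in the latest Approval event is the amount last approved, not necessarily what remains, because transferFrom can reduce the allowance without emitting a new event; confirm with the token's allowance(owner, spender) before acting.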

Path B: Etherscan’s built-in token-approval-checker

Etherscan’s Token Approval Checker lives in the More menu on any address page, or directly at etherscan.io/tokenapprovalchecker. This route suits:

  • People uncomfortable connecting to Revoke.cash (it doesn’t request token approvals, but trust takes time)
  • Operators who already live in Etherscan
  • Anyone reconciling a historical approve transaction hash

How it works:

  1. Paste your wallet address or connect
  2. The page lists every approval with Approved Amount, Last Updated timestamp, and the spender contract source-code link
  3. Click Revoke and Etherscan deep-links your wallet to send approve(spender, 0) — literally zeroing the allowance
  4. Sign, confirm, and refresh; the allowance now shows 0

Etherscan’s strength is authoritative data — you can click into the spender contract, inspect the source, and check if it’s been flagged. The weakness is that it covers one chain at a time — multi-chain users have to switch networks repeatedly, which is where Revoke.cash is friendlier.

[Figure: Etherscan token approval checker page showing a list of token allowances with revoke buttons]

Path C: Wallet-native approval managers (Rabby, MetaMask 2026)

In 2025 Rabby rolled approval management into its “Approvals” menu, and MetaMask 2026.x followed. The flow mirrors Revoke.cash, with three differences:

  • Native managers don’t require visiting a third-party site, so the phishing surface is smaller
  • They show only the currently selected chain — multi-chain still means manual switching
  • Rabby color-codes by spender risk tier (blacklist / greylist / whitelist), which is more intuitive than a flat list

See Rabby vs MetaMask if you’re picking one.

If Rabby is your daily driver, treat the built-in tool as a weekly check-in and Revoke.cash as the quarterly deep-clean — their data sources differ slightly, so they cross-check each other.

Details people miss

One, setApprovalForAll for NFTs is more dangerous than ERC-20 approve. A single approval can sweep every BAYC, CryptoPunk, or Pudgy Penguin under the same contract. Revoke.cash flags these in red — handle them before ERC-20s.

Two, Permit2 doesn’t appear in the standard approval list. Uniswap’s Permit2 routes allowances through a central contract — the on-chain approval is to Permit2, while Permit2 itself stores a second layer of signed allowances that must be revoked from app.uniswap.org’s Permit2 page. Most tutorials skip this.

Three, not every stale approval is worth revoking. If the remaining allowance is 100 wei it’s not worth gas. If the contract is a major DEX you’ll use again next week, revoking now means re-approving and paying gas twice. My rule: risk × asset size > 10× gas cost before I act.

Four, a clean wallet stays clean for about a week. Every new protocol, every airdrop claim, every bridge spawns fresh approvals. The habit “check Revoke.cash after every new protocol” beats a quarterly mega-cleanup.

My personal cadence

Here is the checklist I’ve been running for two years — feel free to copy:

  • Monthly: open Revoke.cash, scan mainnet plus heavily used L2s, act on every P0/P1
  • Quarterly: nuke every approval on L2s that hasn’t been touched in six months — gas is negligible
  • Semi-annually: full mainnet sweep, including Permit2 and NFT setApprovalForAll
  • Before any large deposit: run Revoke.cash to confirm no stale approval is waiting to siphon the new funds

Once this rhythm clicks, the remaining 95% of your security exposure shifts back to seed phrase hygiene and phishing recognition — not a three-year-old approve that quietly empties your balance.