That night, the market was pretty quiet. Bored, I decided to put some idle coins into a certain lending protocol to earn a little yield. I opened the app, selected deposit, and a wallet popup appeared—there was only one button on the screen: Approve.

My finger paused there. Approve what? The interface looked fine, but that button always gives the impression of signing a blank check. That moment of hesitation actually touched on the root of most wallet risks.

In DeFi, playing with collateral, lending, or staking works like this: you want to lock tokens into a protocol, but not by directly transferring them. Instead, you first give the smart contract permission—allowing it to take tokens from your wallet when certain conditions are met. This is called Allowance in the industry, or approval of the limit. For example, participating in a staking mining project requires collateral assets to generate stablecoins, which are then staked to earn yields. You need to first grant permission to the protocol’s contract, letting it move your collateral.

Here’s a detail that’s easy to overlook: almost all mainstream tokens—stablecoins, most altcoins, cross-chain wrapped tokens—adhere to the ERC-20 standard and require this approval step. Only native chain tokens like ETH can usually bypass it. So you might have already approved many times without paying special attention.

Worse still, many wallets default to granting unlimited approval—equivalent to handing over the keys and making it valid forever. This means that if the contract gets hacked or someone launches an attack, your assets could be drained infinitely.