Controken

Token approvals are a core part of the smart contract ecosystem. Without them, a lot of DeFi applications would not be possible. But there are also risks to token approvals. If you give a smart contract permission to spend your tokens, it can spend them at any time. So if the smart contract is hacked or malicious, your tokens can be stolen.

One of the risks of token approvals is that the smart contract you are granting approval to can be hacked. Besides legitimate projects getting hacked, there are also a lot of scams and phishing attacks in the crypto space. These scams often use approvals to steal your money. Some common phishing scams that use approvals are:

1. Direct Approval to a Scammer: A scammer trick you into approving a smart contract that they control, allowing them to take the money directly from your wallet.
2. NFT Marketplace Listings: A scammer will trick you into signing a signature that lists your assets for sale on an NFT marketplace for 0 ETH, allowing them to "buy" your NFTs for 0 ETH.

Links

• https://github.com/dibakarsutradhar/controken.git

The main challenge I ran into was to index & filter all the internal transaction that fires Approve or ApproveAll events. I got over it by writing couple of functions that loops over the wallet transaction histories and utilises web3.js's getTransactionReceipt, sha3 and decodeLogs.