What is Authorization?

Authorization refers to granting partial token management permissions to a third party, allowing them to execute specific actions without requiring separate approval from the user. The third party here typically includes smart contracts of decentralized applications like decentralized exchanges (DEX), as well as individual wallet addresses.

However, with the rise of different web3 pages, authorization risks have also increased. When users mistakenly authorize malicious contracts or untrusted third parties, their tokens can be put at risk.

Why is Authorization Necessary?

Web3 pages utilize smart contracts to facilitate transactions and operations. To ensure smooth transactions and utilize the full functionality of a web3 page, users need to grant specific permissions to these smart contracts.

For instance, if a user wants to swap USDT for ETH through Tokenlon (provided by Tokenlon)
), they need to authorize their USDT tokens to Tokenlon's exchange contract. This authorization empowers the contract to transfer USDT from the user's address to the exchange contract and subsequently move the successfully swapped ETH to the user's address.

Note: Authorization operations are prevalent on blockchains like Ethereum, Tron, and other Layer2 and EVM-compatible networks.

How to preventing Authorization Scams:

Token authorization is a common operation in blockchain transactions, but it also carries certain risks. We need to exercise caution when reviewing each authorization request, and regularly manage them to safeguard tokens.

Before Authorizing:

  • Conduct thorough research: Do solid research before using a new web3 page. Understand its background, reputation, and development team to ensure its credibility.
  • Verify contract addresses: When using a web3 page, verify the accuracy of contract addresses. Avoid clicking on unclear links or obtaining addresses from unverified sources.
  • Use official channels: Always download apps from official websites, social media, or app stores to prevent malware infection.
  • Guard against phishing attacks: Be cautious of phishing attacks, avoid clicking on unfamiliar links, and refrain from providing personal information or private keys.

After Authorizing:

  • Regularly review authorizations: Periodically inspect authorized contracts and applications, and promptly revoke unnecessary authorizations. imToken supports authorization management through Revoke.cash, including modification and revocation.
  • Apply the principle of “least privilege”: During authorization, set minimal token amounts and the shortest durations whenever possible.
  • Confirm transaction details: Carefully verify transaction details before executing any transaction.