Ava surfaces unlimited and stale token approvals — the biggest silent risk in most DeFi wallets — and helps you clean them up.
Most DeFi wallets accumulate token approvals — permissions you granted to contracts to spend your tokens. Some of those approvals are unlimited; many are to contracts you stopped using months ago. If any of those contracts get exploited, the attacker can drain the tokens you approved without ever touching your seed phrase. It's the single most common silent risk in a long-lived DeFi wallet, and almost no one is reviewing it.
In every portfolio scan, Ava flags:
MaxUint256 allowance).
Each flagged approval shows: which token, which contract, how long ago it was granted, how recently it was used, and the contract's reputation signal.
🟠 You have 7 token approvals that look risky:
- Unlimited USDC → 0xAbCd… (used 0 times in 92 days)
- Unlimited WETH → 0xC0fF… (used 0 times in 187 days)
- Unlimited DAI → 0xDeAd… (unverified contract!)
- … (4 more)
Want a link to revoke them safely?
Approval revocation is a transaction you send from your own wallet — not something Ava can do for you under a Guardian permission. (Approvals live on your EOA, not inside the smart-wallet policy.)
Ava gives you a clean, copy-pasteable link to a trusted revocation tool (e.g. revoke.cash) pre-filtered to the flagged approvals. You click, you connect your wallet, you confirm — each revoke is a single transaction. Ava can guide you through it; you do the signing.
Automatic revocation would require Ava to hold an authorization on your EOA, which is a much broader trust ask than a smart-wallet policy. The right model for approval cleanup is: Ava flags continuously, you act (cheap, easy, your tap). We may add a one-tap revoke flow inside the Telegram chat in the future, gated by per-approval confirmation, but it will never be "auto-revoke everything Ava thinks is risky."
Ava's job is to make sure you don't have to remember — it'll surface stale risky approvals every scan.
Many "scam wallet drainer" attacks rely on the victim having a stale unlimited approval to a compromised contract. The drain happens via the existing approval; the user signs nothing at attack time — because they already signed the approval months ago. Reviewing stale unlimited approvals quarterly is the single biggest preventative measure most users skip.
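The flags described above can be derived by replaying a wallet's approval history. The following is an added example, not Ava's code and not part of the original page. The event tuple shape, the 90-day cutoff, the spender labels and the verified set are all assumptions made for illustration.

```python
from collections import namedtuple

MAX_UINT256 = 2**256 - 1
STALE_DAYS = 90   # assumed threshold; the page gives no exact cutoff
DAY = 86_400

Finding = namedtuple(
    "Finding", "token spender unlimited days_since_grant days_since_use verified")

def flag_approvals(events, verified_spenders, now):
    """Replay one owner's decoded events and return the risky live approvals.
    events: (timestamp, kind, token, spender, value); kind is "approve"
    (an ERC-20 Approval log) or "spend" (a transferFrom by that spender)."""
    live, last_use = {}, {}
    for ts, kind, token, spender, value in sorted(events, key=lambda e: e[0]):
        key = (token, spender)
        if kind == "approve" and value == 0:
            live.pop(key, None)          # approve(spender, 0) revokes
        elif kind == "approve":
            live[key] = (ts, value)      # the latest Approval replaces earlier ones
        elif kind == "spend":
            last_use[key] = ts
    findings = []
    for (token, spender), (granted, value) in live.items():
        used = last_use.get((token, spender))
        idle_days = (now - max(granted, used or granted)) // DAY
        unlimited = value == MAX_UINT256
        verified = spender in verified_spenders
        # Flag stale unlimited approvals and any approval to an unverified spender.
        if (unlimited and idle_days >= STALE_DAYS) or not verified:
            findings.append(Finding(
                token, spender, unlimited, (now - granted) // DAY,
                None if used is None else (now - used) // DAY, verified))
    return findings

# Constructed sample data: labels stand in for contract addresses.
NOW = 1_700_000_000
SAMPLE_EVENTS = [
    (NOW - 92 * DAY, "approve", "USDC", "spender-A", MAX_UINT256),
    (NOW - 200 * DAY, "approve", "WETH", "spender-B", MAX_UINT256),
    (NOW - 10 * DAY, "spend", "WETH", "spender-B", 10**18),
    (NOW - 5 * DAY, "approve", "DAI", "spender-C", 500 * 10**18),
    (NOW - 300 * DAY, "approve", "USDT", "spender-D", MAX_UINT256),
    (NOW - 100 * DAY, "approve", "USDT", "spender-D", 0),
]
VERIFIED = {"spender-A", "spender-B", "spender-D"}
```

Event replay overstates finite allowances that have been partly spent, so a real scanner should confirm each live entry against the token's `allowance(owner, spender)` before reporting it.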