Security - Permission Revoking Service

Revoke.Cash, one of the open-source projects that allow for permission revoking, has added RSK support. This is very valuable and very important if you want security. You can connect your wallet and see which of your token addresses you’ve granted permissions to. If one of the token addresses in your wallet has granted permissions it means someone could withdraw funds from your account without you knowing. It’s good practice to consistently review your permissions then revoke them when they’re not in use.

You can read more about the possible attack here: Individual Security Measures - BadgerDAO Attack

6 Likes

I have a few questions on that topic.

  1. Will permission revoking for example on staking SOV or LP-ing affect future transactions/interactions with those pools?
  2. Does that mean that, once we revoke permissions, we’ll have to perform additional transactions interacting with those pools again?
  3. Are there instructions on how to perform permission revoking?
  4. Does Revoke collect any sensitive information about our wallets/addresses (e.g. seed phrases or private keys)? How can we verify this?

there’s no way for revoke.cash to extract this data from your wallet unless your wallet is horribly broken already. what you really want to make sure of is that the txs you’re signing are actually revoke transactions and not either new approval txs or send txs – this is true of any tx btw, you want to make sure that the txs you’re signing are actually doing what you think they’re doing.

1 Like

Any plans to move this functionality into the main revoke.cash domain? If so, do you know when that will happen?

1 Like

This is great and makes me wonder if we still need to create our own allowance tracker if there are other options out there popping up

@light thoughts?

I’ve sent this forum post to the developer, Rosco, so I am hoping he can respond directly to all these points.

1 Like

That would be great, in light of their own advice here:

https://twitter.com/RevokeCash/status/1511810797361631235

I don’t feel comfortable recommending this tool until it’s on their official domain, or they tweet an exception to their tweet above.

1 Like

Hey guys! Revoke.cash developer chiming in here.

Some answers to the questions mentioned above

  1. Will permission revoking for example on staking SOV or LP-ing affect future transactions/interactions with those pools?

Approvals/revoking does not impact existing LP or staking positions. But if you want to stake more tokens, you will need to re-approve the allowances.

  2. Does that mean that, once we revoke permissions, we’ll have to perform additional transactions interacting with those pools again?

If you want to add to your staked / LP position, yes.

  3. Are there instructions on how to perform permission revoking?

You go to https://revoke.cash, connect your wallet (switched to the right chain), look at your allowances, and click “revoke” for the allowances you want to revoke.

  4. Does Revoke collect any sensitive information about our wallets/addresses (e.g. seed phrases or private keys)? How can we verify this?

No. As @light mentioned, that would be a huge security flaw in the wallet’s design. Furthermore, no identifying information (such as wallet addresses) is stored either. The code is open source so this can be verified.

what you really want to make sure of is that the txs you’re signing are actually revoke transactions and not either new approval txs or send txs – this is true of any tx btw, you want to make sure that the txs you’re signing are actually doing what you think they’re doing.

Exactly right. If you’re paranoid about using a new service (which you probably should be), you can look at the MetaMask popups, click “Edit Permission” and verify that the website is actually setting the allowance to 0 when revoking.

Any plans to move this functionality into the main revoke.cash domain? If so, do you know when that will happen?

Likely next week.

I don’t feel comfortable recommending this tool until it’s on their official domain, or they tweet an exception to their tweet above.

Absolutely, I agree. I’d recommend “regular” users to wait until I merge this into the main domain (approx some time next week).

7 Likes
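
The check the replies above describe, confirming that a transaction being signed sets the allowance to 0 rather than granting a new approval or sending tokens, written out as an added example (not part of the original thread and not Revoke.cash code). It covers only the standard ERC-20 `approve`, `transfer` and `transferFrom` calls; the sample addresses and amounts are constructed placeholders.

```javascript
// Added illustration (not Revoke.cash code): classify ERC-20 calldata
// so a "revoke" can be told apart from a new approval or a send.
const ERC20_SELECTORS = {
  "095ea7b3": { name: "approve", args: 2 },      // approve(address,uint256)
  "a9059cbb": { name: "transfer", args: 2 },     // transfer(address,uint256)
  "23b872dd": { name: "transferFrom", args: 3 }, // transferFrom(address,address,uint256)
};

function classifyCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{8,}$/.test(hex)) return { kind: "unknown", reason: "not hex calldata" };
  const fn = ERC20_SELECTORS[hex.slice(0, 8)];
  if (!fn) return { kind: "unknown", reason: "unrecognized selector" };
  // Each ABI argument is one 32-byte word (64 hex chars); reject anything else.
  if (hex.length !== 8 + 64 * fn.args) return { kind: "unknown", reason: "unexpected length" };
  const words = [];
  for (let i = 0; i < fn.args; i++) words.push(hex.slice(8 + 64 * i, 72 + 64 * i));
  const amount = BigInt("0x" + words[fn.args - 1]);
  const partyWord = words[fn.args - 2];
  // An address is 20 bytes, left-padded with 12 zero bytes.
  if (!partyWord.startsWith("0".repeat(24))) return { kind: "unknown", reason: "malformed address" };
  const party = "0x" + partyWord.slice(24);
  if (fn.name === "approve") {
    // Allowance 0 is a revoke; any other value grants spending rights.
    return { kind: amount === 0n ? "revoke" : "approval", spender: party, amount };
  }
  return { kind: "send", to: party, amount };
}

// Constructed sample inputs (addresses are placeholders, not real contracts).
const SPENDER = "11".repeat(20);
const pad = (h) => h.padStart(64, "0");
const SAMPLES = {
  revoke: "0x095ea7b3" + pad(SPENDER) + pad("0"),
  unlimited: "0x095ea7b3" + pad(SPENDER) + "f".repeat(64),
  send: "0xa9059cbb" + pad(SPENDER) + pad("de0b6b3a7640000"), // 1e18 base units
};

for (const [label, data] of Object.entries(SAMPLES)) {
  const r = classifyCalldata(data);
  console.log(label, "->", r.kind, r.spender || r.to, r.amount.toString());
}
```

Anything the function reports as `unknown` is calldata it cannot vouch for, which is a reason to stop and inspect rather than sign.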

Awesome, great contribution! Thanks @rosco

1 Like

Thank you for this response. Appreciate it!

Thank you @light and @rosco

1 Like

Looks like it was merged into the main domain!

2 Likes