If you are not yet convinced that you should NOT be approving an unlimited token allowance to some random smart contract/Dapp, here’s a story of how Jhon Doe lost $140K worth of UNI in their sleep.
1/
👇
Jhon sees a fancy new farming scheme called UniCats and decides to put some money in. Who knows, it might be the next YFI.
https://etherscan.io/address/0xb246bcd5baac8e342941d0f803d528b6668e42cd
Jhon decides to deposit some $UNI, gets the good old “Allow this Dapp to spend your UNI” message from Metamask, and thinks: “Oh, this again. Yeah, all the farming Dapps do that, why not 🤷‍♂️”

And approves the transaction.
What Jhon doesn’t know is that once you have approved the contract to spend ∞ tokens, the contract (or whoever controls it) can pull your tokens with transferFrom at any time, for as long as the allowance stands. Withdrawing from the farming scheme returns the tokens to your wallet, but it does not touch the allowance, so they can be taken even after they were withdrawn.
Introducing UniCat 👿, the owner of the UniCats farm. UniCat is a greedy bastard. Not only was the whole thing a rug pull and a scam, it also went after every token the users had approved to the farm.
UniCat built a backdoor into the farming contract: an owner-only "setGovernance" method that lets the owner make the farm contract call any address with any calldata. Because the call is sent by the farm contract itself, it runs with the allowances users granted to the farm on the UNI token.
So UniCat calls setGovernance with a call to the UNI token: a transferFrom that moves Jhon’s tokens from Jhon’s wallet to the farm. The UNI contract only checks that the caller (the farm) has an allowance from Jhon, and it does.
The stolen tokens are then swapped to ETH on Uniswap.
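To make the mechanism concrete, here is a plain-Python model of the attack path above. It is an added example, not the thread’s or the UniCats contract’s code: it reproduces ERC-20 allowance semantics (approve overwrites, transferFrom checks the caller’s allowance, an unlimited allowance is never decremented) and a farm with an owner-only arbitrary-call backdoor. The names Token, Farm, set_governance, "jhon" and "unicat" are illustrative, and the balances are constructed.

```python
"""Model of an unlimited-approval drain through a backdoored farm contract.
Added example; not code from the original thread or the UniCats contract.
Names and balances are illustrative / constructed."""

UINT256_MAX = 2**256 - 1


class Token:
    """Minimal ERC-20: balances plus allowances[owner][spender]."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        # approve() overwrites, so approving 0 is how you revoke.
        self.allowances.setdefault(owner, {})[spender] = amount

    def allowance(self, owner, spender):
        return self.allowances.get(owner, {}).get(spender, 0)

    def transfer(self, caller, dst, amount):
        if self.balances.get(caller, 0) < amount:
            raise ValueError("ERC20: transfer amount exceeds balance")
        self.balances[caller] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def transfer_from(self, caller, src, dst, amount):
        """`caller` is msg.sender: it needs an allowance from src, nothing else."""
        allowed = self.allowance(src, caller)
        if allowed < amount:
            raise PermissionError("ERC20: insufficient allowance")
        if self.balances.get(src, 0) < amount:
            raise ValueError("ERC20: transfer amount exceeds balance")
        # Common ERC-20 implementations leave an "infinite" allowance untouched,
        # so it survives any number of deposits and withdrawals.
        if allowed != UINT256_MAX:
            self.allowances.setdefault(src, {})[caller] = allowed - amount
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class Farm:
    """Farming contract with an owner-only arbitrary-call backdoor."""

    NAME = "farm"  # the farm's own address

    def __init__(self, owner, token):
        self.owner = owner
        self.token = token
        self.deposits = {}

    def deposit(self, user, amount):
        # The farm is msg.sender inside the token, so it spends the user's allowance.
        self.token.transfer_from(self.NAME, user, self.NAME, amount)
        self.deposits[user] = self.deposits.get(user, 0) + amount

    def withdraw(self, user, amount):
        if self.deposits.get(user, 0) < amount:
            raise ValueError("nothing to withdraw")
        self.deposits[user] -= amount
        self.token.transfer(self.NAME, user, amount)  # allowance is NOT touched

    def set_governance(self, caller, target, method, *args):
        """Backdoor: the owner makes the farm call any method on any contract,
        with the farm as msg.sender (hypothetical stand-in for an arbitrary call)."""
        if caller != self.owner:
            raise PermissionError("not owner")
        return getattr(target, method)(self.NAME, *args)


def run_scenario(approval, revoke_after=False):
    """Approve `approval`, deposit 100, withdraw 100, optionally revoke, then the
    owner tries to drain the wallet. Returns (victim balance, farm balance)."""
    token = Token({"jhon": 1_000})  # constructed starting balance
    farm = Farm("unicat", token)
    token.approve("jhon", Farm.NAME, approval)
    farm.deposit("jhon", 100)
    farm.withdraw("jhon", 100)  # Jhon is out of the farm, tokens back in wallet
    if revoke_after:
        token.approve("jhon", Farm.NAME, 0)
    try:
        farm.set_governance("unicat", token, "transfer_from",
                            "jhon", Farm.NAME, token.balances["jhon"])
    except PermissionError:
        pass  # drain rejected by the token's allowance check
    return token.balances["jhon"], token.balances.get(Farm.NAME, 0)


if __name__ == "__main__":
    print("unlimited approval:", run_scenario(UINT256_MAX))       # (0, 1000)
    print("exact approval:   ", run_scenario(100))                # (1000, 0)
    print("revoked after:    ", run_scenario(UINT256_MAX, True))  # (1000, 0)
```

The three runs are the whole lesson: with an unlimited allowance the owner empties the wallet after Jhon has already withdrawn; with an exact-amount approval the allowance is spent by the deposit itself and the backdoor call fails; and an unlimited approval that is revoked (approve to 0) is just as safe.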

https://ethtx.info/mainnet/0x479f2ad79b096c4f30eae9a82785bf43bd3c908a1557a3e6e87405668980222f
Epilogue:
If you have ever used the UniCats contract, make sure to revoke every token approval you gave it (an approve with amount 0), using a tool such as https://tac.dappstar.io/#/

Never approve more than you need, especially for unaudited contracts.

Read our blog on how #baDAPProve works https://medium.com/zengo/badapprove-defis-open-secret-security-issue-and-how-zengo-solves-it-4eb8693a7978
You can follow @amanusk_.