How to revoke unlimited approval on Arbitrum Nova (since apparently no one here is following the recommended security guidelines)

This guide applies to everyone who has used a swap on Arbitrum Nova at least once. But even for those of you who haven't swapped before, you will learn better security habits and how to interact with smart contracts by reading this guide.

A few of you might be already aware of the risks of Unlimited Approval for ERC-20 tokens. If you approve of a sender, they can spend your ERC-20 token however they want until the limit you originally set. The recommended guideline is to set an amount just enough for your routine usage, and also periodically review your approved contracts. There are sites like https://etherscan.io/tokenapprovalchecker that help you check and revoke your unlimited spending approvals.

MetaMask even has a guide on it. However, none of these tools and guides apply to Arbitrum Nova.

I've seen a lot of members talk about this security risk from time to time, but no one here is actually following the recommended safety guidelines. Of the last 100 "Approval" transactions on the ArbSubredditPoints contract, all are using the default unlimited spending approval amount.

I'm not trying to scare anyone. I'm pretty sure RCPSwap and SushiSwap are safe. They both have a solid history. But it's bad practice to set unlimited approval. In light of the recent Binance bridge exploit on a thoroughly-audited contract, I think it's better to play it safe. The ArbSubredditPoints contract is upgradeable, so something unexpected could potentially happen to it in the future, though we'll also have bigger things to worry about then.

Transaction costs are currently so low on Arb Nova that the cost to redo your approval amount is under $0.01. So it's super easy to increase it again later.

Since there are no tools/guides for checking and revoking approvals on Arbitrum Nova, I wrote one up:

How to find out if you have an unlimited spending approval

So far, there are only 2 swaps that ask for approval for Reddit Community Points: RCPswap and SushiSwap.

What happens is that when you visit the swap site, if you try to enter an amount of tokens greater than the approved limit, it will ask you to Approve again. Every time you send more tokens to the approved sender address, the amount that you can spend later will decrease by the sent amount.

Checking through MetaMask:

1. The easiest way is to open MetaMask. Then select your Reddit account.
2. Go to your "Activity" tab and look for an "Approve XXX spend limit" transaction. If it doesn't exist, then you're fine. If it does exist, open its details and check the Spend limit amount.
3. That entry also has a "View on block explorer" link to the transaction on the Arbitrum Nova Explorer. Open that link and copy the address under the "spender" field.

That large number is the default unlimited spending amount

The Spender address has approval to access your account tokens

Checking through the Arbitrum Nova Explorer:

1. Find your address on Arb Nova Explorer. It's at https://nova-explorer.arbitrum.io/address/xxxxx where xxxxx is your address.
2. Check your list of transactions to see if you have an "Approve" type transaction
3. If you find an Approve transaction, open it
4. Scroll down to the Input section and look for the "Amount", which is a uint256 number.
5. If the amount looks enormously large (e.g. 115792089237316195423570985008687907853269984665640564039457584007913129639935), then it's set to the default unlimited spending. Multiple the amount by 10^-18 (number of decimal places for Moons) to get the spending approval amount in Moons.
6. Copy the address under the "spender" field.

How to Clear the amount

1. ​

How to find the ArbSubredditPoints contract from the transaction

1. In the "Approve" transaction you opened earlier, click on the address under the "Transaction Details" > "Interacted With (To)" field. It should open the ArbSubredditPoints contract
2. Go to the "Write Proxy" tab
3. Connect your wallet and give it permissions to "See address, account balance, activity and suggest transactions to approve"
4. Find the "approve" function (it should be number 2)

https://preview.redd.it/z4efpw5v73t91.png?1496&format=png&auto=webp&s=054f27d502c63ccde3db0a73a588df7e066db199

1. Every approve function is slightly different. This one will have 2 fields: "spender" and "amount"
2. Set the "spender" to the same spender address you copied earlier that was in your previous approve transaction. For Moons, it'll be one of these 2:
   1. For RCPSwap: 0x28e0f3ebab59a998C4f1019358388B5E2ca92cfA
   2. For SushiSwap: 0x1b02dA8Cb0d097eB8D57A175b88c7D8b47997506
3. Set the "amount" to 0 to remove the approval. You can also enter your expected future trading amount if you trade routinely.
4. Press the "Write" button and sign into MetaMask
5. Before you "Confirm" the transaction, press the "Edit permission" link in MetaMask. It'll tell you exactly how much the amount represents so you can double-check it.
6. Press "Confirm" to send it. The transaction should only take a couple of seconds to confirm.

Use the Edit permission to double-check the amount

Sender addresses

For the record, these are the 2 known "Sender" addresses. They're both called "UniswapV2Router02", but they're deployed by different accounts and have different code. Auditing them is way beyond my knowledge.

• RCPswap > UniswapV2Router02: https://nova-explorer.arbitrum.io/address/0x28e0f3ebab59a998C4f1019358388B5E2ca92cfA
• SushiSwap > UniswapV2Router02: https://nova-explorer.arbitrum.io/address/0x1b02dA8Cb0d097eB8D57A175b88c7D8b47997506

How to find your remaining approval balance (i.e. allowance)

• Visit the Moons contract
• Go to Read Proxy > Allowance
• For Owner, enter your address. For Spender, enter one of the 2 sender addresses listed above (starting with '0x').
• Take away the last 18 digits to get the amount of Moons left in the approval

Edit: Added some redacted screenshots