What Is an Approval Drainer in Crypto?

An approval drainer is a malicious smart contract that waits for a user to grant it token allowances, then sweeps those tokens into an attacker-controlled wallet. Drainers are sold as crime-as-a-service kits — Inferno, Pink, Angel, Venom — that provide the contract plus a revenue-sharing front-end, so attackers without smart-contract skills can deploy full phishing campaigns. Losses run into hundreds of millions per year across EVM chains and Solana.

Also known as: wallet drainer, token approval drainer, drainer contract, drainer kit

How an approval drainer works

Drainers exploit the permission model of ERC-20 tokens (and equivalents on Solana, Tron, and other chains):

  1. Spoofed dApp front-end. The attacker hosts a fake Uniswap, OpenSea, or airdrop claim site at a look-alike URL (uniswapp.io, opensea-claim.xyz).
  2. The user connects their wallet. Standard WalletConnect or MetaMask flow — nothing suspicious yet.
  3. The signature request. Instead of the transaction the user expected (swap, mint, claim), the drainer asks them to sign approve(drainer_address, max_uint256) for a valuable token — USDC, WETH, a bluechip NFT collection — or setApprovalForAll(drainer_address, true) for NFTs.
  4. The user signs. Wallet UIs often render the permission request in dense hex; most users click through without parsing it.
  5. The drain. The attacker’s contract immediately calls transferFrom on the approved token, sweeping the user’s balance into the attacker’s wallet. Exit funds are laundered through Tornado Cash or cross-chain bridges within minutes.

Variants

  • Permit signature drain. Uses EIP-2612 permit() signatures — a gasless off-chain signature that grants approval. The attacker submits it on-chain when convenient. Particularly dangerous because no gas fee shows up in the user’s wallet to tip them off.
  • Permit2 drain. Uniswap’s Permit2 standard allows one approval to cover multiple tokens; attackers trick users into signing Permit2 grants covering every valuable token in their wallet.
  • Malicious contract logic dressed as something else. A contract that claims to be a staking or claim function internally calls an approval.
  • Seaport / OpenSea order drain. Attackers craft fake NFT listings that, when accepted, sign an order transferring the victim’s NFTs for zero payment.

Drainer kits (crime-as-a-service)

The drainer ecosystem runs as a business:

  • Kit developers build and maintain the drainer contracts, front-ends, and admin dashboards.
  • Affiliates (often “workers” recruited in Telegram) distribute phishing links — fake Twitter giveaways, DM spam, typosquat domains.
  • Revenue split. Typically 70-80% to the affiliate, 20-30% to the kit developer, automatically enforced on-chain.
  • Notable kits. Inferno Drainer (shut down voluntarily in 2023 after ~$80M drained), Pink Drainer, Angel Drainer, Venom, Monkey, Pussy. Several re-spin every few months as old kits are blocklisted.

Defenses

  1. Never sign unknown approvals. If a site asks for approve or setApprovalForAll, assume malicious until you’ve verified the destination contract.
  2. Use a transaction-previewing wallet. Rabby, Pocket Universe, Fire, and Blockaid all simulate the transaction and show the actual state change — asset-out, asset-in, approval targets. Most drains are obvious once previewed.
  3. Revoke old approvals regularly. Revoke.cash, Etherscan’s token approval tool, Debank’s approval scanner. Treat approval revocation like changing smoke-detector batteries: regular hygiene.
  4. Use hot and cold wallet separation. A hot wallet for daily interactions with a small balance; a cold/hardware wallet for long-term holdings that never signs approvals.
  5. Check the approval destination on an explorer. A fresh contract deployed minutes ago with no history is almost always a drainer.
  6. Bookmark dApps you use; never Google them. Search ads and sponsored results are a common drainer distribution channel.
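
The check behind defenses 1 and 2 can be reduced to decoding the calldata of a pending request and reading out who is being granted what. The following is an added example, not code from this page or from any wallet named above; the function names, the "unlimited" threshold, and the sample spender address are assumptions made for illustration.

```python
# Selectors: first 4 bytes of keccak256(function signature).
APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
# Assumption of this example: allowances >= 2**255 count as "unlimited".
UNLIMITED_THRESHOLD = 2**255

def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the 4-byte selector."""
    word = data[4 + 32 * index: 36 + 32 * index]
    if len(word) != 32:
        raise ValueError("calldata too short for the expected arguments")
    return word

def _address(word: bytes) -> str:
    """ABI addresses are left-padded with 12 zero bytes; reject anything else."""
    if any(word[:12]):
        raise ValueError("address word has non-zero padding")
    return "0x" + word[12:].hex()

def inspect_calldata(calldata_hex: str, trusted=frozenset()):
    """Return a finding dict for approval calls, or None for any other call."""
    data = bytes.fromhex(calldata_hex.lower().removeprefix("0x"))
    selector = data[:4]
    if selector == APPROVE:
        kind, value = "approve", int.from_bytes(_word(data, 1), "big")
        risk = ("revocation" if value == 0
                else "unlimited" if value >= UNLIMITED_THRESHOLD else "bounded")
    elif selector == SET_APPROVAL_FOR_ALL:
        kind, value = "setApprovalForAll", int.from_bytes(_word(data, 1), "big")
        risk = "unlimited" if value else "revocation"
    else:
        return None
    grantee = _address(_word(data, 0))
    return {"call": kind, "grantee": grantee, "risk": risk,
            "trusted": grantee in {t.lower() for t in trusted}}

# Constructed sample: approve(<made-up spender>, max_uint256).
SAMPLE_SPENDER = "0x" + "11" * 20
SAMPLE_APPROVE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32

if __name__ == "__main__":
    print(inspect_calldata(SAMPLE_APPROVE))
```

This covers only on-chain approve and setApprovalForAll calls; EIP-2612 permit and Permit2 grants arrive as off-chain typed-data signatures and need a separate check on the signed message.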

Risks and considerations

Approval drainers are the single largest source of retail crypto loss by volume. The model scales because the user experience is indistinguishable from a legitimate dApp interaction up to the exact moment of signing — and wallet UIs have historically made the destructive nature of approvals illegible to non-technical users. Major improvements have come from transaction-simulation tools and better wallet UX (Rabby, MetaMask’s risk labels), but the attack surface is the entire on-chain permission model. The only durable defense is a combination of disciplined approval hygiene and a hardware-wallet air gap for funds you cannot afford to lose.
