You've listed on OpenSea 4 times, Blur twice, LooksRare once. You now have 7 active unlimited approvals sitting on-chain — none of which you can see in your wallet, none of which disappeared when you disconnected, and any one of which an attacker can exploit by compromising a single operator address. That is the setApprovalForAll debt, and most collectors have no idea how large it has grown.
This is Part 3 of the NFT Security Masterclass. Part 1 covered signature types and Part 2 covered blind signing on hardware wallets. Here we move from understanding what you sign to erasing the permissions that outlive every transaction.
What You Actually Signed
The ERC-721 standard provides two distinct approval mechanisms, and understanding the difference is the foundation of everything that follows.
approve(address operator, uint256 tokenId) grants one address the right to transfer one specific token. It is narrow, scoped, and relatively low-risk.
setApprovalForAll(address operator, bool approved) grants one address the right to transfer every token in the collection — every token you currently hold and every token you acquire in the future — for as long as approved remains true. There is no expiry. There is no cap. There is no automatic cleanup.
Every time you click "List" on a marketplace and your wallet asks you to sign a transaction (not just a message — a transaction with gas), you are almost certainly calling setApprovalForAll. The marketplace operator address receives blanket authority so that when a buyer accepts your listing, the contract can move the NFT without requiring another approval from you. This is architecturally necessary for the marketplace flow to work. It is also a permission that persists indefinitely after the listing expires, after the item sells, after you stop using the platform entirely.
ERC-1155 is more aggressive: the standard does not include a per-token approve function at all. setApprovalForAll is the only transfer authorization mechanism available. Every ERC-1155 interaction that requires moving tokens on your behalf requires a blanket collection approval.
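To see concretely what "you are almost certainly calling setApprovalForAll" means, here is an added example (not code from the article or from any marketplace) that decodes raw transaction calldata before it is signed: it recognizes the approval selectors, pulls out the operator and the approved flag, and flags a blanket grant to any operator other than the two marketplace addresses listed in this article. The selector and operator constants are the real on-chain values; everything else is illustrative.

```python
# Added example (not from the original article): decode the calldata a wallet is
# about to sign and report whether it is a blanket setApprovalForAll grant.
# Selectors are the first 4 bytes of keccak256 of the function signature.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}

# Operator addresses named in the article; any other operator is flagged.
KNOWN_OPERATORS = {
    "0x1e0049783f008a0085193e00003d00cd54003c71": "OpenSea: Conduit",
    "0x00000000000111abe46ff893f3b2fdf1f759a8a8": "Blur: ExecutionDelegate",
}

def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * i
    if len(data) < start + 32:
        raise ValueError("calldata truncated")
    return data[start:start + 32]

def _addr(word: bytes) -> str:
    # An address is right-aligned in its 32-byte word; the 12 leading bytes must be zero.
    if any(word[:12]):
        raise ValueError("malformed address word")
    return "0x" + word[12:].hex()

def decode_calldata(calldata_hex: str) -> dict:
    """Classify calldata; returns the function name, decoded args and a verdict."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    sig = SELECTORS.get(data[:4].hex(), "unknown")
    out = {"function": sig}
    if sig.startswith("setApprovalForAll"):
        operator = _addr(_word(data, 0))
        approved = int.from_bytes(_word(data, 1), "big")
        if approved not in (0, 1):
            raise ValueError("bool word is not 0 or 1")
        out.update(operator=operator, approved=bool(approved),
                   operator_label=KNOWN_OPERATORS.get(operator, "UNKNOWN"))
        if approved and operator not in KNOWN_OPERATORS:
            out["verdict"] = "BLOCK: blanket approval to unrecognized operator"
        elif approved:
            out["verdict"] = "WARN: blanket approval to " + out["operator_label"]
        else:
            out["verdict"] = "OK: revoke"
    elif sig.startswith("approve"):
        out.update(operator=_addr(_word(data, 0)),
                   token_id=int.from_bytes(_word(data, 1), "big"),
                   verdict="INFO: single-token approval")
    else:
        out["verdict"] = "INFO: not an approval call"
    return out
```

The WARN verdict for a known marketplace is deliberate: the grant is legitimate but still permanent and collection-wide, which is exactly the debt this article is about.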
The Operator Addresses You Have Approved
Knowing which contracts hold your approvals requires recognizing the addresses involved. The major marketplace operators on Ethereum mainnet:
OpenSea Seaport Conduit: 0x1E0049783F008A0085193E00003D00cd54003c71
Labeled "OpenSea: Conduit" on Etherscan. This is the conduit through which Seaport routes transfers. The ConduitController at 0x00000000F9490004C11Cef243f5400493c00Ad63 manages channel access within each conduit.
Blur ExecutionDelegate: 0x00000000000111AbE46ff893f3B2fdF1F759a8A8
Blur's equivalent infrastructure for handling transfers. Note that Blur may deploy versioned delegates over time; always verify against current platform documentation before revoking in a live-trading context.
These addresses are legitimate. The security problem is not that they are malicious — it is that the approval you granted them is permanent and collection-wide. If either platform were ever compromised at the operator level, or if you interacted with a phishing site that tricked you into approving a malicious address formatted to look like one of these, the grant gives an attacker everything they need.
No private keys involved. No seed phrase compromise required. The approval alone is sufficient.
How Approvals Become Attack Surface
The most common exploitation path:
- You approve a malicious operator address, either through a phishing transaction disguised as a legitimate listing, or through a compromised marketplace contract.
- The attacker's contract calls transferFrom(yourAddress, attackerAddress, tokenId) for every token in the approved collection.
- Your NFTs move to the attacker's wallet. Your wallet balance shows zero. You never signed a transfer.
The secondary path — more insidious — involves legitimate but stale approvals:
- A platform you approved months ago suffers a smart contract exploit.
- The attacker gains control of the operator address or discovers a reentrancy path through the approved contract.
- Every wallet that ever granted setApprovalForAll to that address is now drainable.
The critical behavioral fact: wallet disconnection does absolutely nothing to approvals. Approvals live on the blockchain, not in your browser session. Closing the tab, revoking site permissions in MetaMask, even resetting your wallet's connected sites list — none of these actions modify the on-chain approval state. Only an on-chain revoke transaction, calling setApprovalForAll(operator, false), removes the grant.
Auditing Your Approvals: Two Methods
Method 1: revoke.cash (Recommended)
revoke.cash supports more than 100 EVM networks and presents your active approvals in a readable interface. Their own framing is accurate: with approvals, no one needs to steal your keys to take your tokens.
Step-by-step walkthrough:
- Navigate to revoke.cash and connect your wallet. The connection is read-only for the audit phase — it does not grant any permissions.
- Select the network you want to audit. Start with Ethereum mainnet, then repeat for any chain where you hold NFTs (Polygon, Arbitrum, Base, etc.).
- The dashboard loads your active approvals across ERC-20, ERC-721, and ERC-1155 contracts. Filter by token type — select NFTs to isolate the relevant approvals.
- Review each row: the approved contract address, the collection it covers, when it was granted, and whether the approval still matters in practice (i.e., you still hold tokens in that collection, or the collection contract still exists).
- Identify approvals to revoke: any address you do not recognize, any platform you no longer use, and critically, any approval where the operator address is not labeled as a known marketplace by Etherscan.
- For individual revokes, click "Revoke" on each row and confirm the transaction in your wallet. This calls setApprovalForAll(operator, false) on your behalf.
- For batch revokes, revoke.cash charges approximately $1.50 for the batch processing service — a worthwhile cost if you have many stale approvals and want to minimize individual transaction overhead.
Gas per revoke on Ethereum mainnet runs approximately 50,000–80,000 gas. At 20 gwei and $3,000 ETH, that is roughly $3–5 per revoke. For bulk cleanup across many collections, executing revokes on Arbitrum, Polygon, or Base — where the same contracts often have mirrored approvals — can reduce costs significantly before bridging back.
Method 2: Etherscan Token Approval Checker
For users who prefer direct on-chain verification without a third-party interface:
- Go to etherscan.io and navigate to your wallet address.
- Select the "Token Approvals" tab.
- Filter by ERC-721 and ERC-1155 to see NFT-specific grants.
- Each row shows the approved spender address and the approved token. Click "Revoke" to initiate the on-chain transaction directly through Etherscan's interface.
This method is more manual and does not aggregate across networks, but requires trusting only Etherscan rather than a third-party aggregator.
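Both methods above are built on the same underlying data: the ApprovalForAll events a wallet has emitted, replayed in chain order so that the last write per (collection, operator) wins. The following added example (not from the article, revoke.cash or Etherscan) rebuilds that state from constructed sample logs, marks operators not in this article's known-marketplace list, and flags grants that have outlived the tokens they cover. The event topic hash and the two marketplace addresses are real; the wallet, collections, logs and holdings are constructed.

```python
# Added example (not from the original article): rebuild a wallet's active
# setApprovalForAll state from ApprovalForAll event logs, as an approval checker
# does under the hood. All logs and addresses below except the marketplace
# operators are constructed sample data.
APPROVAL_FOR_ALL_TOPIC = (  # keccak256("ApprovalForAll(address,address,bool)")
    "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31")
KNOWN_OPERATORS = {
    "0x1e0049783f008a0085193e00003d00cd54003c71": "OpenSea: Conduit",
    "0x00000000000111abe46ff893f3b2fdf1f759a8a8": "Blur: ExecutionDelegate",
}
OWNER = "0x" + "11" * 20                      # constructed wallet under audit
COLL_A = "0xaaaa" + "0" * 35 + "1"            # constructed ERC-721 collections
COLL_B = "0xbbbb" + "0" * 35 + "2"
CONDUIT = "0x1e0049783f008a0085193e00003d00cd54003c71"
PHISH = "0xdddd" + "0" * 33 + "bad"           # constructed unrecognized operator

def _topic_addr(topic: str) -> str:
    """Indexed address topics are 32 bytes with the address in the low 20."""
    return "0x" + topic.lower().removeprefix("0x")[-40:]

def active_approvals(owner: str, logs: list, holdings: dict) -> list:
    """Replay logs in (block, index) order; last write per (collection, operator) wins."""
    owner, state = owner.lower(), {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL_TOPIC:
            continue  # some other event emitted by the contract
        if _topic_addr(topics[1]) != owner:
            continue  # another wallet's approval
        state[(log["address"].lower(), _topic_addr(topics[2]))] = int(log["data"], 16) == 1
    report = [{"collection": c, "operator": op,
               "label": KNOWN_OPERATORS.get(op, "UNKNOWN"),
               "stale": holdings.get(c, 0) == 0}   # grant outlives the tokens it covered
              for (c, op), approved in state.items() if approved]
    # Unrecognized operators first: these are the rows to revoke immediately.
    return sorted(report, key=lambda r: (r["label"] != "UNKNOWN", r["collection"]))

def _log(block, idx, collection, operator, approved):
    """Build a constructed ApprovalForAll log in the shape eth_getLogs returns."""
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"blockNumber": block, "logIndex": idx, "address": collection,
            "topics": [APPROVAL_FOR_ALL_TOPIC, pad(OWNER), pad(operator)],
            "data": "0x" + ("1" if approved else "0").rjust(64, "0")}

SAMPLE_LOGS = [  # constructed and deliberately out of order; replay sorts them
    _log(300, 5, COLL_A, CONDUIT, False),   # revoke: setApprovalForAll(conduit, false)
    _log(100, 1, COLL_A, CONDUIT, True),    # original listing approval
    _log(150, 2, COLL_B, CONDUIT, True),
    _log(200, 0, COLL_B, PHISH, True),      # grant to an address nobody labels
]
HOLDINGS = {COLL_A: 2, COLL_B: 0}  # constructed: every COLL_B token was sold
```

Running `active_approvals(OWNER, SAMPLE_LOGS, HOLDINGS)` shows that the revoke on COLL_A cleared that row, while both COLL_B grants remain active and stale, since selling the tokens never touched the approval state.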
Why There Is No Automatic Fix
For ERC-20 tokens, Uniswap's Permit2 system introduced time-bounded allowances — approvals that expire automatically after a set window. This is a meaningful improvement for fungible token interactions.
No equivalent mechanism exists for ERC-721 or ERC-1155. The standards do not include expiry parameters in setApprovalForAll. There is no protocol-level automatic cleanup. Manual revocation is, as of now, the only mitigation available to collectors. This is a known gap in the NFT permission model, and until standards evolve or platforms adopt off-chain signature-based flows for all transfers, the responsibility falls entirely on the holder.
Some newer marketplace implementations are moving toward order-based signatures that do not require persistent approvals — a direction worth monitoring. But for every existing approval already on-chain, manual revocation remains the only path to closure.
Emergency Protocol: Post-Compromise Priority
If you suspect your wallet has been compromised or you have just experienced a drain, the order of operations matters:
First: revoke all active approvals immediately.
An attacker holding an active setApprovalForAll grant against a collection can continue draining tokens even after you have changed passwords, revoked site connections, and moved assets to a new address — as long as tokens remain in the original wallet and the approval stands. Revoking approvals cuts off the ongoing access vector before you begin asset recovery.
Use revoke.cash's emergency mode or the Etherscan checker to identify and revoke as fast as possible. Prioritize high-value collections and collections with many tokens first.
After revoking, move remaining assets to a fresh wallet address. Consider the compromised address permanently tainted — do not continue using it as a primary holding address even after cleanup. The hardware wallet threat model article covers the broader framework for compartmentalizing after a compromise.
Hygiene as Routine: The Quarterly Framework
Approval hygiene is not a one-time event. Every platform interaction, every new chain you explore, and every marketplace you try adds to the accumulation. Building a scheduled review into your collector practice keeps the debt manageable.
Quarterly Approval Audit Checklist:
Month 1 (Full audit):
- Connect to revoke.cash and audit every network where you hold or have held NFTs.
- Revoke all approvals for platforms you no longer use.
- Revoke all approvals for collections you no longer hold (the approval persists even if you sold every token).
- Document the legitimate approvals you choose to keep — known marketplace addresses for active listings.
Month 4 (Spot check):
- Re-audit Ethereum mainnet and your primary L2.
- Check for any new approvals added since last quarter.
- Verify that kept approvals still correspond to active, legitimate platforms.
After any significant marketplace activity:
- Log the approval you just granted (operator address + collection).
- Set a calendar reminder for 90 days to check whether the listing is still active or should be revoked.
After any security incident in the NFT ecosystem:
- If a platform you have approved announces a contract exploit, revoke immediately — do not wait for quarterly review.
- Monitor Etherscan's labeled addresses: if a previously trusted operator label changes or becomes flagged, revoke.
The goal is not zero approvals — an active trader on multiple platforms will always carry some. The goal is zero unexamined approvals: every active grant should be one you consciously chose to keep and can name a reason for.
The setApprovalForAll debt grows silently with every platform you explore. Auditing and pruning it quarterly is the single highest-leverage maintenance act available to a serious collector — more impactful than any password rotation, and addressing an attack surface that hardware wallets alone cannot protect you from once the grant is made.