Why Do Old Token Approvals Stay Active After an App Is No Longer Used?
Someone tries a new app once, connects their wallet, grants the permissions it asks for, and never opens it again. Months later, that forgotten app can still technically move funds from that wallet, simply because nothing ever told the permission to stop.
The short answer
Token approvals don’t expire on their own just because the app that requested them stops being used. A token approval is a standing instruction recorded on the blockchain that stays active indefinitely — through inactivity, an app shutting down, or even a change in ownership of that app — until the wallet holder takes a separate action to revoke it.
Why permissions work this way in the first place
Decentralized apps ask for wallet spending permissions so they can move tokens on a user’s behalf without requiring a manual approval for every single transaction, which makes routine activity like swaps or repeated interactions much smoother. To make that convenience work, many apps request a broad, ongoing approval rather than a one-time authorization, and that approval is written to the blockchain as a persistent instruction — not tied to how often the app is opened or whether it’s still being maintained.
What “still active” actually means
An approval sitting unused isn’t dormant in any functional sense — it’s a live instruction sitting on-chain, fully capable of being used the moment the right transaction is submitted with it. Nothing about a wallet’s activity, an app going offline, or the passage of time changes that fact. The approval only stops working once the wallet holder submits a transaction that specifically revokes it, which is itself a deliberate action rather than something that happens passively.
Why this becomes a real risk over time
- App abandonment doesn’t remove risk. A shut-down app’s smart contract can still be active or, worse, taken over or exploited by someone else entirely, and the standing approval remains usable regardless.
- Compromised contracts can exploit old approvals. If a contract that previously had legitimate access is later compromised, any wallet that never revoked its approval remains exposed, a mechanic closely related to how a wallet drainer script uses approvals to move funds without needing a fresh signature.
- Forgotten permissions accumulate. Someone who has tried dozens of apps over time may have dozens of standing approvals they no longer remember granting, each one a separate point of exposure.
- Approvals aren’t visible by default. Most wallets don’t surface a running list of active approvals prominently, so the risk tends to stay invisible unless someone actively goes looking for it.
Why this differs from other kinds of digital permissions
This is a meaningfully different model from, say, an API key with limited permissions that a platform can revoke centrally on a user’s behalf. On a blockchain, there’s no central authority who can revoke an approval for someone — only the wallet holder who granted it can undo it, using their own wallet to submit the revocation transaction, which typically requires paying a small network fee for the privilege of removing access that cost nothing extra to grant in the first place.
The takeaway
An old token approval doesn’t fade away with disuse — it sits active until someone deliberately revokes it, regardless of whether the app behind it is still running, abandoned, or compromised. Periodically reviewing which apps hold standing approvals is one of the more overlooked forms of basic wallet hygiene, precisely because nothing about the system prompts that review automatically.