AI agents are making Web3 easier to use, but they can also be exploited by attackers. Legacy contracts and historical approvals that were once difficult to inspect at scale can now be scanned and exploited more easily with automated tools.
Recently, a DApp project experienced a security incident related to an old contract. The project’s legacy contract on TRON had been deprecated in 2022, but attackers recently exploited a historical vulnerability in it, causing asset losses for users who had previously interacted with the contract.
Case Study
A few years ago, a user named Mike used a third-party DApp to swap tokens. For convenience, he granted the DApp unlimited access to his USDT. Later, the DApp upgraded and migrated to a new contract, and Mike gradually forgot about the approval.
Recently, Mike found that all the USDT in his wallet had been transferred out. After checking, he confirmed that he had not visited any suspicious links recently. The issue came from the approval he had granted years ago: attackers exploited a historical vulnerability in the old contract and transferred his assets through a contract call.
Why Can Legacy Contracts and Historical Approvals Become Risks?
1. On-chain records remain permanent
Once a smart contract is deployed, it usually cannot be deleted. Similarly, a user’s token approval remains valid until it is actively revoked. In other words, when an old DApp, contract, or protocol goes offline, it does not mean the on-chain risk has disappeared. The related legacy contract may still retain permission to access the user’s assets.
2. A false sense of security from “well-known projects”
Many users assume that if they once interacted with a well-known DApp, there should be no risk. However, security is an ongoing process. Early contracts may contain technical limitations or vulnerabilities that were not discovered at the time. Even if the project later upgrades to a new contract, the deprecated contract may still become a hidden on-chain risk.
3. Lower cost of automated attacks
In the past, low-activity legacy contracts were often overlooked because manual inspection was costly. With the development of AI-powered contract scanning, vulnerability verification, and other automated tools, attackers can now screen legacy contracts and low-maintenance projects at a much lower cost.
This means that some long-dormant vulnerabilities may be rediscovered and exploited. As long as historical approvals remain active, related assets may still be exposed to potential risks.
PSA:
1. Regularly check and clean up historical approvals
We recommend reviewing your wallet approval records regularly. If you find any of the following situations, revoke the approval ASAP:
- High-risk targets: Approvals granted to unknown contracts / personal addresses, or contracts impersonating well-known DApps. You can check them on a blockchain explorer. For example, a contract that was deployed recently or has very few calls may be considered high risk.
- Excessive approvals: The approved amount is “unlimited” or clearly exceeds what is needed for the transaction.
- Outdated approvals: The approval was granted a long time ago, and the DApp is no longer in use.
How to check and revoke approvals:
- TRON wallet: Open the imToken home page -> swipe left on the function bar -> tap “Revoke” to view and revoke approvals.
- EVM and Layer2 wallets: Search for Revoke.cash on the imToken “Browser” page, connect your wallet, then check and revoke approvals.
- Guide: Please refer to Security Alert | Beware of Token Approval Scams.
2. Build the habit of approving only what you need
- Avoid default settings: When using DApps, try to avoid “unlimited approval.” Manually change the approval amount to the actual amount needed for the current transaction.
- Revoke after use: For low-frequency or trial-use projects, we recommend using a dedicated address and revoking approvals right after use.
- Clean up regularly: Make it a habit to review your wallet from time to time. For addresses you no longer use, revoke all existing approvals. For frequently used addresses, regularly revoke suspicious or unused approvals.
3. Follow official announcements and beware of secondary scams
After a security incident, scammers often impersonate customer support or security teams, claiming they can provide “asset recovery” or “compensation registration” services. Please remember:
- Any request for your private key or mnemonic phrase is a scam.
- Any third-party link that asks you to verify your wallet address or asset ownership, but actually tricks you into granting a large or unlimited token approval, is a scam.
- Anyone who walks you through downloading a wallet app and asks you to create or import a wallet to receive so-called compensation is a scam.
- For all compensation-related information, always refer to the project’s official channels. Do not trust private messages from strangers.
imToken Is Always Protecting Your Token Security
In March, imToken marked a total of 12,227 risky tokens, banned 552 risky DApp websites and flagged 349 risky addresses.
If you encounter any suspicious tokens or DApps, please report them to us at support@token.im to help protect other users.
Closing Thoughts
Scams are constantly evolving, and it can be difficult for everyday users to stay fully protected. imToken is committed to detecting threats quickly, developing solutions, and keeping the community informed through timely alerts and education—so we can reduce losses and improve overall crypto safety.
We invite you to read and share the imToken Wallet Security Monthly Report, and work with imToken to keep every token safe.