How do DeFi wallet drain attacks work?

Attackers create clones of legitimate DeFi sites or compromise their DNS. When you connect your wallet and try to swap, the site injects a malicious transaction — typically setApprovalForAll() — that grants unlimited access to your tokens and NFTs.

How can I protect my crypto wallet?

Bookmark DeFi sites and only access them through bookmarks. Read every wallet approval request carefully. Use a hardware wallet for an extra confirmation step. Regularly revoke old token approvals at revoke.cash.

Scam #11 · High Threat

One Signature. Entire Wallet. Gone.

The smart contracts were fine. The blockchain was fine. The website was compromised — and that one 'approve' button gave the attacker access to everything in your wallet.

What You Just Experienced

A perfect clone of Uniswap. You connected your wallet to make a swap. The approval popup asked you to sign a transaction — except instead of approving a specific swap, it called "setApprovalForAll()" with unlimited access to every token and NFT in your wallet.

One click. One signature. Everything gone. And the real Uniswap protocol? Completely untouched. The attack happened entirely at the website layer — the frontend you were looking at was compromised or cloned, while the actual blockchain contracts worked exactly as designed.

How This Happens

There are two main methods. First: attackers clone a legitimate DeFi site at a lookalike domain — uniiswap.org, app-uniswap.com, whatever looks close enough. Second, and more dangerous: they actually compromise the DNS or hosting of the real domain, so even the correct URL serves a malicious frontend.

The malicious frontend looks identical. Every button, every chart, every token pair. The only difference is what happens when you click "approve" — instead of the expected transaction, it injects one that gives the attacker a blank check on your wallet.

This is especially dangerous because crypto wallets are designed to show you what you're approving — but most people don't read it. The approval screen shows the contract address, the function being called, and the permissions being granted. If you read it, you'd see "UNLIMITED ACCESS" in plain text. But most people see a familiar-looking popup, think "this is the normal approval step," and sign.

Defense Layer

Bookmark your DeFi sites and only access them through bookmarks. Never click links from Discord, Twitter, Telegram, or email to reach a DeFi platform. Type the URL or use your bookmark. Every time.
Read every approval request. Your wallet shows you what you're signing. If it says "setApprovalForAll" or grants "unlimited" access when you're just trying to swap tokens, reject it.
Use a hardware wallet. It adds a physical confirmation step — you have to look at a screen and press a button. That extra friction gives you a moment to actually read what you're approving.
Revoke old approvals regularly. Tools like revoke.cash let you see and revoke token approvals you've previously granted. Clean house periodically.

If you signed a suspicious transaction: Move all remaining assets to a new wallet immediately — the compromised wallet's approvals can't be undone retroactively for assets already approved. Use revoke.cash to revoke approvals on the compromised wallet. Report the malicious site to the real protocol's team and to Chainabuse.com.

← Replay This Simulation All Scams