revokecash / revoke.cash Goto Github PK

On the NFTs section there's always requests timing out, which is causing them to load much slower than the tokens section. We should investigate and fix this.

Hey! Someone recently reported that there was a scam version of revoke.cash floating around out there at https://revokecash.com/
Looking at it, it actually doesn't seem like a malicious site at first glance. Is this legit, and if so is there a good place to acknowledge its existence?

Perhaps might be better to just replace revokecash.com with a 302 redirect to revoke.cash instead.

Revoke.cash can connect with any EVM network and uses Metamask's injected provider to detect the network (by chain ID). For clarity it makese sense to add a visual indicator to the website that shows what network we're currently connected to.

Currently we get symbol, name and user balance for each token separately. This means that the app uses a lot of RPC calls. This is usually fine since we use the user's Metamask connection, but in case the user isn't using a web3-enabled browser, we fall back to my free-plan Infura key.

A short term solution can be upgrading to the $50 plan, but that only doubles the capacity, and the $225 plan is a bit expensive. So a better long-term solution is drastically reduce the number of RPC calls so that we don't hit the 100k requests limit as easily.

One way to do this is using Etherplex whch enables batch calls. The easiest change is to batch call symbol, name and user balance, but still having separate calls per token. That already cuts the number of calls to 1/3rd of what it is now.

But ideally we'd want to batch every call to every token. This batch call might become too big if there are a lot of tokens, so we'd need to split up all calls in batches of max X tokens. This needs quite some more work than the low hanging 2/3rd improvement.

We're not eligible for Lokalise's Open Source plan. Their free plan only allows 2 team members (i.e. me + 1 translator). We will need to have multiple translators working in parallel, so we need more than 2 seats. Additionally we need at least 2 separate projects (website + browser extension).

Options:

• POEditor (https://poeditor.com/)
  • Free: 1000 total strings + unlimited seats + unlimited projects
  • Cheapest paid: 3000 total strings ($150/y)
• Localazy (https://localazy.com/)
  • Free: 200 source strings + unlimited seats + unlimited projects
  • Cheapest paid: 500 strings ($190/y)
• Alternative: Keep using Lokalise free tier with built-in translation services
  • Free: 500 source strings + 2 seats + unlimited projects
  • Cannot use own translators because of team limits

Other options (e.g. Phrase, Lokalise Paid, Crowdin) are all prohibitively expensive in their paid tiers and don't offer sufficient free functionality.

If you try to revoke https://gnosisscan.io/token/0x71850b7e9ee3f13ab46d67167341e4bdc905eef9, default 118,642 gas limit is insufficient.

If the addresses are in the dapp-address-mapping or in the ethereum-lists registry, they are likely safer than unknown addresses. If they appear in the evm-labels phishing / hacking registry they are certainly unsafe. We could try to communicate this (e.g. using colour codes: green for "known", yellow for "unknown" and red for "known scammers").

Dapp address to name mappings are used to display huma-readable names on revoke.cash (e.g. Aave instead of 0x3dfd23A6c5E8BbcFc9581d2E864a68feb6a076d3). If you spot any 0x... addresses on revoke.cash that you know belong to well-known apps, request them to be added here.

Please provide the following information:

Address: e.g. 0x3dfd23A6c5E8BbcFc9581d2E864a68feb6a076d3
Dapp name: e.g. Aave

If you have any other information about the dapp (e.g. website, type of contract) feel free to provide it as well.

It would be nice to see a (recent) history of approves/revokes.

I don't see any button or links to check or modify allowances.

bad response (status=403, headers={"content-length":"90","content-type":"text/plain; charset=utf-8"}, body="{"jsonrpc":"2.0","error":{"code":-32002,"message":"rejected due to project ID settings"}}\n", requestBody="{"method":"eth_blockNumber","params":[],"id":43,"jsonrpc":"2.0"}", requestMethod="POST", url="https://mainnet.infura.io/v3/88583771d63544aaba1006382275c6f8", code=SERVER_ERROR, version=web/5.6.0)

Something like https://github.com/rarible/order-manager but on an independent platform (like revoke.cash).

Often times when people are checking Revoke.cash they want to see if they recently approved anything, so it would be nice to display the approval date (and maybe even allow sorting by date). However, we'd probably need a pretty significant UI overhaul to present that data in a good way, so this needs more discussion before implementing.

Show price information of tokens to indicate how much money is at stake.

I'm opening this as a way to track the chains that we still need to / want to support but can't right now (due to unsupported nodes / lack of better APIs). This issue will stay open, but I will use it to track new chain support. I will add comments for new chains so that you can signal support with emojis.

Please add a comment on this thread if the chain you want is not on the list yet, or add an emoji to the existing comments to signal that you want support for this chain as well.

Adding a menu for users to add a name or tag to a specific contract, particularly new contracts that do not have or lack identification.

Right now we have the FAQ that provides some decent information, but it would be great to have some more elaborate documentation or even some tutorial videos.

Dapp address to name mappings are used to display huma-readable names on revoke.cash (e.g. Aave instead of 0x3dfd23A6c5E8BbcFc9581d2E864a68feb6a076d3). If you spot any 0x... addresses on revoke.cash that you know belong to well-known apps, request them to be added here.

Please provide the following information:

Address: e.g. 0x3dfd23A6c5E8BbcFc9581d2E864a68feb6a076d3
Dapp name: e.g. Aave

If you have any other information about the dapp (e.g. website, type of contract) feel free to provide it as well.

The old version of Revoke.cash retrieved NFT balances using balanceOf(). This has huge performance issues (2-3 times slower), so in the new version, we derive the asset balance from events.

As it turns out though, the balanceOf() function was a great filter for spam tokens, since a lot of spam NFTs would throw when calling balanceOf().

It's not an option to go back to calling balanceOf(), so it would be very useful to find a different way to detect spam NFTs, besides the other ones already implemented (name + bytecode size checks + alchemy spam list).

This is a fun one. CryptoKitties does not conform to ERC721 at all (which makes sense since it mostly predates it). None of the event parameters are indexed, making it fundamentally impossible to use with the current setup (unlike other semi-ERC721 collections like CryptoStrikers). To support CryptoKitties we would need to add a completely custom code path for it, which does not seem to be worth the effort, but if we can figure out some smart way to go about it, it would be nice to support CK.

Currently the network connection is done with Metamask (falling back to Infura). But many networks (e.g. Polygon and BSC) don't have the public infrastructure to support the historical getLogs requests that revoke.cash uses. For these cases we'd need to figure out an alternative way of getting data from chain. One option could be Covalent, but we need to look into this more.

Regular EOAs cannot do batch revokes, but smart contract wallets should be able to do so. We should be able to detect Gnosis Safe (and potentially other smart contract wallets) and add batch revoke functionality for those wallets specifically.

For Ethereum there's a limit of 10k logs returned at a time. We have a tree-like retry mechanism for those cases, so that covers almost all accounts. However, for other chains where we use Etherscan's API, for which we can receive 10k logs (paginated in 1k-sized pages) logs at a time, which can be prone to timeouts / rate limit issues.

We currently have the throwIfNotErcX() functions that ensure that we're not including any invalid tokens. But we can bring down the number of node requests (and reverts) by pre-filtering the Transfer events based on their topic count (ERC20 transfers has 3 topics, ERC721 has 4).

Revoke.cash for the Moonriver network doesn't appear to be working at this time. However I was able to fix it locally by swapping out the Moonbeam Moonscan API Key for a Moonriver Moonscan API Key. Naturally, that meant that Moonbeam didn't work on my local instance because the Moonbeam and Moonriver Moonscan API keys are different.

I suggest adding a moonriverMoonscan value to the example.env file and making any necessary changes to the hosted Revoke.cash's environment variables.

Currently revoke.cash uses class components almost exclusively (only exception is DonateButton). This should be refactored to use only functional components + hooks. In the process the current components should be pulled further apart as well.

After performing a search, the search results are displayed.

Please also update the URL to a permalink. Then if I share that permalink other people will see the same search results.

All visitors have an HTTP GET to "https://raw.githubusercontent.com/vasa-develop/nft-tokenlist/master/mainnet_curated_tokens.json" the moment they load. Instead of putting this burden on the browser, you can fetch this once serverclient-side and serve the homepage with this data already filled thanks to getStaticProps.

https://nextjs.org/docs/basic-features/data-fetching/get-static-props

If perhaps this list changes, you can even set a revalidate value

The entire website has translations. Except for toast messages. We'll need to add translated messages to those as well.

I think bundling multiple revoke transactions via multicall would be a nice feature to have. It's important that allowFailure is always set to False. If you're interested in a separate Vyper implementation of multicall, I wrote a version here.

When using Polygon chain, I always only get the message "Max rate limit reached" and no approvals are shown.

I would like to search the other way. For a specific address, find all the authorizations they received.

Along with #74, this can be helpful to show an address that is exhibiting unusual behavior. For example, when a phishing scam happens, you can see one address receiving lots of token approvals which they will then go and steal. This page could show those approvals and help as evidence in showing that a scam happened.

Also this is helpful for security research, I am studying a weak contract that received lots of approvals. I need to find some of those approvals to make a PoC exploit.

I get the following error when I scan my account:

I dug into the debugger, seems the token in question is 0x25970282aac735cd4c76f30bfb0bf2bc8dad4e70, an mStable contract. This contract isn't actually a token, but it does have the methods totalSupply and balanceOf, so maybe that has broken something?

Feature request from https://twitter.com/tze42/status/1410663544853610496?s=20

It doesn't load anything for 0x9A6a414D6F3497c05E3b1De90520765fA1E07c03 address.

Have also tried running revoke.cash from source (yarn).

Thoughts?

Every now and then Etherscan API request time out with error "Query timeout occured. Please select a smaller result dataset". This is separate from the expected max 1000 logs that their API returns. We should look into this.

Revoke.cash is currently built on top of react-bootstrap (w/ Bootstrap 4). I prefer using Tailwind instead.

Gnosis Safe has support for WalletConnect, so we'd have to figure out what is needed to function with Gnosis Safe through WalletConnect.

https://0x0.st/iEQg.png

People should be able to choose their network from the website rather than wallet.

Given the ongoing debacle from last night, it'd probably be good to have a copy of revoke.cash on IPFS + an ENS name to easily find it.

I think it's an important utility and it'd be reassuring to have the ENS + IPFS records to know you're dealing with a trustworthy source during a security incident.

Add some more highlighting or different colours to unlimited vs limited allowances.

Hello,
It's potentially risky to has enable the paste wallet address option because the scammer could use it to change to unlimited again 😨

It would be better if you remove that option and only let review and change the amount and the use of the revoke option to only the connected wallet.

Regards

ERC1155 is very similar in interface to ERC721, but there are some differences.

Once we're converted completely to functional components we should update to use web3-react rather than the homebrew solution.

PERX (and perhaps others) do not implement ERC20 correctly (cannot call approve(0x.., 0), only >0). Furthermore they do not use the commonly used names increaseAllowance() and decreaseAllowance() for updating allowances, but instead these functions are called increase|decreaseApproval(). Hard to support such edge cases. Perhaps we could fall back to calling approve(1), which would be very close to revoked.