Smart wallets should require explicit user approval whenever a contract action can move tokens or native funds from a user’s account without a separate user-signed transfer. This includes on-chain calls that grant or exercise allowances, change operator approvals like setApprovalForAll, or use delegated signatures that enable later transfers.
When prompts are necessary
Wallets must prompt for any transaction that creates or modifies an authorization that a contract can later use to withdraw assets. The ERC-20 standard, authored by Fabian Vogelsteller and Vitalik Buterin, defines the approve/transferFrom pattern that enables third-party spending. For practical guidance, the MetaMask team at ConsenSys notes that users should be warned about unlimited allowances and unknown spender addresses. Prompting is particularly important when the contract will gain long-lived or unlimited rights, when the spender is an externally owned account or a contract with opaque logic, or when the operation converts an existing approval into an immediate transfer.
What to show users
A prompt should make consent explicit by naming the recipient contract, the permitted amount or scope, and the duration or revocation method. Wallets that surface the contract source, audit history, or linked OpenZeppelin security analyses give users the context they need before approving powerful permissions. Explicit confirmation reduces the risk of common mistakes such as accidental approvals or blind acceptance of phishing dapps.
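The two sections above, the cases that require a prompt and the fields the prompt must show, can be expressed as one decision function. The following is an added example, not code from the page, from MetaMask or ConsenSys, or from OpenZeppelin; it assumes a hypothetical request shape (a transaction with `to` and `data`, or an EIP-712 typed-data signing request) and a hypothetical `knownSpenders` set maintained by the wallet.

```javascript
// Added example, not code from MetaMask, OpenZeppelin or any wallet: decide whether a
// dapp request creates a withdrawal right and, if so, assemble the consent prompt fields.
// Selectors are the standard ones for approve(address,uint256) and setApprovalForAll(address,bool).
const SELECTORS = { "0x095ea7b3": "approve", "0xa22cb465": "setApprovalForAll" };
const MAX_UINT256 = (1n << 256n) - 1n;

// i-th 32-byte ABI word after the 4-byte selector, as 64 hex characters.
function word(data, i) {
  const w = data.slice(10 + i * 64, 10 + (i + 1) * 64);
  if (w.length !== 64) throw new Error("calldata too short");
  return w;
}
const asAddress = (w) => "0x" + w.slice(24);
const asUint = (w) => BigInt("0x" + w);

// Human-readable allowance; 2^256-1 is the "unlimited" pattern the text warns about.
function describeAmount(amount, warnings) {
  if (amount === MAX_UINT256) { warnings.push("unlimited allowance"); return "unlimited"; }
  return amount.toString();
}

// Returns null when the request grants no right to move funds later; otherwise the
// fields the prompt must display: contract, spender, scope, duration and how to revoke.
function buildConsentPrompt(req, knownSpenders = new Set()) {
  const warnings = [];
  let prompt = null;
  if (req.type === "tx") {
    const data = (req.data || "0x").toLowerCase();
    const kind = SELECTORS[data.slice(0, 10)];
    if (kind === "approve") {
      prompt = { kind, contract: req.to.toLowerCase(), spender: asAddress(word(data, 0)),
                 scope: describeAmount(asUint(word(data, 1)), warnings),
                 duration: "until revoked", revoke: "approve(spender, 0)" };
    } else if (kind === "setApprovalForAll" && asUint(word(data, 1)) === 1n) {
      warnings.push("operator gains rights over every token, present and future");
      prompt = { kind, contract: req.to.toLowerCase(), spender: asAddress(word(data, 0)),
                 scope: "all tokens of this collection", duration: "until revoked",
                 revoke: "setApprovalForAll(operator, false)" };
    }
  } else if (req.type === "typedData" && req.primaryType === "Permit") {
    // EIP-2612 permit: a signature the spender can submit on-chain later, with no further tx from the user.
    warnings.push("delegated signature: allowance can be exercised later without a transaction");
    const m = req.message;
    prompt = { kind: "permit", contract: req.domain.verifyingContract.toLowerCase(),
               spender: m.spender.toLowerCase(), scope: describeAmount(BigInt(m.value), warnings),
               duration: "until unix time " + m.deadline, revoke: "approve(spender, 0)" };
  }
  if (!prompt) return null;            // plain transfer or unrelated call: no authorization created
  if (!knownSpenders.has(prompt.spender)) warnings.push("unknown spender address");
  return { ...prompt, warnings };
}
```

Revoking an operator (`setApprovalForAll(..., false)`) and plain `transfer` calls return null because they create no standing right; the wallet still signs those as ordinary transactions.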
Risks, causes, and wider consequences
Technical causes include poor UX that leads to blind approvals, malicious contracts that exploit unlimited allowances, and delegated signature schemes that permit later transfers. Consequences range from an individual's loss of savings to economic harm in communities that depend on wallet-held funds for remittances or small-business liquidity. Research and incidents analyzed by wallet builders and security teams show that improved consent flows materially reduce unauthorized withdrawals. Wallet design choices therefore have ethical and jurisdictional implications: users in jurisdictions with weak consumer protections may be disproportionately harmed, and cultural norms around trust affect whether users accept complex prompts.
Good practice is to require a specific, detailed prompt whenever a contract can later move funds, to allow limited-scope approvals, and to provide accessible explanations so users can make informed decisions. Clear consent is both a security control and a form of respect for user autonomy.