Allowance Explained in Detail
Allowance is delegated spending power. The owner calls approve(spender, amount), then the spender can call transferFrom(owner, recipient, amount) up to the approved amount.
Routers, vaults, bridges, and marketplaces often depend on allowances.
Smart contract example
token.approve(router, type(uint256).max);
router.swap(...);
An infinite approval is convenient, but it creates long-lived spending risk.
Allowance in Auditing
Allowance bugs can let spenders drain tokens or fail to spend when expected. Auditors review allowance changes, stale approvals, permit flows, and non-standard token behavior.
Allowance also interacts with the ERC20 approval race condition.
Red flags in code
-
Infinite approvals to untrusted or upgradeable contracts.
-
Allowance is changed from one nonzero value to another without safeguards.
-
transferFromreturn values are ignored. -
Permit and approval flows disagree.
-
Non-standard ERC20 tokens are assumed to behave normally.
How to test or review it
-
Test approve, increase, decrease, and transferFrom paths.
-
Front-run allowance changes in tests where relevant.
-
Test stale approvals after withdraw, cancel, or close flows.
-
Use SafeERC20 for integration-heavy token calls.
-
Include non-standard, fee-on-transfer, and rebasing token cases when supported.