Tokens Aren't in Users' Wallets
Contrary to popular belief, when users 'hold' tokens in a crypto wallet, they're not really holding them there. On platforms like Ethereum and its variants, ERC20 tokens and NFTs (all tokens except ETH), are essentially balance entries inside smart contracts. These smart contracts merely keep a record of the number of tokens each account address possesses. When a user initiates a token transfer, they're simply directing the smart contract to modify this entry, reducing their balance, and increasing the recipient's balance accordingly.
The reality more closely resembles having balances in multiple bank accounts rather than possessing physical currency in a wallet. Users are at the mercy of the smart contract as their balance is just an entry inside it. This method contrasts with native tokens like BTC or ETH, which are not balance entries in a smart contract, and therefore are not at the mercy of a single developer.
The Issue of Spend Approvals
A significant problem arises from the practice of “spend approval” in Decentralized Finance (DeFi) apps, “dApps”. When users wish to use tokens within a dApp, they must provide the dApp permission to spend their tokens, by telling the token smart contract to give the dApp this permission.
Most decentralized exchanges, such as Uniswap, request permission to spend an unlimited amount of a user's tokens, so that they don't have to approve every individual trade. While this makes the user experience less clunky, it also introduces considerable risk. If the dApp that has received approval turns out to be malicious or compromised, it can empty all of a user's tokens without requiring additional consent.
This concern isn't confined to individual platform vulnerabilities; it's a pervasive issue in today's smart contract ecosystems. The current model of token interaction across virtually all smart contract platforms allows for these kinds of risks, and is why third party services like revoke.cash are so popular.
A Case for New Layer 1s and Asset-Oriented Virtual Machines
New Layer 1 smart contract platforms aim to address this by rethinking the way assets are held and transferred. These platforms permit direct asset ownership, where tokens "physically" reside in users' accounts, and when transferred, for instance, to a decentralized exchange, they get "physically" moved from the user's account to the dApp's account during the transaction. As a result, users no longer need to "approve" the dApp to use their tokens because their tokens are no longer just a balance entry in a smart contract.
This paradigm, where tokens are treated as physical objects natively understood by the Layer 1 smart contract platform, employs what is termed an asset-oriented programming environment. The programming environment itself ensures the security of users' tokens, freeing them from dependence on the lines within a developer's smart contract.
Radix, a layer 1 launching smart contract functionality around 27 September 2023 with its “Babylon” mainnet upgrade, is the pioneer of this asset-oriented way of doing things. Because users actually hold tokens inside their account (called a Smart Account), this massively improves security because the token is safeguarded by the virtual machine and eliminates the need for spend approvals. To learn more see the Radix Full Stack website.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.