In the world of blockchain and decentralized finance (DeFi), few things are as foundational as the ERC20 token standard. This specification defines how tokens are transferred, approved, and managed on Ethereum Virtual Machine (EVM) blockchains. Most tokens launched today implement some variation of the ERC20 standard.
The Rootstock Collective DAO
In the Rootstock Collective DAO the staking token stRIF and its non-staked counterpart RIF are both ERC20 tokens. To stake your RIF tokens, you must transfer them to the stRIF contract, which then mints an equivalent amount of stRIF tokens in return. However, before this exchange can occur, users must first invoke the approve() method, a concept that frequently raises questions among blockchain newcomers.
What is the approve() method?
The approve() function grants another address (commonly called the “spender”) permission to transfer tokens from your account up to a specified limit. The method takes two parameters:
approve(address spender, uint256 amount)
This approval isn’t a one-time action. Once set, the allowance persists until you either reduce it to zero or update it with a new amount.
When you call approve(), the token contract updates its internal records, noting that “Address A” has permitted “Address B” to transfer a certain number of tokens on A’s behalf. Importantly, approve() itself doesn’t move any tokens—it’s merely an authorization that allows the spender to initiate transfers in the future using the transferFrom() function.
The Power of Separating Approval from Transfer
This separation of the approval process from the actual token transfer is a powerful concept in DeFi.
Let’s illustrate this with our example:
- You hold RIF tokens and want to stake them in the Rootstock Collective DAO to receive stRIF in return.
- Rather than sending your RIF directly to the stRIF contract, you first call the
approve()method on the RIF contract, specifying:- The stRIF contract address as the spender
- The number of RIF tokens you’re authorizing for staking
- Once approved, when you initiate the staking process, the stRIF contract can securely pull exactly that amount of RIF on your behalf, keeping your tokens safer from unintended or unlimited use.
After granting this spending allowance, the actual transfer happens when the transferFrom() function moves your tokens from your address to the stRIF contract. When you call mint() on the stRIF contract with the amount you want to mint, the stRIF contract calls the transferFrom() method on the RIF contract to move those tokens.
This is the critical part, your account doesn’t call the transferFrom() method, the stRIF contract does this on your behalf, using the allowance you granted.
Why Can’t This Be Done in a Single Transaction?
During discussions about this process, users often ask why these actions can’t be batched into a single transaction. There are two primary reasons:
- Order Dependency: The sequence matters—you must call
approve()beforetransferFrom()can be executed. This is a fundamental security feature of the ERC20 standard. - Separate Transactions: These are two distinct operations that must be called independently, requiring the user to sign two separate transactions:
- First transaction: Approving the token spending
- Second transaction: Initiating the token transfer (e.g., staking)
Security Implications and Best Practices
This two-step process, while requiring more user interaction, also offers important security benefits:
- Granular Control: You can approve specific amounts rather than unlimited access
- Revocable Permissions: You can revoke or modify approvals if needed
- Clear Intent: The separation makes the user’s intent explicit at each step
Many modern DeFi interfaces simplify this process for users, but understanding what happens behind the scenes is valuable for anyone working with ERC20 tokens.
Conclusion
The approve() method is a cornerstone of the ERC20 token standard that enables secure, permissioned interactions between users and smart contracts. While it adds an extra step to token operations, this deliberate separation of concerns provides the security foundation upon which the entire DeFi ecosystem is built.
By understanding how approve() works in conjunction with transferFrom(), developers and users can better navigate the complexities of token interactions in blockchain applications.
AI Meets Bitcoin, How Rootstock Powers the Future of Trustless AI | HackerNoon
Using a Gnosis Safe to Upgrade Upgradable Contracts
How we secure the Rootstock Collective's smart contracts
Upgradable Smart Contracts
with Solidity and Hardhat, part 1 of 2.