When you want to pay for a raffle ticket using an ERC20 token (like $POLLY, $USDC, or a partner token), you might see an “Approve” button before you can click “Buy”. This is a standard and important security feature when interacting with smart contracts on EVM-compatible blockchains.
Why is Approval Needed?
- You Own Your Tokens: By default, a smart contract (like the PollyPrize raffle contract) cannot access or move tokens directly from your wallet. You have sole control.
- Granting Permission: To pay with an ERC20 token, you need to explicitly grant the raffle contract permission to transfer a specific amount of that token from your wallet to itself when you initiate the purchase.
- The approve Function: This permission is granted by calling the approve function on the token’s contract, not the raffle contract. You are telling the token contract, “Allow the raffle contract (the spender) to transfer up to X of my tokens.”
How Does it Work?
- Click Approve: You click the “Approve [Token Symbol]” button in the PollyPrize interface.
- Wallet Confirmation: Your connected wallet (MetaMask, Abstract Wallet, etc.) pops up, showing a transaction details screen. This transaction calls the approve function on the specific token contract (e.g., the $POLLY contract).
- Spender: It will clearly show the PollyPrize raffle contract address as the “spender” being granted permission.
- Amount: Modern dApps often request approval for a very large amount (maxUint256) or for the exact amount needed for the transaction. Approving a large amount is convenient because you only need to do it once per token per dApp, but be aware of the implications (see the security note below). PollyPrize might request approval only for the cost of the tickets you are currently buying.
- Confirm Transaction: You approve the transaction in your wallet, paying a small gas fee.
- Permission Granted: Once the transaction is confirmed on the blockchain, the token contract records that the PollyPrize contract is allowed to withdraw the specified amount from your balance.
- Buy Button Enabled: The PollyPrize interface detects the successful approval, and the “Buy Tickets” button becomes active. When you click “Buy Tickets”, the raffle contract can now successfully call transferFrom on the token contract to pull the payment from your wallet.
Security Note on Approvals: Be cautious about approving unlimited amounts (maxUint256) to contracts you don’t fully trust. An allowance stays in effect until you change it, so if that contract were ever compromised, an attacker could potentially drain all of your approved tokens. Approving only the necessary amount for each transaction is safer but less convenient. This is what we chose to implement for PollyPrize.
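The following is an added example, not PollyPrize’s own front-end or contract code. It models in plain JavaScript the flow described in “How Does it Work?” and the exposure discussed in the security note: an ERC20 ledger with approve and transferFrom, a raffle contract that pulls payment via transferFrom, and the interface check that decides whether to show “Approve” or “Buy”. The names Erc20Token, RaffleContract, needsApproval, exposedAmount, the addresses 0xBUYER and 0xRAFFLE, and the ticket price are all constructed for this illustration; the real contract addresses and prices are not on the page.

```javascript
// Added example (not PollyPrize code): in-memory model of the ERC20
// approve / transferFrom flow and the "Approve" vs "Buy" front-end check.
// All addresses, prices and class names below are constructed placeholders.

const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" approval amount (maxUint256)

// Minimal ERC20 ledger: balances plus an owner -> spender -> amount allowance map.
class Erc20Token {
  constructor(symbol) {
    this.symbol = symbol;
    this.balances = new Map();
    this.allowances = new Map(); // key: `${owner}:${spender}`
  }
  mint(to, amount) { this.balances.set(to, this.balanceOf(to) + amount); }
  balanceOf(addr) { return this.balances.get(addr) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}:${spender}`) ?? 0n; }
  // approve is called by the token holder ON THE TOKEN CONTRACT, naming the spender.
  approve(owner, spender, amount) { this.allowances.set(`${owner}:${spender}`, amount); }
  // transferFrom is called by the spender and only succeeds within the approved amount.
  transferFrom(caller, from, to, amount) {
    const allowed = this.allowance(from, caller);
    if (allowed < amount) throw new Error(`${this.symbol}: insufficient allowance`);
    if (this.balanceOf(from) < amount) throw new Error(`${this.symbol}: insufficient balance`);
    // Finite allowances are consumed as they are used; an unlimited one is left as-is.
    if (allowed !== MAX_UINT256) this.allowances.set(`${from}:${caller}`, allowed - amount);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

// The raffle contract never touches the buyer's wallet directly; it asks the token
// contract to move funds, which the token contract allows only up to the allowance.
class RaffleContract {
  constructor(address, token, ticketPrice) {
    this.address = address;
    this.token = token;
    this.ticketPrice = ticketPrice;
    this.tickets = new Map();
  }
  buyTickets(buyer, count) {
    const cost = this.ticketPrice * BigInt(count);
    this.token.transferFrom(this.address, buyer, this.address, cost); // msg.sender = raffle
    this.tickets.set(buyer, (this.tickets.get(buyer) ?? 0) + count);
    return cost;
  }
}

// Front-end check: show "Approve" while the allowance does not cover this purchase.
function needsApproval(token, buyer, raffleAddress, cost) {
  return token.allowance(buyer, raffleAddress) < cost;
}

// Worst case for the security note: what a compromised spender could pull right now.
function exposedAmount(token, owner, spender) {
  const a = token.allowance(owner, spender);
  const b = token.balanceOf(owner);
  return a < b ? a : b;
}

// Walk through exact-amount approval, then compare with an unlimited one.
function runDemo() {
  const BUYER = '0xBUYER';             // constructed placeholder address
  const RAFFLE_ADDRESS = '0xRAFFLE';   // constructed placeholder address
  const TICKET_PRICE = 10n * 10n ** 18n; // constructed: 10 tokens with 18 decimals
  const polly = new Erc20Token('POLLY');
  polly.mint(BUYER, 100n * 10n ** 18n);
  const raffle = new RaffleContract(RAFFLE_ADDRESS, polly, TICKET_PRICE);

  const cost = TICKET_PRICE * 3n; // three tickets
  const approveShownBefore = needsApproval(polly, BUYER, RAFFLE_ADDRESS, cost);

  // Without an approval the raffle cannot pull tokens: the purchase reverts.
  let buyWithoutApprovalFailed = false;
  try { raffle.buyTickets(BUYER, 3); } catch (e) { buyWithoutApprovalFailed = true; }

  // Exact-amount approval: grant only the cost of this purchase.
  polly.approve(BUYER, RAFFLE_ADDRESS, cost);
  const exposedExact = exposedAmount(polly, BUYER, RAFFLE_ADDRESS);
  const approveShownAfter = needsApproval(polly, BUYER, RAFFLE_ADDRESS, cost);
  raffle.buyTickets(BUYER, 3);
  const allowanceLeft = polly.allowance(BUYER, RAFFLE_ADDRESS); // nothing left to drain

  // Unlimited approval for comparison: the spender could now pull the whole balance.
  polly.approve(BUYER, RAFFLE_ADDRESS, MAX_UINT256);
  const exposedUnlimited = exposedAmount(polly, BUYER, RAFFLE_ADDRESS);

  return { approveShownBefore, buyWithoutApprovalFailed, exposedExact, approveShownAfter,
           ticketsOwned: raffle.tickets.get(BUYER), balanceAfter: polly.balanceOf(BUYER),
           allowanceLeft, exposedUnlimited };
}

console.log(runDemo());
```

The interface logic in needsApproval is the part a dApp front end actually runs: it reads allowance(owner, spender) on the token contract and shows “Approve” until that value covers the purchase. The exposedAmount comparison is the point of the security note in numbers: after an exact-amount approval is spent, the remaining allowance is zero, whereas an unlimited approval leaves the entire balance reachable by the spender for as long as the allowance stands.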