freaky.fi

Security

How freaky.fi handles token approvals and custody. No middleman contract, exact approvals, and time-bound Permit2 signatures.

No Middleman

There is no freaky.fi contract. When you swap, your wallet talks directly to the winning aggregator's own contracts - the same contracts you'd interact with if you went to that aggregator directly. freaky.fi reads their API, builds the transaction, and your wallet executes it. Your tokens are never in our hands.

How Token Approvals Work

Before you can swap a token, you need to approve a contract to move it on your behalf. That's how ERC-20 tokens work - you grant permission, then the contract can transfer up to the approved amount.

It's not uncommon for DeFi interfaces to request unlimited approvals, or for users to manually set them to infinite in wallets like MetaMask or Rabby to save on gas for future swaps. Either way, the result is the same: you've given a contract permission to move as many tokens as it wants, forever. Unlimited approvals are a special case in the ERC-20 standard - the allowance never decreases, no matter how many times you trade. Over $493M has been stolen through these lingering approvals since 2020.

Permit2 - Approvals That Expire

Permit2 solves the approval problem entirely. Developed by Uniswap, deployed across the industry, and battle-tested since 2022, Permit2 replaces the standard approval pattern with signature-based permissions that have built-in expiration dates.

With Permit2, you sign a message instead of submitting an approval transaction. That signature authorizes the exact swap amount and includes a deadline. After the deadline, the permission is invalid - whether you used it or not. Nothing lingers. Nothing to revoke. Nothing to forget about.

freaky.fi uses Permit2 wherever the aggregator supports it. The goal is full Permit2 coverage across all supported aggregators. See current status.
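To make the Permit2 model concrete, here is an added example (not freaky.fi's own code) that builds the EIP-712 typed data a wallet is asked to sign for a Permit2 PermitTransferFrom, then audits it the way a cautious user or front-end would before signing: the spender, the exact amount, and the deadline. The router and token addresses, nonce and timestamp are constructed; the Permit2 address is the canonical deployment.

```javascript
// Added example, not freaky.fi code. Sample addresses and timestamps are constructed.
const PERMIT2 = "0x000000000022D473030F116dDEE9F6B43aC78BA3"; // canonical Permit2 deployment

// EIP-712 typed data for Permit2's PermitTransferFrom: one token, one exact amount,
// one spender, one deadline. This is what the wallet shows instead of an approve() tx.
function buildPermitTransferFrom({ chainId, token, amount, spender, nonce, deadline }) {
  return {
    domain: { name: "Permit2", chainId, verifyingContract: PERMIT2 },
    types: {
      PermitTransferFrom: [
        { name: "permitted", type: "TokenPermissions" },
        { name: "spender", type: "address" },
        { name: "nonce", type: "uint256" },
        { name: "deadline", type: "uint256" },
      ],
      TokenPermissions: [
        { name: "token", type: "address" },
        { name: "amount", type: "uint256" },
      ],
    },
    primaryType: "PermitTransferFrom",
    message: { permitted: { token, amount }, spender, nonce, deadline },
  };
}

// Pre-signing check: the permit must target Permit2, be bound to the expected router,
// cover no more than the swap amount, and expire within a short window after `now`.
function auditPermit(typedData, { expectedSpender, swapAmount, now, maxTtlSeconds }) {
  const m = typedData.message;
  const problems = [];
  if (typedData.domain.verifyingContract.toLowerCase() !== PERMIT2.toLowerCase())
    problems.push("domain is not Permit2");
  if (m.spender.toLowerCase() !== expectedSpender.toLowerCase())
    problems.push("spender is not the expected router");
  if (BigInt(m.permitted.amount) > BigInt(swapAmount))
    problems.push("amount exceeds swap amount");
  if (BigInt(m.deadline) <= BigInt(now)) problems.push("permit already expired");
  if (BigInt(m.deadline) > BigInt(now) + BigInt(maxTtlSeconds))
    problems.push("deadline too far in the future");
  return problems;
}

// Constructed sample: swap 100 USDC (6 decimals) through a hypothetical router,
// permit valid for 10 minutes.
const NOW = 1700000000;
const ROUTER = "0x1111111111111111111111111111111111111111"; // constructed router address
const USDC = "0x2222222222222222222222222222222222222222";   // constructed token address
const SWAP_AMOUNT = 100000000n;
const permit = buildPermitTransferFrom({
  chainId: 1, token: USDC, amount: SWAP_AMOUNT, spender: ROUTER, nonce: 7n, deadline: BigInt(NOW + 600),
});
```

Running `auditPermit(permit, { expectedSpender: ROUTER, swapAmount: SWAP_AMOUNT, now: NOW, maxTtlSeconds: 1800 })` returns an empty list; the same permit checked 601 seconds later reports "permit already expired", which is exactly the property the approval-based model lacks.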

Exact Approvals

For aggregators that don't support Permit2 yet, freaky.fi falls back to exact approvals. Instead of requesting unlimited access to your tokens, it approves the exact amount that will be swapped. If you're swapping 100 USDC, the approval is for 100 USDC. Once the swap executes and uses the full amount, the allowance goes to zero. Nothing left to exploit.

This also overrides any previous approval you may have granted to the same contract. The ERC-20 approve function is a set, not an add - so an exact approval of 100 replaces a previous unlimited approval entirely.

One thing to be aware of: if you approve a swap but don't complete it - you close the tab, reject the transaction in your wallet, or just walk away - the approval is still on-chain. It won't expire on its own. For cases like these, tools like Revoke.cash let you audit and revoke lingering approvals. Learn more in Exact Approvals.

CowSwap - Intent-Based Signing

CowSwap uses a different model entirely. Instead of approving a contract per swap, you approve a single contract - the GPv2VaultRelayer - and then sign orders off-chain. Solvers compete to fill your order in a batch auction, which also protects against MEV (sandwich attacks and frontrunning).

The security model is similar to Permit2 in principle: you trust one audited contract rather than granting approvals to a different contract for every trade. The GPv2VaultRelayer has been live since 2021, handles significant volume, and is the same contract Vitalik Buterin has used to route millions in ETH and token trades.

The key difference from Permit2: the VaultRelayer approval doesn't expire automatically. freaky.fi still requests exact approval amounts when routing through CowSwap, so the exposure is limited to the current swap.
