What does it mean to “approve” a token and is it safe?

Written by Nikola J.
Updated 8 months ago

ERC-20 tokens on Ethereum (e.g. DAI, WBTC) are separate contracts that keep their own balance ledgers, so in order to use a token in a contract interaction you cannot simply send the tokens along with your transaction the way you can attach ETH to a call.

Instead, the contract needs your approval to “take” the tokens from you: you call the token’s approve function to grant the contract (the spender) an allowance, and the contract then calls transferFrom to pull tokens from your address, up to that allowance. For example, when supplying 100 DAI to Aave, the Aave protocol smart contract needs your permission (approval) to take 100 DAI from your wallet and supply it to the protocol. Note that an allowance is a cap, not a one-off ticket: many apps request an “unlimited” allowance so that you are not asked to approve again, and such an allowance lets the spender pull your entire balance at any later time until you revoke it.
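The practical check that follows from this is to look at what an approval transaction actually asks for before signing it. The following Python is an added example, not DeFi Saver’s code: it ABI-encodes and decodes the calldata of an ERC-20 approve(address,uint256) call and labels the allowance so that an unlimited approval stands out. The spender address in the usage at the bottom is a constructed placeholder, not a real protocol contract.

```python
# Added example, not DeFi Saver's code: decode the calldata of an ERC-20
# approve(address,uint256) call so you can see, before signing, which
# contract becomes the spender and how much it may pull. The spender
# address used at the bottom is a constructed placeholder.

APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = 2**256 - 1


def _strip_0x(hexstr: str) -> str:
    hexstr = hexstr.lower()
    return hexstr[2:] if hexstr.startswith("0x") else hexstr


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount): 4-byte selector + two 32-byte words."""
    spender_hex = _strip_0x(spender)
    if len(spender_hex) != 40 or not 0 <= amount <= UINT256_MAX:
        raise ValueError("bad spender or amount")
    return "0x" + APPROVE_SELECTOR + spender_hex.rjust(64, "0") + format(amount, "064x")


def decode_approve(calldata: str) -> dict:
    """Return {'spender', 'amount'} from approve calldata, or raise ValueError."""
    data = _strip_0x(calldata)
    if len(data) != 8 + 64 + 64:
        raise ValueError("unexpected calldata length for approve(address,uint256)")
    if data[:8] != APPROVE_SELECTOR:
        raise ValueError("selector %s is not approve(address,uint256)" % data[:8])
    spender_word, amount_word = data[8:72], data[72:136]
    # An address is 20 bytes, left-padded with zeros to 32; reject non-zero padding.
    if spender_word[:24] != "0" * 24:
        raise ValueError("spender word has non-zero padding")
    return {"spender": "0x" + spender_word[24:], "amount": int(amount_word, 16)}


def format_units(amount: int, decimals: int) -> str:
    """Render a raw token amount as a decimal string without float rounding."""
    if decimals == 0:
        return str(amount)
    whole, frac = divmod(amount, 10**decimals)
    return f"{whole}.{frac:0{decimals}d}".rstrip("0").rstrip(".")


def classify_approval(amount: int, decimals: int = 18, balance: int = None) -> str:
    """Label an allowance so 'unlimited' (or effectively unlimited) approvals stand out."""
    if amount == 0:
        return "revocation (allowance set to zero)"
    if amount == UINT256_MAX:
        return "UNLIMITED: the spender may pull your whole balance, now or at any later time"
    if balance is not None and amount > balance:
        # Some apps use a large number other than 2**256-1; anything above
        # your balance is effectively unlimited for you.
        return "effectively unlimited: %s tokens, more than you hold" % format_units(amount, decimals)
    return format_units(amount, decimals) + " tokens"


if __name__ == "__main__":
    spender = "0x" + "11" * 20                        # constructed placeholder address
    calldata = encode_approve(spender, 100 * 10**18)  # "approve 100 DAI"
    decoded = decode_approve(calldata)
    print(decoded["spender"], classify_approval(decoded["amount"]))   # 100 tokens
    print(classify_approval(UINT256_MAX))                             # UNLIMITED: ...
```

Wallets usually show the raw calldata (or a hex data field) in the transaction details; pasting it into decode_approve tells you the spender and the cap, and a call whose selector is not 095ea7b3 is not an approval at all, which is worth knowing before you sign something a site labelled “approve”.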

Short summary: 

Approvals made to your Smart Wallet are safe (Maker, Reflexer, Smart Savings, Recipe Creator, Smart Wallet variants of Aave and Compound), because only the owner address, that is, you, can execute calls through your Smart Wallet, so nobody else can use the allowance you granted it.

Approvals done directly to protocol contracts add exposure to smart contract exploits: whatever the protocol contract is allowed to pull from you, anyone who can abuse a bug in that contract can pull as well. In other words, they are safe as long as the underlying protocol is safe (currently, on DeFi Saver, this is only relevant for the Account variants of Compound and Aave).

Longer explanation:

Historically, the approval mechanism has been the point of abuse in a number of exploits, especially on relatively new and small projects. The ecosystem has found some ways to minimize this risk. One rudimentary way is to split relatively simple action-execution contracts away from the core protocol contracts, so that users grant their approvals only to the small contract. This way, if the more complex core protocol were hacked, the funds still sitting in a user’s wallet would be safe. This does not eliminate the risk, however, as the action-execution contracts are still exploitable in theory, and an exploit of whichever contract holds your approval can pull tokens up to the allowance you granted it.

DeFi Saver has chosen to go a different route, using Smart Wallets for all user positions. Pioneered by Maker, this approach requires the user to deploy a smart contract wallet for themselves. Only the owner address can execute calls through the contract, and the contract acts as the actual owner and holder of the user’s positions. Your token approvals go to your own Smart Wallet rather than to a protocol contract, so a protocol exploit can at most reach what the Smart Wallet has placed in that protocol, not the tokens that remain in your address. This approach is safer than the legacy approach of giving permissions to protocol contracts directly, and it also allows the user to execute advanced, complex transactions (such as Boost, Repay, Leveraged create, Recipes, etc.). It is used by default for Maker Vaults and Reflexer Safes. DeFi Saver additionally allows you to use a Smart Wallet for the Aave and Compound protocols as well, bringing additional security and advanced features to them.

Keep in mind that you can always check and revoke the approvals you have given using external apps such as approved.zone. Revoking simply sets the allowance for that spender back to zero, which is itself an on-chain transaction. In fact, it is considered good practice to revoke unneeded permissions regularly, or, alternatively, to periodically switch to a new Ethereum address.
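To make the difference between the two approval patterns above concrete, here is an added Python example, not DeFi Saver’s or Maker’s code: a minimal model of the ERC-20 allowance table (approve, transferFrom, revoke) used to run the same exploit against a user who approved a protocol contract directly and against a user who approved only an owner-gated Smart Wallet. The Token, Protocol and SmartWallet classes, the bug modelled by Protocol.exploit, and the names “alice”, “mallory”, “protocol” and “alice-wallet” are all constructed for illustration; the owner-only check is a simplification of how a proxy wallet gates calls, not any specific deployed contract.

```python
# Added example, not DeFi Saver's or Maker's code: a minimal model of the
# ERC-20 allowance mechanism, used to compare approving a protocol contract
# directly with approving an owner-gated Smart Wallet. All classes, the
# modelled bug and the addresses ("alice", "protocol", ...) are constructed.

UINT256_MAX = 2**256 - 1


class Token:
    """Balances plus the (owner, spender) -> allowance table behind approve/transferFrom."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def approve(self, caller, spender, amount):
        # caller plays msg.sender: a holder can only set allowances on their own balance
        self.allowance[(caller, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        # caller is the spender pulling from owner; checked against the allowance
        allowed = self.allowance.get((owner, caller), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise PermissionError("insufficient allowance or balance")
        if allowed != UINT256_MAX:  # an unlimited allowance is never decremented
            self.allowance[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposure(token, owner, spender):
    """Most the spender could pull from owner right now: min(allowance, balance)."""
    return min(token.allowance.get((owner, spender), 0), token.balances.get(owner, 0))


def revoke(token, owner, spender):
    """Revoking is just approve(spender, 0); returns the remaining exposure."""
    token.approve(owner, spender, 0)
    return exposure(token, owner, spender)


class Protocol:
    """supply() is the intended path; exploit() models a bug that lets anyone route
    transfer_from to themselves. Whatever the protocol may pull, the attacker may too."""

    def __init__(self, token, address):
        self.token, self.address, self.deposits = token, address, {}

    def supply(self, user, amount):
        self.token.transfer_from(self.address, user, self.address, amount)
        self.deposits[user] = self.deposits.get(user, 0) + amount

    def exploit(self, attacker, victim):
        amount = exposure(self.token, victim, self.address)
        if amount:
            self.token.transfer_from(self.address, victim, attacker, amount)
        return amount


class SmartWallet:
    """Owner-gated proxy: it holds the positions, and only its owner can drive it."""

    def __init__(self, token, address, owner):
        self.token, self.address, self.owner = token, address, owner

    def execute(self, caller, action):
        if caller != self.owner:
            raise PermissionError("only the wallet owner may execute")
        return action(self)


def scenario_direct_approval():
    """Unlimited approval straight to the protocol, supply 100, then the bug is used:
    everything still sitting in the user's address goes too."""
    token = Token({"alice": 1000})
    protocol = Protocol(token, "protocol")
    token.approve("alice", "protocol", UINT256_MAX)
    protocol.supply("alice", 100)
    stolen = protocol.exploit("mallory", "alice")
    return {"alice": token.balances["alice"], "stolen": stolen}


def scenario_smart_wallet():
    """Approval only to the user's Smart Wallet; the wallet supplies in its own name with
    an exact allowance, so the protocol never holds an approval from the user's address."""
    token = Token({"alice": 1000})
    protocol = Protocol(token, "protocol")
    wallet = SmartWallet(token, "alice-wallet", owner="alice")
    token.approve("alice", wallet.address, UINT256_MAX)

    def supply_100(w):
        token.transfer_from(w.address, w.owner, w.address, 100)  # pull from owner
        token.approve(w.address, protocol.address, 100)         # exact, one-off allowance
        protocol.supply(w.address, 100)

    wallet.execute("alice", supply_100)
    stolen = protocol.exploit("mallory", "alice")  # 0: no allowance from alice to protocol
    try:
        wallet.execute("mallory", supply_100)      # attacker cannot drive the wallet
        gate_held = False
    except PermissionError:
        gate_held = True
    return {"alice": token.balances["alice"], "stolen": stolen,
            "at_risk_in_protocol": protocol.deposits[wallet.address], "gate_held": gate_held}


if __name__ == "__main__":
    print(scenario_direct_approval())  # {'alice': 0, 'stolen': 900}
    print(scenario_smart_wallet())     # alice keeps 900; only the 100 supplied sits with the protocol
```

The two scenarios give the same user the same 100-token position; the difference is only who holds the allowance. In the direct case the attacker’s reach is exposure(alice, protocol), which an unlimited approval keeps equal to her whole remaining balance, while in the Smart Wallet case that value is zero and the wallet’s own allowance was consumed by the supply. The 100 tokens deposited are at the protocol’s mercy in both cases; that is the residual risk the summary above refers to, and revoke() shows that cutting exposure to zero is a single approve(spender, 0).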
