Short answer

Most ERC-20 and ERC-721 approvals do not auto-expire. Once granted, they persist until you explicitly revoke them. The exceptions: Permit (EIP-2612) signatures include a deadline parameter — that signature expires at the specified time. Permit2 signatures also have a deadline. But classic setApprovalForAll and ERC-20 approve calls have no expiration; an approval from 2021 is still valid today.

The three approval types

ERC-20 approve. Standard "approve unlimited" used by most DEX integrations pre-2023. No expiration. Approval persists across years. Revocable only via explicit revoke transaction.

ERC-721 setApprovalForAll. Used by NFT marketplaces (OpenSea, LooksRare). Boolean — true grants, false revokes. No expiration. Approval persists indefinitely until manually toggled.

EIP-2612 Permit / Permit2 (EIP-2612 extended). Off-chain signature with embedded deadline. Signed in 2024 with deadline 1 hour out → expires after 1 hour. Signed with deadline 1 year out → expires after 1 year. Signed with deadline 2099 → effectively never.

Why this matters

An approval granted in 2021 to a DEX you no longer use is still active. If that DEX's contract is later compromised (Multichain 2023, Curve 2023, etc.), the attacker can use your old approval to drain that token from your wallet — three years after you forgot you granted it.

This is the central reason for the quarterly revoke.cash hygiene habit. The longer approvals sit, the larger your exposed attack surface.

What auto-expires safely

Modern Permit and Permit2 implementations usually set short deadlines (1 hour to 30 days). The Uniswap V3 frontend, for example, prompts a Permit2 signature with a 30-day deadline by default. After 30 days, that specific signature can't be used.

But that's per-signature, not per-token. A new Permit2 signature for the same token works fine; the old one being expired doesn't disable your ability to grant new ones.

The misconception trap

Many users believe approvals "expire when I disconnect the wallet" or "expire when I close the dApp." Neither is true. Connection state lives in your wallet UI; approvals live on-chain. Disconnect, reconnect, close, reopen — the on-chain approval is unaffected.

The only safe assumption

Treat every approval as permanent until you revoke it. Run revoke.cash quarterly. Revoke approvals to contracts you no longer use. Especially revoke "unlimited" approvals — they're the highest-risk category.

For long-term storage addresses that should never grant approvals: keep them on a hardware wallet, never connect them to any dApp. The approval surface is zero if you never sign an approval.

Further reading: revoke.cash, EIP-2612 Permit.