The fastest DeFi, SSS public beta is now live! $200,000 Reward!

Heads up to anyone trying this: when you connect via Plug Wallet, SSS requests a Global Delegation, not a scoped one. That’s worth understanding before you approve it.

Scoped delegation (what most dApps use): The dApp can only call canisters listed in a specific whitelist, typically just its own backend. This is the standard, safe approach.

Global delegation (what SSS requests): No canister restrictions. The dApp’s session key can make calls to any canister on the IC as your identity, including every token ledger you hold balances on.

In practice, that means if you approve this, the dApp could call icrc1_transfer on any ICRC-1 ledger as you and move your tokens wherever it wants, with no further approval needed from Plug.

There’s no legitimate performance reason for a DEX to need this. Scoped delegations already allow instant trade execution without per-transaction popups. A properly integrated dApp uses requestConnect with a whitelist and createActor through Plug’s API. Global delegation bypasses all of Plug’s built-in security filtering.

Maybe the SSS team just didn’t integrate Plug properly and this is an oversight rather than anything malicious, but either way, I’d hold off on approving it until they fix their integration to use scoped delegations. Or at minimum, use a fresh wallet with funds you’re comfortable losing.

References for anyone who wants to dig deeper:
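
The scoped-versus-global distinction from the post above, as an added example that is not part of the original post and is not Plug's or SSS's code: it reads a delegation chain and reports whether the session key is limited to listed canisters or can reach a token ledger. It assumes the chain is in the JSON shape that `DelegationChain.toJSON()` from `@dfinity/identity` produces, with `targets` as hex-encoded canister principals; the function names and all hex ids are constructed for illustration.

```javascript
// Added example: classify an IC delegation chain as scoped or global.
// Assumed input shape (not taken from the post):
//   { delegations: [{ delegation: { pubkey, expiration, targets? }, signature }] }

// Returns the set of canisters the chain may call, or null for "any canister".
// A call must satisfy every link that carries targets, so the effective
// set is the intersection of all target lists present in the chain.
function effectiveTargets(chain) {
  let allowed = null;
  for (const { delegation } of chain.delegations) {
    if (!Array.isArray(delegation.targets)) continue; // link adds no restriction
    const t = new Set(delegation.targets.map((h) => h.toLowerCase()));
    allowed = allowed === null ? t : new Set([...allowed].filter((h) => t.has(h)));
  }
  return allowed;
}

// Reports the scope and which of the caller's sensitive canisters
// (for example token ledgers holding balances) the session key can reach.
function auditDelegation(chain, sensitiveCanisters) {
  const allowed = effectiveTargets(chain);
  return {
    scope: allowed === null ? "global" : "scoped",
    targets: allowed === null ? null : [...allowed].sort(),
    reachableSensitive: sensitiveCanisters.filter(
      (h) => allowed === null || allowed.has(h.toLowerCase())
    ),
  };
}

// Constructed sample data: placeholder ids, keys and signatures.
const DAPP_BACKEND = "00000000000000aa0101";
const TOKEN_LEDGER = "00000000000000bb0101";
const link = (targets) => ({
  delegation: { pubkey: "placeholder", expiration: "0", ...(targets ? { targets } : {}) },
  signature: "placeholder",
});
const scopedChain = { delegations: [link([DAPP_BACKEND])] };
const globalChain = { delegations: [link(null)] };
const mixedChain = {
  delegations: [link(null), link([DAPP_BACKEND, TOKEN_LEDGER]), link([DAPP_BACKEND])],
};

for (const [name, chain] of Object.entries({ scopedChain, globalChain, mixedChain })) {
  console.log(name, JSON.stringify(auditDelegation(chain, [TOKEN_LEDGER])));
}
```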