
Cryptocurrency giants have been tricked one after another. Why is Permit signature phishing so powerful?

2024-04-02 17:48
Original source: GoPlus


Editor's note: This article was first published on April 2, 2024. On September 28, Lookonchain published a statement that a certain address had lost 12,083.6 spWETH (about $32.33 million) to a phishing attack. Arkham said the wallet may be related to Cobo co-founder and CEO Shenyu (@bitfish1); at the time of writing, Shenyu has not responded. Today, according to Lookonchain, a certain address (possibly related to @ContinueFund) lost 15079 fwDETH (worth $36 million) 6 hours ago after signing a "Permit" phishing signature. Why is Permit signature phishing so effective that even well-known figures in the industry have been hit one after another? This article explains it in plain terms. BlockBeats once again reminds users not to click on any unknown links or sign any unknown signature requests.


According to the GoPlus security team, phishing has become the largest single source of losses for individual Web3 users. Attackers typically imitate official Twitter accounts, Telegram groups, emails, Discord replies or private chats to lure users into clicking phishing links promising airdrop claims, refunds or giveaways, and then steal the user's assets through a "Permit" signature requested by the wallet. Permit is an off-chain signature authorization standard defined in EIP-2612: it lets a user grant an allowance without holding ETH to pay gas. It simplifies the approval flow and reduces the errors and delays of manual approvals, but for the same reason it has become a common tool in phishing attacks.


What is Permit Signature


In short, in the past we had to call Approve before another contract could transfer our tokens. If a token contract supports Permit, we can instead sign a Permit message off-chain, skipping the Approve transaction and granting the allowance without paying gas. Once the allowance is granted, the third party controls the approved amount and can transfer the user's authorized assets at any time.


Alice signs an off-chain message authorizing the protocol; the protocol submits that signature to permit on-chain to obtain the allowance, and can then call transferFrom to move the corresponding assets.



1. The permit signature is attached to the interaction transaction itself, so no prior approval transaction is needed.

2. The signature is produced off-chain, while the on-chain call is made by the authorized address (the spender). The permit transaction therefore appears only in the spender's on-chain history, not the owner's, which is why victims often do not notice the approval.

3. The token's ERC20 contract must implement the relevant methods; tokens released before EIP-2612 do not support it.


After setting up a forged website, the phishing attacker uses a Permit signature request to obtain the user's authorization. A Permit signature request usually contains:


Interactive: the website requesting the signature

Owner: address of the authorizing party

Spender: address of the authorized party

Value: authorized quantity

Nonce: a counter that prevents the signature from being replayed

Deadline: expiration time


Once the user signs the Permit message, the Spender can transfer up to the corresponding Value at any time before the Deadline.
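As an added illustration (not code from the original article or from GoPlus), the following inspector applies the checks described above to a Permit request in the EIP-712 typed-data form a wallet receives via eth_signTypedData_v4: it warns when the Spender is not a contract the user intended to approve, when the Value is unlimited, and when the Deadline is far in the future. The addresses and the trusted-spender list are constructed placeholders.

```javascript
// Defensive inspector for an EIP-2612 Permit typed-data request.
// All addresses below are constructed placeholders, not real contracts.

const MAX_UINT256 = (1n << 256n) - 1n;
const ONE_YEAR_SEC = 365n * 24n * 3600n;

// Returns a list of warnings for a Permit request. `trustedSpenders` is a list
// of lowercase addresses the user actually meant to approve (an assumption of
// this example; a real wallet would source it from the dapp context).
function inspectPermitRequest(typedData, trustedSpenders, nowSec = Math.floor(Date.now() / 1000)) {
  const warnings = [];
  if (typedData.primaryType !== "Permit") {
    return warnings; // not a Permit request; other message types need other checks
  }
  const msg = typedData.message;
  const spender = String(msg.spender).toLowerCase();
  const value = BigInt(msg.value);
  const deadline = BigInt(msg.deadline);

  if (!trustedSpenders.includes(spender)) {
    warnings.push(`Spender ${spender} is not a contract you intended to approve`);
  }
  if (value === MAX_UINT256) {
    warnings.push("Value is unlimited (max uint256): the Spender could drain the whole balance");
  }
  if (deadline - BigInt(nowSec) > ONE_YEAR_SEC) {
    warnings.push("Deadline is more than a year away: the signature stays usable for a long time");
  }
  return warnings;
}

// Constructed sample of what a phishing page might ask the wallet to sign:
// an unknown Spender, an unlimited Value and a Deadline decades in the future.
const samplePhishingPermit = {
  domain: { name: "Example Token", version: "1", chainId: 1, verifyingContract: "0x" + "aa".repeat(20) },
  primaryType: "Permit",
  message: {
    owner: "0x" + "11".repeat(20),
    spender: "0x" + "22".repeat(20),
    value: MAX_UINT256.toString(),
    nonce: 0,
    deadline: "99999999999",
  },
};

// Example run: the user only intended to approve a different contract.
const TRUSTED = ["0x" + "33".repeat(20)];
console.log(inspectPermitRequest(samplePhishingPermit, TRUSTED, 1712000000));
```

If the inspector reports any warning, the safe response in the wallet is to click Reject.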


How to prevent Permit signature phishing attacks


1. Do not click on any unfamiliar or untrusted links, and always confirm the correct official channel information repeatedly.


2. If a wallet signature confirmation pop-up appears after you open a website, do not rush to confirm. Patiently and carefully read the interacting URL and the signature content shown above the Signature request. As a rule, if the URL is unfamiliar and the Permit message contains Spender and Value fields, click [Reject] directly to avoid losing assets.



3. The [Message Signature] pop-up triggered when logging in or registering is a safe confirmation to click. The reference style is as follows:



This article comes from a contribution and does not represent the views of BlockBeats.


