Recently, a large number of re-staking, staking, and airdrop users simply clicked a mediocre signature confirmation in the wallet. There was no Approve item, and no gas fee was paid, and the wallet assets were cleared... This is the infamous Permit phishing signature attack!
Usually, attackers imitate official Twitter, Telegram, email, Discord replies or private chats with users to lure users to click on phishing website links with Claim airdrops, pledges, refunds, and welfare activities, and then steal the user's authorized assets through the "Permit" signature in the wallet. This is an offline signature authorization standard that uses the EIP-2612, which allows users to approve without having to own Eth to pay for Gas fees. It can simplify the user's approval process and reduce the risk of errors or delays caused by manual approval processes, but it has also become a common method of phishing attacks.
What is a Permit Signature?
Simply put, in the past we needed Approve before we could transfer tokens to other contracts, but if the contract supports Permit, we can use Permit offline signature to skip Approve and authorize without paying gas. After authorization, the third party has the corresponding control and can transfer the user-authorized assets at any time.
Alice uses the off-chain signature to authorize the protocol. The protocol calls Permit on the chain to obtain authorization, and then can call TransferFrom to transfer the corresponding assets.
Attach permit signature to the transaction for interaction without pre-approval
Off-chain signature, on-chain operations are performed by authorized addresses, and authorized transactions can only be viewed at authorized addresses
It is required to write the relevant methods into the ERC20 token contract. Tokens released before EIP-2612 do not support
After the phishing attacker forges a phishing website, he will use the Permit signature to obtain user authorization. The Permit signature usually contains:
Interactive: Interactive website
Owner: Authorizing party address
Spender: authorized party address
Value: Authorized quantity
Nonce: Random number (anti-replay)
Deadline: expiration date
Once the user signs the Permit signature, the Spender can transfer assets of the corresponding Value within the Deadline.
How to prevent permit signature phishing attacks
1. Do not click on any unfamiliar or untrusted links, and always double-check the correct official channel information.
2. When you open any website and a pop-up window pops up to confirm the wallet signature, do not rush to click on it. Read the interactive URL and signature content that appear above the Singnature request patiently and carefully. If an unfamiliar URL and Permit information containing Spender and Value appear, click [Reject] directly to avoid asset loss.
3. Only the message signature pop-up window that is woken up when logging in or registering is safe and can be clicked to confirm the operation. The style is as follows:
