A crypto user recently lost over $11 million worth of aEthMKR and Pendle USDe tokens to a phishing scam, as reported by Scam Sniffer. The victim, a MakerDAO governance delegate according to Arkham Intelligence, was tricked into producing a series of fraudulent Permit signatures. The incident highlights the risks that come with EIP-2612, the standard that lets a token holder authorize a spender with an off-chain signature instead of a separate on-chain approval transaction.

How the Scam Worked

Permit Signatures:
EIP-2612: This Ethereum Improvement Proposal allows users to generate authorization signatures without needing a prior on-chain approval. While this streamlines transactions, it also creates a new way to be tricked into granting access.
Off-Chain Authorization: These signatures are created and handed over without anything being broadcast to the blockchain, so a fraudulent authorization is hard to detect until the assets are already moving.

Phishing Attack:
Fake Websites: Scammers set up websites that look legitimate and prompt visitors to sign a permit.
Deceptive Authorization: Once a victim signs a permit on such a site, the scammers hold a valid authorization over the victim's tokens and can drain them without any further on-chain action from the victim.

Risks and Vulnerabilities

Signature Risks: As highlighted by blockchain security firm SlowMist, the primary risk with permits lies in the ease with which bad actors can exploit signature authorizations. Because the authorization is produced off-chain, detecting a compromised signature is challenging.
Lack of Warnings: Some wallets do decode and display the signature contents, but the warnings about permit signature phishing are often insufficient. This gap in user protection increases the likelihood that a phishing attempt succeeds.
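As an added illustration of the "Lack of Warnings" point above and of what a permit signature request actually contains (this is example code written for this article, not code from any wallet, Scam Sniffer or SlowMist), the following checks an EIP-712 Permit request the way a wallet could before showing it to the user. All addresses, the trusted-spender list and the sample request are constructed placeholders.

```javascript
const MAX_UINT256 = (1n << 256n) - 1n;

// Spenders the user has interacted with before (constructed placeholder address).
const TRUSTED_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// Returns the permit's parameters plus the warnings a wallet should show before signing.
// `opts.now` (unix seconds) and `opts.maxDeadlineSeconds` make the check testable offline.
function assessPermitRequest(typedData, opts = {}) {
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const maxDeadlineSeconds = opts.maxDeadlineSeconds ?? 3600; // an hour is plenty for a swap
  const trusted = opts.trustedSpenders ?? TRUSTED_SPENDERS;
  if (typedData.primaryType !== "Permit") return { isPermit: false, warnings: [] };

  const msg = typedData.message;
  const spender = String(msg.spender).toLowerCase();
  const value = BigInt(msg.value); // JSON-RPC delivers uint256 as a decimal or hex string
  const deadline = Number(msg.deadline);
  const warnings = [];

  if (!trusted.has(spender)) warnings.push("spender is not a contract you have used before");
  if (value === MAX_UINT256) warnings.push("value is unlimited: the spender could move the entire balance");
  if (deadline > now + maxDeadlineSeconds) warnings.push("deadline is far in the future: the signature stays usable for a long time");
  if (!typedData.domain?.verifyingContract) warnings.push("no verifyingContract in the domain: cannot tell which token this permits");

  // Two or more findings together match the shape of a permit-phishing request.
  return { isPermit: true, spender, value, deadline, warnings, highRisk: warnings.length >= 2 };
}

// Constructed sample request, shaped like what a fake site asks a wallet to sign (placeholder addresses).
const SAMPLE_PHISHING_PERMIT = {
  types: { Permit: [ { name: "owner", type: "address" }, { name: "spender", type: "address" },
                     { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" },
                     { name: "deadline", type: "uint256" } ] },
  primaryType: "Permit",
  domain: { name: "ExampleToken", version: "1", chainId: 1,
            verifyingContract: "0x2222222222222222222222222222222222222222" },
  message: { owner: "0x3333333333333333333333333333333333333333",
             spender: "0x4444444444444444444444444444444444444444",
             value: MAX_UINT256.toString(), nonce: "0", deadline: "1893456000" },
};

console.log(assessPermitRequest(SAMPLE_PHISHING_PERMIT, { now: 1700000000 }).warnings);
```

A real wallet would also compare `domain.verifyingContract` against the token the user believes they are approving and show the spender's label rather than a bare address.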

Recommendations

To mitigate such risks, users are advised to:

Verify Websites: Always confirm the legitimacy of a website before signing any permit.
Understand Permissions: Carefully read and understand the permissions being granted with each signature.
Use Reputable Wallets: Opt for wallets that provide detailed information and warnings about permit signatures.
Stay Informed: Keep up to date with the latest security practices and known vulnerabilities in the crypto space.

This unfortunate event underscores the need for heightened awareness and stronger security measures to protect against sophisticated phishing scams in the cryptocurrency world.