Beware of the risk of permit signature phishing in wallet pop-up windows
Phishing attacks have become the main risk that causes the most losses to individual Web3 users. Usually, attackers imitate official Twitter, Telegram, email, Discord replies or private chats with users to lure users to click on phishing website links with Claim airdrops, refunds, and welfare activities, and then steal the user's authorized assets through the "Permit" signature in the wallet. This is an offline signature authorization standard that uses EIP-2612, allowing users to approve without having Eth to pay for Gas fees. It can simplify the user's approval process and reduce the risk of errors or delays caused by manual approval processes, but it has also become a common method of phishing attacks.
What is a Permit Signature?
Simply put, in the past we needed Approve before we could transfer tokens to other contracts, but if the contract supports Permit, we can use Permit offline signature to skip Approve and authorize without paying gas. After authorization, the third party has the corresponding control and can transfer the user-authorized assets at any time.
Alice uses the off-chain signature to authorize the protocol. The protocol calls Permit on the chain to obtain authorization, and then can call TransferFrom to transfer the corresponding assets.
Attach permit signature to the transaction for interaction without pre-approval
Off-chain signature, on-chain operations are performed by authorized addresses, and authorized transactions can only be viewed at authorized addresses
It is required to write the relevant methods into the ERC20 token contract. Tokens released before EIP-2612 do not support
After the phishing attacker forges a phishing website, he will use the Permit signature to obtain user authorization. The Permit signature usually contains:
Interactive: Interactive website
Owner: Authorizing party address
Spender: authorized party address
Value: Authorized quantity
Nonce: Random number (anti-replay)
Deadline: expiration date
Once the user signs the Permit signature, the Spender can transfer assets of the corresponding Value within the Deadline.
How to prevent permit signature phishing attacks
1. Do not click on any unfamiliar or untrusted links, and always double-check the correct official channel information.
2. When you open any website and a pop-up window pops up to confirm the wallet signature, do not rush to click on it. Read the interactive URL and signature content that appear above the Singnature request patiently and carefully. If an unfamiliar URL and Permit information containing Spender and Value appear, click [Reject] directly to avoid asset loss.
3. Only the message signature pop-up window that is woken up when logging in or registering is safe and can be clicked to confirm the operation. The style is as follows: