Recent news reported that, in a permit signature phishing attack, an address lost 12,083.6 spWETH, worth about 32.33 million US dollars. The victim wallet may be linked to Cobo co-founder and CEO Shenyu.

Shenyu is a veteran of the blockchain field, yet he was still fooled by Permit signature phishing. Do you think it is shameful for a blockchain practitioner, the founder of the digital wallet Cobo, to have his wallet stolen? In ancient times, anyone with a shred of shame would have committed seppuku to apologize. Baobao feels bitter, but Baobao won't say it; pretending nothing happened is the most embarrassing response.

【Why people fall victim】

Many people have a fixed mindset: as long as I don't approve a token and don't pay gas to put a transaction on chain, my assets are safe.

That way of thinking was only valid before 2023. It no longer holds after EIP-2612 introduced Permit. Permit is a double-edged sword: you can call it a technical upgrade or a technical loophole. The loophole generally has to be patched at the application layer, by wallet software; until it is, users need to keep their eyes open.

OK Wallet's announcement the day before yesterday clearly warned about permit authorization.

How to prevent it

This article does not give a technical analysis of the permit signature; it only explains how to prevent the attack. As long as you remember the following points, you can completely avoid this theft risk.

A permit signature has the following format. If you see a pop-up like this when logging into a dapp, checking for an airdrop, or doing any other wallet-connect action, your account is being phished: reject every one of them.

  • Interactive: the website you are interacting with

  • Owner: the authorizing party (your address)

  • Spender: the authorized party (the address being granted the allowance)

  • Value: authorized amount

  • Nonce: random number

  • Deadline: expiry time

Click Reject for both Permit signatures

A normal signature contains none of these fields, as shown below:

Normal link wallet signature
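The distinction above (a Permit pop-up carries owner, spender, value, nonce and deadline; a normal login signature does not) is exactly what an application-layer wallet can check automatically. The following is an added example, not code from the original article or from any wallet vendor: a pre-flight check over an `eth_signTypedData_v4` request that flags Permit signatures, escalates unlimited values and far-off deadlines, and rejects any spender the user has not allow-listed. The two sample requests, the allow-list and every address are constructed for illustration (the `types` section of the typed data is omitted for brevity).

```javascript
// Added example: wallet-side pre-flight check for eth_signTypedData_v4
// requests that flags EIP-2612 Permit signatures before the user can click
// "Sign". Not code from the original article or any wallet vendor; the
// sample requests, the allow-list and all addresses are constructed.

const MAX_UINT256 = (1n << 256n) - 1n;
const ONE_YEAR = 365n * 24n * 3600n;

// Spenders the user has deliberately allow-listed (e.g. a router they use
// daily). Placeholder address, constructed for this example.
const TRUSTED_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

// Inspect one typed-data request. Returns { kind, warnings, advice } where
// advice is "ok" (ordinary signature), "review" (permit to a trusted
// spender) or "reject" (permit to an unknown spender: the phishing pattern).
function classifySignRequest(typedData, nowSec) {
  const warnings = [];
  const msg = typedData.message || {};
  const fields = Object.keys(msg).map((f) => f.toLowerCase());

  // The five fields the article lists are the fingerprint of a Permit.
  const permitFields = ["owner", "spender", "value", "nonce", "deadline"];
  const isPermit =
    typedData.primaryType === "Permit" ||
    permitFields.every((f) => fields.includes(f));
  if (!isPermit) {
    return { kind: "other", warnings, advice: "ok" };
  }

  const domain = typedData.domain || {};
  const token = domain.verifyingContract || "unknown";
  const spender = String(msg.spender).toLowerCase();
  const trusted = TRUSTED_SPENDERS.has(spender);
  warnings.push(`Permit: grants ${spender} an allowance on token ${token}`);

  if (BigInt(msg.value) === MAX_UINT256) {
    warnings.push("value is the maximum uint256 (unlimited allowance)");
  }
  if (BigInt(msg.deadline) > BigInt(nowSec) + ONE_YEAR) {
    warnings.push("deadline is more than a year away (long-lived permit)");
  }
  if (!trusted) {
    warnings.push("spender is not on the allow-list");
  }
  return { kind: "permit", warnings, advice: trusted ? "review" : "reject" };
}

// Constructed phishing-style Permit request, matching the pop-up described
// in the article: owner is the victim, spender is the attacker's address.
const PHISHING_PERMIT = {
  primaryType: "Permit",
  domain: {
    name: "Wrapped ETH", version: "1", chainId: 1,
    verifyingContract: "0x2222222222222222222222222222222222222222",
  },
  message: {
    owner: "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    spender: "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
    value: MAX_UINT256.toString(),
    nonce: 0,
    deadline: "9999999999",
  },
};

// Constructed ordinary "connect wallet" login signature: no spender, value
// or deadline, so the check lets it through.
const NORMAL_LOGIN = {
  primaryType: "Login",
  domain: { name: "ExampleDapp", version: "1", chainId: 1 },
  message: {
    statement: "Sign in to ExampleDapp",
    nonce: "8f2c1a",
    issuedAt: "2024-10-10T00:00:00Z",
  },
};

// Stand-alone run: print the verdict for each sample request.
const NOW = 1700000000;
for (const [label, req] of [["phishing permit", PHISHING_PERMIT],
                            ["normal login", NORMAL_LOGIN]]) {
  const r = classifySignRequest(req, NOW);
  console.log(label, "->", r.advice, r.warnings);
}
```

The check keys on field names rather than on the `primaryType` string alone, because a phishing page controls the type name it sends; the combination of owner, spender, value and deadline is what actually authorizes a token transfer and is much harder to disguise.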

One more thing: if you accidentally sign, don't panic too much; hackers cannot steal every asset. Only tokens whose contracts support the permit method (also called "permit tokens") can be stolen this way. For other assets such as ETH, USDT, USDC, etc., the hacker can only watch and wait, hoping that one day you convert into a permit token so they can act. All you need to do is transfer your assets out immediately.

You can use revoke.cash to check which tokens in your wallet are "permit tokens" (many restaking tokens, such as mETH, pufETH, and the spWETH in Shenyu's case, support permit):

View the token method with permit
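Whether a token is a "permit token" is a property of its contract, so it can be checked directly rather than assumed from the token's name. The following is an added example, not code from the original article or from revoke.cash: it takes a contract's runtime bytecode (the standard `eth_getCode` JSON-RPC method returns it) and looks for the three EIP-2612 function selectors in the contract's dispatcher. The bytecode fragments below are constructed, not real contracts.

```javascript
// Added example, not code from the original article or from revoke.cash:
// decide whether a token contract exposes the EIP-2612 permit interface by
// scanning its runtime bytecode for the three function selectors the
// standard defines. A selector is the first 4 bytes of keccak256 of the
// function signature; the values below are the standard EIP-2612 ones.
const EIP2612_SELECTORS = {
  "permit(address,address,uint256,uint256,uint8,bytes32,bytes32)": "d505accf",
  "nonces(address)": "7ecebe00",
  "DOMAIN_SEPARATOR()": "3644e515",
};

// Build the JSON-RPC body you would POST to a node to fetch the runtime
// code (eth_getCode is a standard method; no network call is made here).
function getCodeRequest(tokenAddress) {
  return {
    jsonrpc: "2.0",
    id: 1,
    method: "eth_getCode",
    params: [tokenAddress, "latest"],
  };
}

// Returns { supportsPermit, found } where found lists the signatures whose
// selectors are present. Solidity dispatchers load each selector with PUSH4
// (opcode 0x63 followed by the 4 bytes), so the scan looks for "63" + selector
// rather than a bare selector, which cuts down accidental matches in data.
function supportsPermit(bytecodeHex) {
  const code = bytecodeHex.toLowerCase().replace(/^0x/, "");
  const found = Object.entries(EIP2612_SELECTORS)
    .filter(([, sel]) => code.includes("63" + sel))
    .map(([sig]) => sig);
  const total = Object.keys(EIP2612_SELECTORS).length;
  return { supportsPermit: found.length === total, found };
}

// Constructed bytecode fragments (not real contracts): a dispatcher that
// compares the calldata selector against PUSH4 constants. a9059cbb, 095ea7b3
// and 70a08231 are the standard transfer/approve/balanceOf selectors.
const PERMIT_TOKEN_CODE =
  "0x608060405260003560e01c8063d505accf14610045578063" +
  "7ecebe0014610060578063" +
  "3644e51514610070578063a9059cbb1461008057";
const PLAIN_ERC20_CODE =
  "0x608060405260003560e01c8063a9059cbb14610045578063095ea7b31461006057" +
  "806370a082311461007057";

// Stand-alone run: show the verdict for both constructed contracts.
for (const [label, code] of [["permit token", PERMIT_TOKEN_CODE],
                             ["plain ERC-20", PLAIN_ERC20_CODE]]) {
  console.log(label, "->", supportsPermit(code));
}
```

A selector scan is a quick triage, not proof: it can miss proxies (the logic lives behind a delegatecall to another address) and tokens with non-standard permit signatures, and a bare substring match is only heuristic. For a definitive answer, call `DOMAIN_SEPARATOR()` and `nonces(yourAddress)` on the contract and see whether they return values rather than revert.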

Finally, a reminder: when connecting a wallet, a permit signature looks the same as a normal signature. It needs no gas and nothing goes on chain, and it does not show up in your approvals. The signed message is stored on the hacker's server; if you sign it by mistake, the hacker will patiently wait until your wallet has funds and then transfer them away. Be sure to keep your eyes open and read carefully.