Original source: Rhythm

Reprinted: Koala, Mars Finance

On September 28, Lookonchain published a post disclosing that a certain address lost 12,083.6 spWETH (about $32.33 million) due to a phishing attack. Arkham said the wallet may be related to Cobo co-founder and CEO Shenyu (@bitfish1). At present, Shenyu has not responded to this. Today, according to Lookonchain, a certain address (possibly related to @ContinueFund) lost 15079 fwDETH (worth $36 million) by signing a "Permit" phishing signature 6 hours ago. Why is Permit signature phishing so powerful that even the big guys in the circle have been hit one after another? This article provides a detailed popular science on this. BlockBeats once again reminds users not to click on any unknown links or sign any unknown signatures.

According to the GoPlus security team, phishing attacks have become the main risk that causes the most losses to individual Web3 users. Attackers usually imitate official Twitter, Telegram, email, Discord replies or private chats with users to lure users to click on phishing website links with Claim airdrops, refunds, and welfare activities, and then steal the user's authorized assets through "Permit" signatures in the wallet. This is an offline signature authorization standard that uses EIP-2612, allowing users to approve without having Eth to pay for Gas fees, which can simplify the user's approval process and reduce the risk of errors or delays caused by manual approval processes, but it has also become a common method of phishing attacks.

What is a Permit Signature?

Simply put, in the past we needed Approve before we could transfer tokens to other contracts, but if the contract supports Permit, we can use Permit offline signature to skip Approve and authorize without paying gas. After authorization, the third party has the corresponding control and can transfer the user-authorized assets at any time.

Alice uses the off-chain signature to authorize the protocol. The protocol calls Permit on the chain to obtain authorization, and then can call TransferFrom to transfer the corresponding assets.

1. Attach permit signature to the transaction for interaction, no need for pre-approval

2. Off-chain signatures, on-chain operations are performed by authorized addresses, and authorized transactions can only be viewed at authorized addresses

3. It is required to write relevant methods into the ERC20 token contract. Tokens released before EIP-2612 do not support this.

After the phishing attacker forges a phishing website, he will use the Permit signature to obtain user authorization. The Permit signature usually contains:

Interactive: Interactive website

Owner: Authorized party address

Spender: authorized party address

Value: Authorized quantity

Nonce: Random number (anti-replay)

Deadline: expiration date

Once the user signs the Permit signature, the Spender can transfer assets of the corresponding Value within the Deadline.

How to prevent permit signature phishing attacks

1. Do not click on any unfamiliar or untrusted links, and always double-check the correct official channel information.

2. When you open any website and a pop-up window pops up to confirm the wallet signature, do not rush to click on it. Read the interactive URL and signature content that appear above the Singnature request patiently and carefully. If an unfamiliar URL and Permit information containing Spender and Value appear, click [Reject] directly to avoid asset loss.

3. The [Message Signature] pop-up window that is activated when logging in or registering is a safe confirmation operation that can be clicked. The reference style is as follows: