Author: Biteye, Source: Author’s Twitter @BiteyeCN

On September 28, an address reportedly linked to the well-known crypto figure Shenyu lost about $32.33 million to a phishing attack. Coincidentally, on October 11, fwDETH assets worth $35 million were stolen by a phishing gang. In just half a month, more than 470 million yuan worth of crypto assets have been lost to permit signature phishing attacks and are unlikely to be recovered.

Why is Permit signature phishing so effective that even the big names of the crypto world fall for it?

Crypto bigwigs hit one after another, losses exceeding 470 million RMB: why is Permit signature phishing so powerful?

What is a permit signature?

To understand why the Permit signature was introduced, you first need to understand the authorization rule of ERC20 tokens: Account A calls the approve function to authorize Account B to operate a specified amount of its tokens, and only the owner of the tokens can call this function.

Permit is a mechanism that implements this authorization with an off-chain signature, which lets the owner skip the approve transaction and pay no gas. A signs an authorization for B off-chain in advance and hands the signature to B; B then submits the signature on-chain by calling the permit function, which sets A's allowance for B, after which B can use transferFrom to move A's tokens.

Through Permit, A can grant a token allowance without sending any on-chain transaction itself, and the permit call is not restricted to the account owner: anyone holding a valid signature can submit it. Permit was formally introduced for ERC20 tokens in EIP-2612, giving users a convenient and gas-saving way to interact.


How are permit signatures used to carry out phishing attacks?

Given the above, once a user lands on a phishing website and clicks the link it presents, the wallet is asked to sign a Permit message and the hacker obtains that signature. The hacker then submits the signature on-chain through the permit function, gains control of the user's tokens, and transfers them away.

Attack steps: the victim enters the phishing website - the site prompts the connected wallet for a signature - the hacker obtains the signature and steals the assets through permit

For example, the following is a malicious signature request from a phishing website. The top of the picture shows that this is a fake zkSync site, and the Permit signature below shows the wallet (owner) authorizing an address (spender). The value field is the number of tokens being authorized, and the deadline is a timestamp until which the signature remains valid.


How to avoid permit signature phishing attacks

Permit signature phishing attacks are not unpreventable. Most users who suffer losses have made several security mistakes in succession.

First, users should keep the wallet that stores their coins separate from the wallet they use to interact with DeFi, and carefully check the URL before connecting the wallet, signing, or authorizing, to make sure they are on the correct website;

Second, some websites may have had their contracts maliciously replaced by hackers. Before clicking to sign or authorize, carefully read the Signature request shown in the wallet pop-up to confirm that the spender address being authorized is correct and that the asset and amount are within a range you can afford to lose;

Finally, security plugins such as @wallet_guard and @realScamSniffer can help identify abnormal risks, and authorization tools such as RevokeCash (https://revoke.cash) should be used periodically to check for abnormal approvals. Plugin wallets such as @Rabby_io also present signature requests in a more readable form.
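The checks above (confirm the spender, the amount and the validity window before signing) can be automated over the EIP-712 typed data that a dapp passes to the wallet. The following is an added example, not code from the original article or from any of the tools it names: it reconstructs a Permit request with the owner, spender, value, nonce and deadline fields described earlier, and flags the signs of a phishing request. The field layout follows EIP-2612; the addresses, token name, trusted-spender list and the 30-day deadline threshold are constructed placeholders and assumptions.

```javascript
// Added example (not from the original article): a reviewer for the EIP-712
// typed data a wallet is asked to sign. It reconstructs a Permit request and
// flags the classic phishing signals: unlimited value, far-future deadline,
// and a spender the user has never trusted before.
// All addresses, the token name and the trusted list are placeholders.

const MAX_UINT256 = (1n << 256n) - 1n;

// Constructed sample of what a phishing site might hand to the wallet.
// The owner is the victim; the spender is an attacker-controlled address.
const samplePermitRequest = {
  types: {
    EIP712Domain: [
      { name: "name", type: "string" },
      { name: "version", type: "string" },
      { name: "chainId", type: "uint256" },
      { name: "verifyingContract", type: "address" },
    ],
    Permit: [
      { name: "owner", type: "address" },
      { name: "spender", type: "address" },
      { name: "value", type: "uint256" },
      { name: "nonce", type: "uint256" },
      { name: "deadline", type: "uint256" },
    ],
  },
  primaryType: "Permit",
  domain: {
    name: "Example Token", // placeholder token name
    version: "1",
    chainId: 1,
    verifyingContract: "0x1111111111111111111111111111111111111111", // placeholder
  },
  message: {
    owner: "0x2222222222222222222222222222222222222222",   // placeholder victim
    spender: "0x3333333333333333333333333333333333333333", // placeholder unknown spender
    value: MAX_UINT256.toString(),                         // unlimited allowance
    nonce: "0",
    deadline: "99999999999",                               // far in the future
  },
};

// Spenders the user has deliberately approved before (constructed placeholder).
const trustedSpenders = new Set([
  "0x4444444444444444444444444444444444444444",
]);

// Assumption: a validity window longer than 30 days is unusual for a one-off action.
const MAX_REASONABLE_VALIDITY = 30n * 24n * 3600n;

function reviewPermitRequest(typedData, trusted, nowSeconds = Math.floor(Date.now() / 1000)) {
  const findings = [];
  if (typedData.primaryType !== "Permit") {
    return { isPermit: false, findings };
  }
  const m = typedData.message;
  const value = BigInt(m.value);
  const deadline = BigInt(m.deadline);
  const spender = String(m.spender).toLowerCase();

  if (value === MAX_UINT256) {
    findings.push("value is the maximum uint256: an unlimited allowance");
  }
  if (deadline - BigInt(nowSeconds) > MAX_REASONABLE_VALIDITY) {
    findings.push("deadline is more than 30 days away");
  }
  if (!trusted.has(spender)) {
    findings.push(`spender ${spender} is not a previously trusted contract`);
  }
  return {
    isPermit: true,
    findings,
    spender,
    value,
    deadline,
    verifyingContract: typedData.domain.verifyingContract,
  };
}

// Human-readable summary: the view a wallet should show before the user signs.
function summarize(review) {
  if (!review.isPermit) return "Not a Permit request";
  const amount = review.value === MAX_UINT256 ? "UNLIMITED" : review.value.toString();
  const lines = [
    `Permit: allow ${review.spender} to spend ${amount} of token ${review.verifyingContract} until ${review.deadline}`,
  ];
  for (const f of review.findings) lines.push(`  RISK: ${f}`);
  return lines.join("\n");
}

console.log(summarize(reviewPermitRequest(samplePermitRequest, trustedSpenders)));
```

A wallet extension that renders signature requests (the readable view the article credits Rabby with) is effectively doing this decoding for the user; the point of the example is that the three fields to read before signing are spender, value and deadline, and that an unlimited value with a distant deadline to an unfamiliar spender is the exact shape of the request in the screenshot described above.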