Users lost $11 million to cryptocurrency phishing scams
According to a Scam Sniffer report, one victim lost over $11 million worth of aEthMKR and Pendle USDe tokens after signing multiple Permit phishing signatures. According to Arkham Intelligence, the victim is a MakerDAO governance representative.
Blockchain security company SlowMist noted that victims could face significant losses due to signature risks.
Permit is a feature introduced by EIP-2612 that removes the need for a separate, prior on-chain approval transaction when interacting with smart contracts. Instead, the token holder authorizes a spender by producing a signature, which requires no on-chain transaction.
A potential victim can sign a Permit for a malicious website without it being broadcast to the blockchain. Since having a signature is enough to grant authorization, Permit carries considerable risks, according to SlowMist.
Malicious actors may trick victims into providing signatures by impersonating legitimate websites.
Since the signature is produced off-chain, determining whether it has been compromised can be difficult. "We understand that some wallets decode and display signature information to approve authorization phishing attempts, but lack sufficient warning about Permit signature phishing, posing a higher risk to users," the company said.
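The warning SlowMist says wallets lack can be sketched as a pre-signing check on the EIP-712 request. This is an added example, not code from the article, SlowMist or any wallet; `reviewSigningRequest`, the `trustedSpenders` allowlist, the 24-hour threshold and all addresses in the sample are assumptions constructed for illustration.

```javascript
// Added example: classify an EIP-712 signing request before the user signs it.
// EIP-2612 type: Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)
const PERMIT_FIELDS =
  "address owner,address spender,uint256 value,uint256 nonce,uint256 deadline";
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_LIFETIME_SEC = 86400n; // assumed policy: flag permits valid for over 24 hours

// typedData: parsed eth_signTypedData_v4 payload.
// trustedSpenders: hypothetical user-maintained Set of lowercase addresses.
// nowSec: current Unix time in seconds.
function reviewSigningRequest(typedData, trustedSpenders, nowSec) {
  const result = { isPermit: false, warnings: [] };
  const fields = (typedData.types && typedData.types[typedData.primaryType]) || [];
  const shape = fields.map((f) => `${f.type} ${f.name}`).join(",");
  // Match on the struct layout, not only the name, so look-alike types are not mislabelled.
  if (typedData.primaryType !== "Permit" || shape !== PERMIT_FIELDS) return result;

  result.isPermit = true;
  const { spender, value, deadline } = typedData.message;
  const token = typedData.domain.verifyingContract;
  result.warnings.push(
    `Signing lets ${spender} spend your balance of token ${token}; no transaction from you is needed`);
  if (!trustedSpenders.has(String(spender).toLowerCase()))
    result.warnings.push("Spender is not in your trusted list");
  if (BigInt(value) === MAX_UINT256)
    result.warnings.push("Allowance is unlimited");
  if (BigInt(deadline) - BigInt(nowSec) > MAX_LIFETIME_SEC)
    result.warnings.push("Signature stays valid for more than 24 hours");
  return result;
}

// Constructed sample request (all addresses are placeholders, not real contracts).
const samplePermit = {
  primaryType: "Permit",
  types: { Permit: [
    { name: "owner", type: "address" }, { name: "spender", type: "address" },
    { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" },
    { name: "deadline", type: "uint256" } ] },
  domain: { name: "SampleToken", version: "1", chainId: 1,
            verifyingContract: "0x" + "3".repeat(40) },
  message: { owner: "0x" + "1".repeat(40), spender: "0x" + "2".repeat(40),
             value: "0x" + "f".repeat(64), nonce: "0", deadline: "1702592000" },
};

console.log(reviewSigningRequest(samplePermit, new Set(), 1700000000).warnings);
```

A request whose primary type is not the EIP-2612 `Permit` struct returns `isPermit: false`, so the check only adds prompts where a signature alone would grant a token allowance.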