According to U.Today, a MakerDAO governance delegate fell victim to a Permit phishing scam, losing over $11 million in aEthMKR and Pendle USDe tokens. The incident was reported by Scam Sniffer and further confirmed by Arkham Intelligence. The victim reportedly signed multiple malicious Permit messages, which the attacker then used to drain the tokens.
Permit, introduced by EIP-2612, replaces the separate on-chain approve() transaction with a signed message. The token holder signs an EIP-712 typed message (owner, spender, value, nonce, deadline) entirely off-chain; anyone who holds that signature can later submit it to the token contract's permit() function to set the allowance and then move the tokens with transferFrom(). Because producing the signature broadcasts nothing, a potential victim can sign a permit on a malicious website and nothing appears on the blockchain until the attacker chooses to use it. As the mere possession of the signature is enough to grant authorization, this feature carries a significant level of risk, as noted by blockchain security firm SlowMist.
The firm further explained that bad actors can deceive victims into providing the signatures by posing as a legitimate website. Detecting that a signature has been given away is hard because the signing step itself happens off-chain; the first on-chain trace is usually the attacker submitting the permit, often in the same transaction that moves the tokens, by which point the funds are already gone. SlowMist stated, 'From our understanding, some wallets decode and display signature information to approve authorization phishing attempts, but there is a lack of sufficient warning regarding permit signature phishing, posing higher risks to users.' This incident underscores the potential risks associated with Permit signatures and the need for increased security measures.
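The wallet-side warning SlowMist says is missing is the kind of check a practitioner would want to see in code. The following is an added example, not code from the article, from SlowMist, or from any wallet: it takes the JSON payload a dApp hands to eth_signTypedData_v4, recognises an ERC-20 Permit (the EIP-2612 shape the article describes, and also the older DAI-style allowed/expiry variant, which goes slightly beyond the text), and flags the traits of the requests used in permit phishing: a spender that is not a known contract, an unlimited value, and a deadline that never effectively expires. The addresses, the token name, the trusted-spender set and the one-year deadline heuristic are all placeholders and assumptions, not data from the incident.

```python
"""Pre-signing check for ERC-20 permit requests handed to a wallet.

Added example, not part of the original article or any wallet's code. It parses
the JSON a dApp passes to eth_signTypedData_v4 and flags the traits typical of
permit phishing (unknown spender, unlimited value, effectively no deadline).
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

MAX_UINT256 = 2**256 - 1
ONE_YEAR = 365 * 86400  # assumed cut-off: longer deadlines are treated as unbounded

# Field sets of the two permit shapes seen in the wild: the EIP-2612 standard
# (value/deadline) and the older DAI-style variant (allowed/expiry).
EIP2612_FIELDS = {"owner", "spender", "value", "nonce", "deadline"}
DAI_FIELDS = {"holder", "spender", "nonce", "expiry", "allowed"}


@dataclass
class PermitReview:
    is_permit: bool
    spender: str | None = None
    warnings: list[str] = field(default_factory=list)


def _as_int(v) -> int:
    """uint256 fields arrive as decimal strings, 0x-hex strings or ints."""
    if isinstance(v, str) and v.lower().startswith("0x"):
        return int(v, 16)
    return int(v)


def review_typed_data(payload: str, trusted_spenders: set[str],
                      expected_chain_id: int, now: int) -> PermitReview:
    """Return is_permit=False for non-permit typed data, else a warning list.

    An empty warning list means nothing obviously wrong was found, not that the
    request is safe: a phisher can also ask for a modest value and short deadline.
    """
    td = json.loads(payload)
    primary = td.get("primaryType")
    fields = {f["name"] for f in td.get("types", {}).get(primary, [])}
    if primary != "Permit" or not (EIP2612_FIELDS <= fields or DAI_FIELDS <= fields):
        return PermitReview(is_permit=False)

    msg, domain = td.get("message", {}), td.get("domain", {})
    spender = str(msg.get("spender", "")).lower()
    review = PermitReview(is_permit=True, spender=spender)

    if spender not in {s.lower() for s in trusted_spenders}:
        review.warnings.append(f"spender {spender} is not a known contract")
    if "value" in msg and _as_int(msg["value"]) == MAX_UINT256:
        review.warnings.append("unlimited allowance (value == 2**256 - 1)")
    if msg.get("allowed") is True:
        review.warnings.append("DAI-style permit with allowed=true (unlimited allowance)")
    deadline = _as_int(msg.get("deadline", msg.get("expiry", 0)))
    # EIP-2612 rejects an expired deadline; the DAI variant treats expiry == 0 as "never".
    if deadline == MAX_UINT256 or deadline > now + ONE_YEAR or ("expiry" in msg and deadline == 0):
        review.warnings.append("deadline is effectively unbounded")
    if _as_int(domain.get("chainId", 0)) != expected_chain_id:
        review.warnings.append(f"chainId {domain.get('chainId')} != expected {expected_chain_id}")
    return review


def build_permit_request(owner: str, spender: str, value: int, deadline: int,
                         token_name: str = "aEthMKR", chain_id: int = 1) -> str:
    """Build an EIP-2612 Permit typed-data request the way a dApp would send it.

    The verifyingContract is a placeholder, not the real aEthMKR contract address.
    """
    return json.dumps({
        "types": {
            "EIP712Domain": [{"name": "name", "type": "string"},
                             {"name": "version", "type": "string"},
                             {"name": "chainId", "type": "uint256"},
                             {"name": "verifyingContract", "type": "address"}],
            "Permit": [{"name": "owner", "type": "address"},
                       {"name": "spender", "type": "address"},
                       {"name": "value", "type": "uint256"},
                       {"name": "nonce", "type": "uint256"},
                       {"name": "deadline", "type": "uint256"}],
        },
        "primaryType": "Permit",
        "domain": {"name": token_name, "version": "1", "chainId": chain_id,
                   "verifyingContract": "0x1111111111111111111111111111111111111111"},
        "message": {"owner": owner, "spender": spender, "value": str(value),
                    "nonce": "0", "deadline": str(deadline)},
    })


# Constructed sample data with placeholder addresses (none are from the incident).
NOW = 1_700_000_000
OWNER = "0x2222222222222222222222222222222222222222"
TRUSTED_ROUTER = "0x3333333333333333333333333333333333333333"
DRAINER = "0xdEaDdEaDdEaDdEaDdEaDdEaDdEaDdEaDdEaDdEaD"

# What a phishing page asks for: unknown spender, unlimited value, no real deadline.
PHISHING_PERMIT = build_permit_request(OWNER, DRAINER, MAX_UINT256, MAX_UINT256)
# What a legitimate dApp asks for: known spender, exact amount, 30-minute deadline.
BENIGN_PERMIT = build_permit_request(OWNER, TRUSTED_ROUTER, 1000 * 10**18, NOW + 1800)

if __name__ == "__main__":
    for label, req in (("phishing", PHISHING_PERMIT), ("benign", BENIGN_PERMIT)):
        r = review_typed_data(req, {TRUSTED_ROUTER}, expected_chain_id=1, now=NOW)
        print(label, "permit" if r.is_permit else "not a permit", r.warnings)
```

The spender check is the one that matters most: the phishing request above is indistinguishable from a legitimate one except for who is named as spender, so a wallet that decodes the message but does not compare the spender against a list of known contracts (or at least display it prominently) gives the user nothing to act on. The unlimited-value and unbounded-deadline checks catch the lazy variant of the attack but not a careful one.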