Author: OneKey Chinese Source: X, @OneKeyCN
Take a test yourself. Do you still think that as long as I don’t initiate a transaction and sign a “connect and log in” website, I won’t lose my assets?
If you nod your head, then your security awareness may have stayed at 21 years ago.
According to the March 24 phishing report* published by Scam Sniffer, 90% of the phished assets are ERC-20 tokens. The main phishing method is Permit/Permit2 phishing signatures.
In mid-March of this year alone, there were 4 stolen transactions with an average asset value of about $2M, of which 3 were Pendle PT principal tokens stolen by Permit phishing signatures.
From the perspective of the victim, this is simply a horror movie - one day, I suddenly found that my assets were transferred away. After checking, I thought that my private key was stolen. In the end, I found that it was an inadvertent offline signature. I was helpless.
And all this could have been avoided.
One sentence to explain Permit / Permit2
In order to save time, OneKey will not talk too much about the encryption "textbook knowledge" of EIP-2612 introducing Permit or Uniswap launching Permit2. (Maybe you will have a headache just by reading this sentence)
You just need to realize that: times have changed, and the signature of "thick eyebrows and big eyes" is not simple.
You can directly and roughly understand it as - now many ERC-20 token authorizations will be managed through an "intermediary".
In the past, your token quota was approved to each dApp contract one by one. And each authorization requires Gas.
Now, through the Permit/Permit2 technology (which has been adopted by a considerable number of dApps), you only need to authorize the token to the "intermediary" of Permit/Permit2.
DApps that integrate this technology can request to use this authorization quota - just a simple signature can authorize them (even in batches), without spending Gas authorization again and again.
A double-edged sword
Although this type of signature upgrade brings convenience and cost savings to cross-application operations, it has various benefits. But it also leaves some hidden dangers.
The danger lies in that in the last bull market, crypto users have developed the habit of "signing to log in to Dapp requires connection", and they assume that ordinary signatures are safe and defenseless.
As everyone knows, if you don't pay attention to distinguishing the new version of the signature (blind signature), you will be phished. This poses new challenges to user security awareness and various infrastructures such as wallets.
For hackers, it is a better way to "kill with a borrowed knife".
The attacker only needs to deploy a phishing contract, obtain a Permit authorization signature from you, and then submit a transaction to steal your assets (you can even wait a few days until you forget about it before submitting it). In addition, Permit2 can also allow hackers to obtain the permissions of all your authorized tokens in batches.
For example, in this case recently shared by SlowMist founder Yu Xian (https://x.com/evilcos/status/1771338665052287307), a user was signed and phished for authorization of relevant tokens during the staking period, but he knew nothing about it (and did not pay attention to checking). When the hacker withdrew the tokens to his wallet, the assets were immediately stolen, causing heavy losses.
From the perspective of disguise, it seems that phishing has become a little simpler. They can make an "airdrop check" website and let you "connect your wallet" to view the airdrop. Or, make a tool website for you to log in to meet your needs in certain hot events/projects. There are endless ways. And during use, you may be induced to make a Permit/Permit2 type signature.
Looking to the future, as Ethereum advances account abstraction (EIP-3074 is officially included in the next Pectra hard fork upgrade), you can even directly authorize the entire address control authority to a contract, allowing the contract address to directly operate the user's wallet address. This will also introduce new phishing risks while being convenient.
Of course, this is a later story.
How to prevent this type of phishing? Is there a regret medicine?
There have been countless tweets and articles written about the prevention methods of Permit / Permit2 phishing. Here we are also not tired of summarizing it again-it is worth it.
1. Don't sign blindly
Just like a legally binding contract in the real world, no one will give their signature at will.
Identifying disguised phishing websites is a basic operation of cryptographic security. You should also be careful about the "login request" of unfamiliar local dog websites. Hackers will try their best to
disguise the intention of the button and trick you into signing.
The commonly used little fox can recognize Permit/Permit2 signatures. If the dAPP you interact with pops up this type of signature, it is best to confirm again and again whether you want to authorize the relevant tokens. If it is just an ordinary signed message, it is impossible to pop up a special type of signature.
In addition to the Permit class, there are also increaseAllowance, multi-dApp combination operations, and even various completely unreadable signatures starting with 0x, which may endanger the security of your assets.
In short, if you are not clear about the content and consequences of the signature that pops up, you must be very cautious, especially when there are more assets in the wallet.
2. Separation of wet and dry
If you often walk by the river, you will get your shoes wet.
If you like to "ignore risk warnings" on small websites and play with local dogs, if you really have to frequently engage in "high-risk behavior", then do a good job of isolating your assets.
Small wallets that are often used for interaction do not store a large amount of assets. To give an inappropriate analogy, when you go out shopping casually, you will definitely not bring your belongings with you, and you will only put some small money in your wallet.
And every once in a while, change and sort out your assets, change to a new wallet, and cancel authorization and signature to reduce your risk exposure as much as possible.
For wallets that store a large amount of assets, do not "connect" to the website at will. Or simply keep them in a hardware wallet for cold storage, and transfer them out for interaction when needed. This is also a commonplace way to prevent phishing.
3. Check authorization
If it is not used intensively, it is recommended to choose on-demand authorization when authorizing the Permit/Permit2 token quota for the first time. That is, authorize as much as you use, rather than the default maximum (unlimited) quota.
If you have authorized unlimited quotas for Permit/Permit2, you can also regret it. You can check your token authorization risk exposure at http://Revoke.Cash - you will clearly see how much a token is authorized for Permit/Permit2.
The tool also supports canceling signatures, and you can also find signatures in it to cancel (before hackers activate the relevant signatures to steal your assets).
It should be noted that the Permit type signature is an offline signature, and there is no trace on the chain before it is used (hackers usually store these stolen signatures on the server).
It is a good habit to use tools to check authorization and signatures regularly.
Conclusion
If you are unfortunately caught, it is best to seek help from professional security teams such as SlowMist in time to transfer assets and make up for the loss in time to minimize the loss. You can even use some technical means to rescue assets.
It is worth noting that these signature phishing have tended to be professionalized and industrialized, with clear division of labor and spoils. If the assets have been transferred and laundered by a professional Drainer hacker team, there is a high probability that they will not be able to get them back! So we have to take precautions before they happen and don't let them have any chance to take advantage of it.
Miyuki
JinseFinance
CryptoSlate
New York Magazine
decrypt
cryptopotato
Bitcoinist
Ftftx