Permit2 Signature Phishing: A New Technique That Puts Asset Security at Risk, Stay Vigilant


Unveiling the Uniswap Permit2 Signature Scam

Hackers are a terrifying presence in the Web3 ecosystem. For project teams, open source code makes them nervous, fearing that a single line of erroneous code may leave a vulnerability. For individual users, every on-chain interaction or signature could lead to asset theft. Therefore, security issues have always been one of the pain points in the crypto world. Due to the characteristics of blockchain, stolen assets are almost impossible to recover, so having security knowledge is particularly important.

Recently, a researcher discovered a new type of phishing technique that can lead to asset theft with just a signature. This method is extremely covert and difficult to prevent, and addresses that have interacted with certain trading platforms may be at risk. This article explains this signature phishing technique to help minimize further asset losses.

Incident details

Recently, a friend (Xiao A) had his wallet assets stolen. Unlike common theft methods, Xiao A neither leaked his private key nor interacted with a phishing website contract.

The blockchain explorer shows that the USDT in Wallet A was transferred using the transferFrom function. This means that another address moved the Token, rather than the wallet's private key having been leaked.


The transaction details reveal key clues:

  • An address transfers Xiao A's assets to another address.
  • This operation interacts with the Permit2 contract of a certain trading platform.

The problem is, how did this address obtain asset permissions? Why is it related to a certain trading platform?

To call the transferFrom function, the caller needs the Token allowance (approve). Before that address transferred Xiao A's assets, it also performed a Permit operation, and both operations interacted with a certain exchange's Permit2 contract.


Permit2 is a new contract launched by a trading platform at the end of 2022, allowing token authorization to be shared across different applications, aiming to create a more unified, cost-effective, and secure user experience. With more projects integrating, Permit2 is expected to achieve token approval standardization across all applications, reducing transaction costs and enhancing smart contract security.

The launch of Permit2 may change the rules of the Dapp ecosystem. Traditionally, users need to grant an approval for each Dapp they interact with, but Permit2 can eliminate this step, effectively reducing the interaction cost for users. Permit2 acts as an intermediary between users and Dapps: users only need to approve the Permit2 contract once, and all Dapps integrated with this contract can share the approved limit.


However, this is also a double-edged sword. Permit2 turns user operations into off-chain signatures, with all on-chain operations completed by an intermediary. This means that even if the user's wallet does not have ETH, they can use other tokens to pay for gas fees or have the intermediary reimburse them. However, off-chain signatures are also the most easily overlooked aspect by users, as most people do not carefully check the content of the signature.

The key prerequisite for this phishing technique is that the targeted wallet must have approved tokens to the Permit2 contract. Currently, any swap conducted on a Dapp or trading platform that integrates Permit2 requires an approval to the Permit2 contract.

The more frightening thing is that regardless of the Swap amount, the Permit2 contract will by default allow users to authorize the entire balance of that Token. Although the wallet will prompt for a custom input amount, most people may directly choose the maximum or default value, and the default value of Permit2 is unlimited.


This means that as long as there has been interaction with a trading platform after 2023 and an approval given to the Permit2 contract, there may be a risk of this scam.

The key point is the Permit function, which allows the user to transfer the token limit authorized to the Permit2 contract to other addresses. As long as hackers obtain the user's signature, they can gain access to the token permissions in the user's wallet and transfer assets.

Detailed Analysis of the Incident

The Permit function allows users to pre-sign a "contract", permitting others (spender) to use a certain amount of tokens in the future. Users must provide a signature to prove the authenticity of the "contract".

Function workflow:

  1. Check if the current time exceeds the signature validity period
  2. Verify the authenticity of the signature
  3. If these checks pass, update the record to allow the spender to use the tokens.


The focus is on the verify function and the _updateApproval function.

The verify function takes the three values v, r, and s from the signature and recovers the signer's address from them. The contract compares the recovered address with the provided token owner's address; if they match, verification succeeds.


The _updateApproval function updates the allowance value after signature verification, meaning that the authority has been transferred. At this point, the authorized party can call the transferFrom function to transfer tokens to the specified address.


On-chain real transaction shows:

  • owner is the address of wallet A.
  • details contains the approved Token contract address and the amount.
  • spender is the hacker's address.
  • sigDeadline is the signature's validity deadline; signature is Xiao A's signature data.
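To make the three-step flow above (deadline check, signature verification, _updateApproval) and the fields of the on-chain call concrete, here is an added, simplified Python model of Permit2's allowance flow. It is not Permit2's code: the Python standard library has no keccak-256 or secp256k1, so the EIP-712 digest is modelled with SHA-256 and "ecrecover" with a keyed MAC that stands in for recovering the signer; all addresses and the signing secret are constructed labels. What the model preserves is the control flow that matters for reasoning about risk: sigDeadline, signer check, ordered nonce, the allowance record, its expiration, and the ERC-20 approval to Permit2 that the text names as the prerequisite.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_UINT160 = (1 << 160) - 1  # Permit2 treats this amount as "unlimited"

@dataclass(frozen=True)
class PermitDetails:
    token: str
    amount: int       # uint160
    expiration: int   # uint48, unix seconds; allowance is dead after this
    nonce: int        # uint48, ordered per (owner, token, spender)

@dataclass(frozen=True)
class PermitSingle:
    details: PermitDetails
    spender: str
    sig_deadline: int  # uint256, unix seconds; signature is dead after this

def permit_digest(p: PermitSingle) -> bytes:
    # Stand-in for the EIP-712 struct hash (stdlib has no keccak-256)
    d = p.details
    msg = f"PermitSingle|{d.token}|{d.amount}|{d.expiration}|{d.nonce}|{p.spender}|{p.sig_deadline}"
    return hashlib.sha256(msg.encode()).digest()

class ToyPermit2:
    # Model of the AllowanceTransfer part of Permit2, not the real contract
    def __init__(self, keys):
        self._keys = keys             # address -> signing secret; stands in for ecrecover
        self.allowance = {}           # (owner, token, spender) -> [amount, expiration]
        self.nonce = {}               # (owner, token, spender) -> next expected nonce
        self.erc20_approved = set()   # (owner, token) where owner approved Permit2 on the token
        self.balances = {}            # (token, holder) -> balance

    def sign(self, owner, p):
        return hmac.new(self._keys[owner], permit_digest(p), "sha256").digest()

    def permit(self, owner, p, signature, now):
        if now > p.sig_deadline:                                    # 1. deadline check
            raise PermissionError("SignatureExpired")
        if not hmac.compare_digest(self.sign(owner, p), signature):  # 2. must recover to owner
            raise PermissionError("InvalidSigner")
        key = (owner, p.details.token, p.spender)                   # 3. _updateApproval
        if self.nonce.get(key, 0) != p.details.nonce:
            raise PermissionError("InvalidNonce")
        self.nonce[key] = p.details.nonce + 1
        self.allowance[key] = [p.details.amount, p.details.expiration]

    def transfer_from(self, caller, owner, to, amount, token, now):
        key = (owner, token, caller)
        allowed, expiration = self.allowance.get(key, [0, 0])
        if now > expiration:
            raise PermissionError("AllowanceExpired")
        if allowed != MAX_UINT160 and allowed < amount:
            raise PermissionError("InsufficientAllowance")
        # Permit2 then calls token.transferFrom(owner, to, amount), which only
        # works if the owner previously approved the Permit2 contract on the token.
        if (owner, token) not in self.erc20_approved:
            raise PermissionError("ERC20InsufficientAllowance")
        if self.balances.get((token, owner), 0) < amount:
            raise PermissionError("ERC20InsufficientBalance")
        if allowed != MAX_UINT160:          # unlimited allowances are never decremented
            self.allowance[key][0] = allowed - amount
        self.balances[(token, owner)] -= amount
        self.balances[(token, to)] = self.balances.get((token, to), 0) + amount

def scenario():
    # Walk through the flow with constructed addresses; returns what happened
    owner, spender, usdt = "0xowner", "0xspender", "0xusdt"   # constructed labels
    p2 = ToyPermit2({owner: b"owner-signing-secret"})
    p2.balances[(usdt, owner)] = 1000
    now = 1_700_000_000
    permit = PermitSingle(PermitDetails(usdt, 500, now + 3600, 0), spender, now + 1800)
    sig = p2.sign(owner, permit)
    out = {}
    p2.permit(owner, permit, sig, now)           # valid permit: allowance recorded
    try:                                         # ...but no ERC-20 approval to Permit2 yet
        p2.transfer_from(spender, owner, spender, 100, usdt, now)
    except PermissionError as e:
        out["no_erc20_approval"] = str(e)
    p2.erc20_approved.add((owner, usdt))         # the precondition named in the text
    p2.transfer_from(spender, owner, spender, 100, usdt, now)
    out["owner_balance"] = p2.balances[(usdt, owner)]
    out["remaining_allowance"] = p2.allowance[(owner, usdt, spender)][0]
    try:                                         # same signature again: nonce consumed
        p2.permit(owner, permit, sig, now)
    except PermissionError as e:
        out["replay"] = str(e)
    late = PermitSingle(PermitDetails(usdt, 500, now + 3600, 1), spender, now - 1)
    try:                                         # sigDeadline already in the past
        p2.permit(owner, late, p2.sign(owner, late), now)
    except PermissionError as e:
        out["expired_signature"] = str(e)
    try:                                         # allowance expiration reached
        p2.transfer_from(spender, owner, spender, 1, usdt, now + 3601)
    except PermissionError as e:
        out["expired_allowance"] = str(e)
    return out
```

Running scenario() shows why the two defensive levers discussed later in the article work: with the ERC-20 approval to Permit2 absent, a perfectly valid permit moves nothing, and a short expiration cuts off transferFrom once it passes, even if allowance remains. An allowance of MAX_UINT160 is never decremented, which is what "unlimited" means in practice.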


Reviewing Xiao A's interaction records showed that when using a certain trading platform, the default approval limit was accepted, which is almost unlimited.


Simple review: Xiao A previously approved an unlimited USDT allowance to Permit2, and later fell into a phishing trap set by hackers. After obtaining the signature, the hackers performed Permit and transferFrom operations on the Permit2 contract, transferring Xiao A's assets away. Currently, the Permit2 contract seems to have become a phishing paradise, and this phishing method has been active for about two months.

How to prevent it?

Considering that the Permit2 contract may become more widely adopted in the future, with more projects or integrations for authorization sharing, effective prevention measures include:

  1. Understand and identify the content of the signature: The Permit signature format typically includes key information such as Owner, Spender, value, nonce, and deadline. To enjoy the convenience of Permit2, it is essential to learn how to recognize this type of signature format. Using a security plugin is a good choice.

  2. Separate the asset wallet from the interaction wallet: It is recommended to store the bulk of assets in a cold wallet and keep only a small amount of funds in the wallet used for on-chain interactions, which can significantly reduce losses if you encounter a scam.

  3. Limit the approval amount or revoke the approval: When swapping on a certain trading platform, only approve the amount needed for the interaction. Although re-approving for each interaction increases costs, it avoids the phishing risk associated with Permit2 signatures. Users who have already granted an approval can revoke it through a security plugin.

  4. Identify the nature of the token and check whether it supports the permit function: In the future, more ERC20 tokens may implement the permit function. Check whether the tokens you hold support it; if they do, trading operations must be extra cautious, and every unknown signature must be strictly checked.

  5. If you still have tokens on other platforms after being scammed, develop a comprehensive rescue plan: If you find that you have been deceived but still have tokens on other platforms through staking or other means, be cautious when withdrawing and transferring them. Hackers may monitor the address balance at any time, and as soon as tokens appear they may be transferred away. A complete rescue process should be prepared, and the withdrawal and the transfer should be executed simultaneously. An MEV transfer can be used, or professional security team assistance can be sought.
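Point 1 above says to recognize the Permit signature fields before signing. As an added example (not code from the article or from any wallet or plugin), here is a wallet-side inspector for the EIP-712 typed data a dApp passes to eth_signTypedData_v4. It recognizes Permit2's real PermitSingle and PermitBatch message shapes (domain name "Permit2"; details with token, amount, expiration, nonce; spender; sigDeadline) and flags the properties that made the incident possible: a spender that is not one of the user's known routers, an amount equal to the uint160 maximum ("unlimited"), and a far-future expiration. The trusted-spender list, the sample requests and every address in them are constructed placeholders, not real contract addresses.

```python
MAX_UINT160 = (1 << 160) - 1   # Permit2's "unlimited" amount
MAX_UINT48 = (1 << 48) - 1     # far-future expiration sentinel
THIRTY_DAYS = 30 * 24 * 3600

# Constructed allowlist placeholder: the routers this user actually uses.
TRUSTED_SPENDERS = {"0xrouter_placeholder"}

def is_permit2_request(typed_data):
    # True when the EIP-712 payload is a Permit2 allowance signature
    domain = typed_data.get("domain", {})
    return (domain.get("name") == "Permit2"
            and typed_data.get("primaryType") in ("PermitSingle", "PermitBatch"))

def inspect_permit2(typed_data, now, trusted=TRUSTED_SPENDERS):
    # Return the risk findings a wallet should surface before the user signs
    if not is_permit2_request(typed_data):
        return {"permit2": False, "findings": [], "risk": "n/a"}
    msg = typed_data["message"]
    details = msg["details"]
    if isinstance(details, dict):          # PermitSingle: treat as a one-element batch
        details = [details]
    findings = []
    spender = str(msg["spender"]).lower()
    if spender not in {s.lower() for s in trusted}:
        findings.append(f"UNKNOWN_SPENDER:{spender}")
    for d in details:
        token = str(d["token"]).lower()
        if int(d["amount"]) == MAX_UINT160:
            findings.append(f"UNLIMITED_AMOUNT:{token}")
        expiration = int(d["expiration"])
        if expiration == MAX_UINT48 or expiration > now + THIRTY_DAYS:
            findings.append(f"LONG_EXPIRATION:{token}")
    if int(msg["sigDeadline"]) > now + THIRTY_DAYS:
        findings.append("LONG_SIG_DEADLINE")
    if any(f.startswith("UNKNOWN_SPENDER") for f in findings):
        risk = "high"      # an unknown address would gain transferFrom rights
    elif findings:
        risk = "medium"    # known spender, but the grant is broader than needed
    else:
        risk = "low"
    return {"permit2": True, "findings": findings, "risk": risk}

# Constructed samples (dict form of the eth_signTypedData_v4 JSON); all
# addresses are placeholders.
SAMPLE_NOW = 1_700_000_000
SAMPLE_PHISHING_REQUEST = {
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": "0xpermit2_placeholder"},
    "primaryType": "PermitSingle",
    "message": {
        "details": {"token": "0xusdt_placeholder", "amount": str(MAX_UINT160),
                    "expiration": str(MAX_UINT48), "nonce": "0"},
        "spender": "0xunknown_spender_placeholder",
        "sigDeadline": str(SAMPLE_NOW + 600),
    },
}
SAMPLE_SWAP_REQUEST = {
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": "0xpermit2_placeholder"},
    "primaryType": "PermitSingle",
    "message": {
        "details": {"token": "0xusdt_placeholder", "amount": "1000000000",
                    "expiration": str(SAMPLE_NOW + 1800), "nonce": "3"},
        "spender": "0xrouter_placeholder",
        "sigDeadline": str(SAMPLE_NOW + 600),
    },
}

if __name__ == "__main__":
    for name, req in (("phishing", SAMPLE_PHISHING_REQUEST), ("swap", SAMPLE_SWAP_REQUEST)):
        print(name, inspect_permit2(req, SAMPLE_NOW))
```

The inspector deliberately keys off the spender rather than the site that presented the request: a phishing page can copy a legitimate swap UI, but it cannot make its own address appear in the user's allowlist. Amount and expiration are checked per details entry so PermitBatch requests, which can grant several tokens at once, are covered as well.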

In the future, phishing based on Permit2 may increase, as this method is extremely covert and difficult to defend against. As the application scope of Permit2 expands, the number of exposed risk addresses will also increase. I hope readers can spread this article to more people after reading it, to prevent more people from suffering losses.

Comments

InfraVibesvip · 5h ago
Take a look before signing, got it?

MetaverseMigrantvip · 5h ago
Another new trick has been created. This Hacker is really talented.

RektButAlivevip · 5h ago
I am always following the latest vulnerabilities~

StablecoinEnjoyervip · 5h ago
New trap again, newbies be cautious when signing.

NftBankruptcyClubvip · 5h ago
How many fell into the trap again

P2ENotWorkingvip · 5h ago
Again, new suckers are being played for suckers.

ValidatorVikingvip · 5h ago
bloody hell, noobs never learn to verify signatures... back to basics ffs