New Permit2 signature phishing scam: DEX users must stay alert to the risk of asset theft
Unveiling the Uniswap Permit2 signature phishing scam
Hackers are a terrifying presence in the Web3 ecosystem. For project teams, the open-source nature of the code makes them tread carefully during development, fearing that a single line of code could leave a vulnerability. For individual users, if they do not understand the meaning of the ongoing operations, every on-chain interaction or signature could lead to asset theft. Therefore, security issues have always been one of the most challenging problems in the crypto world. Due to the characteristics of blockchain, once assets are stolen, they are almost impossible to recover, making it particularly important to master security knowledge in the crypto world.
Recently, researchers have discovered a new phishing technique that has become active in the past two months. A single signature from the victim is enough for their assets to be stolen. The method is extremely covert and difficult to defend against, and any address that has interacted with a certain DEX may be exposed to the risk. This article analyzes this signature phishing technique so that fewer users suffer asset losses.
Incident details
Recently, a user, referred to here as Xiao A, had their wallet assets stolen. Unlike common theft methods, Xiao A neither leaked their private key nor interacted with a phishing website's contract.
The blockchain explorer shows that the USDT stolen from Wallet A was moved out using the TransferFrom function. This means the stolen assets were transferred by another address, rather than through a leak of the wallet's private key.
The transaction details raise the key question: how did the address ending in fd51 obtain permission over this asset, and why is a certain DEX involved?
Further investigation revealed that before transferring Xiao A's assets, the address also performed a Permit operation, and both operations interacted with a Permit2 contract of a certain DEX.
![Signature gets stolen? Unveiling the Uniswap Permit2 signature phishing scam](https://img-cdn.gateio.im/webp-social/moments-0cc586809f131d9dfab81df33fd1835e.webp)
The Permit2 contract is a new contract launched by a certain DEX at the end of 2022. It allows token authorization to be shared and managed across different applications, aiming to create a more unified, cost-effective, and secure user experience. As more and more projects integrate with Permit2, it is expected to standardize token approval across all applications, improve user experience by reducing transaction costs, and enhance the security of smart contracts.
The launch of Permit2 could change the game for the entire DApp ecosystem. In the traditional way, users need to authorize separately for each asset interaction with a DApp. With Permit2, users only need to authorize the token to the Permit2 contract, and all DApps integrated with Permit2 can share this authorization limit, greatly reducing the user's interaction costs and providing a better experience.
However, Permit2 is also a double-edged sword. It shifts user operations from on-chain interactions to off-chain signatures, with all on-chain operations completed by intermediary roles such as the Permit2 contract and the projects integrated with it. The benefit is that even if the user's wallet holds no ETH, they can pay for gas with other tokens or have it reimbursed by the intermediary. But off-chain signatures are also the part most easily overlooked by users: most people do not carefully check the signature content, and that is precisely where the danger lies.
Reproducing the phishing technique
To reproduce this Permit2 signature phishing technique, the wallet being phished must first have granted token authorization to a DEX's Permit2 contract. Currently, any swap performed on a DApp integrated with Permit2, or on a certain DEX itself, requires authorization to the Permit2 contract.
What is even more worrying is that, regardless of the amount swapped, a certain DEX's Permit2 flow authorizes the user's entire balance of that token. Although the wallet will prompt for a custom amount, most people simply choose the maximum or default value, and the default value for Permit2 is an unlimited amount.
This means that if you have interacted with a certain DEX and authorized the Permit2 contract since 2023, you may be exposed to the risk of this phishing scam.
The core of the technique is the Permit function. In short, it allows the token allowance that the user's wallet granted to the Permit2 contract to be transferred to other addresses. Once hackers obtain the user's signature, they gain access to the token permissions in the user's wallet and can transfer the assets.
![Signature stolen? Unveiling the Uniswap Permit2 signature phishing scam](https://img-cdn.gateio.im/webp-social/moments-bb348691082594ecc577f91d7f9dc800.webp)
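The allowance path described above, as an added example that is not part of the original article: a toy model of the two allowance layers involved (the ERC-20 approval the user gave to the Permit2 contract, and the per-spender allowance that a signed permit creates inside Permit2). It shows why a standing unlimited ERC-20 approval plus one signature is enough to move a whole balance, and why limiting or revoking that approval stops the transfer even if a signature has been given. The `Token` and `Permit2` classes, the address strings and the balances are constructed stand-ins, and signature verification is reduced to a boolean.

```python
# Added illustration (not the project's code): a minimal model of the allowance
# layers a Permit2 transfer passes through. All names and values are constructed.

MAX_UINT160 = (1 << 160) - 1   # Permit2 treats this amount as "unlimited"


class Token:
    """Toy ERC-20: balances plus the classic (owner, spender) -> amount allowance map."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def approve(self, owner, spender, amount):
        # What the user signs on-chain once, e.g. before their first swap.
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        allowed = self.allowance.get((owner, caller), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            return False
        self.allowance[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


class Permit2:
    """Toy Permit2: per-(owner, spender) allowances created by signed permits."""

    def __init__(self, token, own_address="permit2"):
        self.token = token
        self.own_address = own_address
        self.allowance = {}
        self.used_nonces = set()

    def permit(self, owner, spender, amount, nonce, signature_valid):
        # The real contract checks an EIP-712 signature over these fields and
        # rejects a reused nonce; here validity is supplied by the caller.
        if not signature_valid or (owner, nonce) in self.used_nonces:
            return False
        self.used_nonces.add((owner, nonce))
        self.allowance[(owner, spender)] = amount
        return True

    def transfer_from(self, caller, owner, to, amount):
        allowed = self.allowance.get((owner, caller), 0)
        if allowed < amount:
            return False
        # Permit2 spends the owner's ERC-20 approval *to Permit2 itself*.
        moved = self.token.transfer_from(self.own_address, owner, to, amount)
        if moved and allowed != MAX_UINT160:      # unlimited allowances are not decremented
            self.allowance[(owner, caller)] = allowed - amount
        return moved


def scenario(erc20_approval, signature_given):
    """Return (transfer_succeeded, user_balance_after) for one combination of
    standing ERC-20 approval to Permit2 and whether a permit signature was obtained."""
    token = Token({"user": 1000})
    permit2 = Permit2(token)
    token.approve("user", permit2.own_address, erc20_approval)
    permit2.permit("user", "spender_x", MAX_UINT160, nonce=0,
                   signature_valid=signature_given)
    moved = permit2.transfer_from("spender_x", "user", "spender_x", 1000)
    return moved, token.balances["user"]


if __name__ == "__main__":
    print("unlimited approval + signature:", scenario(MAX_UINT160, True))   # (True, 0)
    print("unlimited approval, no signature:", scenario(MAX_UINT160, False))
    print("approval limited to 50 + signature:", scenario(50, True))
    print("approval revoked + signature:", scenario(0, True))
```

The last two cases are the point of the article's advice to limit or cancel the approval: the permit signature alone creates an allowance inside Permit2, but the transfer still has to pass through the ERC-20 approval the user gave to the Permit2 contract, so shrinking or revoking that approval caps what a phished signature can move.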
Preventive measures
Considering that the Permit2 contract may become more widely adopted in the future, and more projects will integrate it for authorization sharing, effective preventive measures include:
Understand and identify the signature content: The Permit signature usually contains key information such as Owner, Spender, value, nonce, and deadline. Using a secure plugin helps with identification.
Separation of asset wallet and interactive wallet: It is recommended to store a large amount of assets in cold wallets, while keeping only a small amount of funds in the daily interactive wallet, which can significantly reduce losses when encountering phishing.
Limit authorization amount or cancel authorization: When swapping on DEX, only authorize the amount needed for the interaction. Although reauthorizing each time will increase costs, it can avoid the risk of Permit2 signature phishing. Authorized amounts can be canceled using a security plugin.
Identify whether the token supports the permit function: Pay attention to whether the tokens you hold support this function, and if they do, exercise extra caution and carefully check each unknown signature.
Develop a comprehensive asset rescue plan: If tokens remain on other platforms after being scammed, take caution when withdrawing and transferring them to a secure address. It may be necessary to use MEV transfers or seek assistance from a professional security team to prevent interception by hackers.
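The first measure above asks users to read the signature content before approving it. As an added example that is not from the original article, the following checker takes an EIP-712 typed-data request in the layout a wallet receives through `eth_signTypedData_v4` and flags the fields that matter for a Permit2 permit: an unrecognised spender, an unlimited amount, and an allowance or signature deadline that stays valid for a long time. The `PermitSingle` / `PermitDetails` field names and the Permit2 contract address are the public ones; the trusted-spender list, the sample requests and the fixed clock value are constructed for the example.

```python
# Added example (not from the original article): inspect a Permit2 signature
# request before signing it. Sample requests below are constructed.
import time

PERMIT2_ADDRESS = "0x000000000022d473030f116ddee9f6b43ac78ba3"  # canonical Permit2 deployment
MAX_UINT160 = (1 << 160) - 1
SEVEN_DAYS = 7 * 24 * 3600


def inspect_permit_request(typed_data, trusted_spenders, now=None):
    """Return a list of warnings for a Permit2 PermitSingle/PermitBatch request.
    An empty list means no field looked unusual; it is not proof of safety."""
    now = int(time.time()) if now is None else now
    domain = typed_data.get("domain", {})
    primary = typed_data.get("primaryType")
    if (domain.get("name") != "Permit2"
            or domain.get("verifyingContract", "").lower() != PERMIT2_ADDRESS
            or primary not in ("PermitSingle", "PermitBatch")):
        return []  # not a Permit2 permit; outside this checker's scope

    msg = typed_data["message"]
    details = msg["details"]
    details_list = details if isinstance(details, list) else [details]
    findings = []

    spender = msg["spender"].lower()
    if spender not in {s.lower() for s in trusted_spenders}:
        findings.append(f"spender {spender} is not a known protocol router")

    for d in details_list:
        token = d["token"]
        if int(d["amount"]) == MAX_UINT160:
            findings.append(f"unlimited allowance requested for token {token}")
        remaining = int(d["expiration"]) - now
        if remaining > SEVEN_DAYS:
            findings.append(f"allowance for {token} stays valid for {remaining // 86400} days")

    if int(msg["sigDeadline"]) - now > SEVEN_DAYS:
        findings.append("signature itself remains usable for more than 7 days")
    return findings


# --- constructed sample data -------------------------------------------------
FIXED_NOW = 1_700_000_000
TRUSTED_SPENDERS = ["0x1111111111111111111111111111111111111111"]  # placeholder router
USDT_PLACEHOLDER = "0x2222222222222222222222222222222222222222"


def _request(spender, amount, expiration, sig_deadline):
    return {
        "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2_ADDRESS},
        "primaryType": "PermitSingle",
        "message": {
            "details": {"token": USDT_PLACEHOLDER, "amount": str(amount),
                        "expiration": str(expiration), "nonce": "0"},
            "spender": spender,
            "sigDeadline": str(sig_deadline),
        },
    }


# Looks like the incident in the article: unknown spender, whole balance, no real expiry.
SUSPICIOUS_REQUEST = _request("0x3333333333333333333333333333333333333333",
                              MAX_UINT160, (1 << 48) - 1, FIXED_NOW + 365 * 86400)
# Looks like a scoped swap: known router, exact amount, 30-minute window.
SCOPED_REQUEST = _request(TRUSTED_SPENDERS[0], 1_000_000_000,
                          FIXED_NOW + 1800, FIXED_NOW + 1800)

if __name__ == "__main__":
    for name, req in (("suspicious", SUSPICIOUS_REQUEST), ("scoped", SCOPED_REQUEST)):
        print(name, inspect_permit_request(req, TRUSTED_SPENDERS, now=FIXED_NOW))
```

The unlimited-amount warning will also fire on a legitimate DEX front end that defaults to the maximum, which is exactly the situation the article warns about: the right response is to lower the amount in the wallet prompt, not to dismiss the warning.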
In the future, phishing based on Permit2 may become increasingly common. This type of signature phishing is extremely covert and difficult to prevent. As the application scope of Permit2 expands, the number of exposed risk addresses will also increase. I hope readers can spread this information to more people to prevent more individuals from suffering losses.
![Signature stolen? Unveiling the Uniswap Permit2 signature phishing scam](https://img-cdn.gateio.im/webp-social/moments-30520c8399a6ee69aa22424476c5870c.webp)