GoPlus: Beware of Permit signature phishing risks in wallet pop-ups
Original source: GoPlus
According to GoPlus security team monitoring, phishing attacks have become the main risk causing the largest losses to individual Web3 users. Attackers typically impersonate official accounts on Twitter, Telegram, email or Discord (in replies or private messages) and use airdrop claims, refunds and giveaway campaigns to lure users into clicking a phishing website link, then steal the user's authorized assets through a "Permit" signature in the wallet. Permit is an off-chain signature authorization standard defined in EIP-2612 that lets a user grant an approval without holding ETH to pay gas. It simplifies the approval flow and reduces errors or delays from manual approval, but it has also become one of the common phishing attack methods today.
What is a Permit signature?
Simply put, in the past a user had to call Approve before a contract could transfer their tokens. If the token contract supports Permit, the user can instead sign an authorization off-chain through Permit, skipping Approve and paying no gas for the authorization. After authorization, the third party holds the corresponding control rights and can transfer the user's authorized assets at any time.
Alice authorizes the protocol with an off-chain signature. The protocol calls Permit to record the authorization on-chain, and can then call TransferFrom to transfer the corresponding assets.
1. The permit signature is attached to the interaction transaction, so there is no need to approve in advance
2. The signature is produced off-chain; the on-chain operation is carried out by the authorized address, and the authorization transaction is only visible under the authorized address
3. The relevant methods must be implemented in the ERC20 token contract; tokens released before EIP-2612 are not supported
After setting up a phishing website, attackers use a Permit signature to obtain the user's authorization. A Permit signature request usually contains:
Interactive: interactive URL
Owner: Authorizing party address
Spender: Authorized party address
Value: Authorized quantity
Nonce: Random number (anti-replay)
Deadline: Expiration time
Once the user signs the Permit, the Spender can transfer assets up to the Value at any time before the Deadline.
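The fields above are what a wallet shows in its eth_signTypedData_v4 pop-up. The following added example (not code from GoPlus or any wallet) screens such a request for the warning signs the article describes; the allow-lists, addresses and the sample request are constructed for illustration.

```javascript
// Added example: screen an EIP-2612 Permit request (EIP-712 typed data as shown by a
// wallet for eth_signTypedData_v4) for unfamiliar origin, unknown spender, unlimited
// value and a far-off deadline. Allow-lists and addresses below are constructed.
const MAX_UINT256 = (1n << 256n) - 1n;
// Hypothetical allow-lists: spenders and site origins the user actually intends to trust.
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);
const KNOWN_ORIGINS = new Set(["https://app.example-dex.invalid"]);
const PERMIT_FIELDS = ["owner", "spender", "value", "nonce", "deadline"];

// Reviews one signature request. `origin` is the page that opened the wallet pop-up
// (the "Interactive" URL); `nowSec` is the current Unix time used to judge Deadline.
function reviewPermitRequest(typedData, origin, nowSec) {
  const fields = typedData.types && typedData.types.Permit;
  const isPermit = typedData.primaryType === "Permit" && Array.isArray(fields) &&
    PERMIT_FIELDS.every((n) => fields.some((f) => f.name === n));
  // A login/registration "message signature" is not a Permit and grants no allowance.
  if (!isPermit) return { isPermit: false, findings: [], verdict: "not-a-permit" };

  const msg = typedData.message;
  const spender = String(msg.spender).toLowerCase();
  const findings = [];
  if (!KNOWN_ORIGINS.has(origin)) findings.push("unfamiliar origin: " + origin);
  if (!KNOWN_SPENDERS.has(spender)) findings.push("unknown spender: " + spender);
  if (BigInt(msg.value) === MAX_UINT256) findings.push("unlimited value (2^256-1)");
  if (BigInt(msg.deadline) > BigInt(nowSec) + 7n * 24n * 3600n) {
    findings.push("deadline more than 7 days away");
  }
  // The article's rule: an unfamiliar URL asking for a Permit with Spender/Value -> reject.
  const verdict = KNOWN_ORIGINS.has(origin) && KNOWN_SPENDERS.has(spender) ? "review" : "reject";
  return { isPermit: true, findings, verdict };
}

// Constructed sample request carrying every warning sign checked above.
const SAMPLE_PERMIT = {
  types: {
    Permit: PERMIT_FIELDS.map((n) =>
      ({ name: n, type: n === "owner" || n === "spender" ? "address" : "uint256" })),
  },
  primaryType: "Permit",
  domain: { name: "Example Token", version: "1", chainId: 1,
    verifyingContract: "0x2222222222222222222222222222222222222222" },
  message: { owner: "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    spender: "0x9999999999999999999999999999999999999999",
    value: MAX_UINT256.toString(), nonce: 0, deadline: "99999999999" },
};

console.log(reviewPermitRequest(SAMPLE_PERMIT, "https://claim-airdrop.invalid", 1700000000));
```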
How to prevent Permit signature phishing attacks
1. Do not click on any unfamiliar or untrusted links, and always confirm the correct official channel information repeatedly.
2. If a website opens a wallet signature-confirmation pop-up, do not rush to click Confirm; patiently and carefully read the interacting URL and the signature contents shown above the Signature request. Generally, if the URL is unfamiliar and the Permit contains Spender and Value information, click [Reject] directly to avoid asset loss.
3. The [Message Signature] pop-up that appears when logging in or registering is a safe operation to confirm. The reference style is as follows:
This article comes from a contribution and does not represent the views of BlockBeats.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.