GoPlus: Beware of Permit signature phishing risks in wallet pop-ups
Original source: GoPlus
According to GoPlus security team monitoring, phishing attacks have become the main risk causing the largest losses to individual Web3 users. Attackers usually impersonate official accounts on Twitter, Telegram, email, or in Discord replies and private messages, and use airdrop claims, refunds and giveaway campaigns to lure users into clicking phishing website links; they then steal the user's authorized assets through a "Permit" signature in the wallet. Permit is an offline signature authorization standard defined in EIP-2612 that lets users grant an approval without holding ETH to pay gas fees. It simplifies the user's approval flow and reduces the risk of errors or delays caused by manual approvals, but it has also become one of the most common phishing techniques today.
What is a Permit signature?
To put it simply, in the past we had to call Approve before a contract could transfer our tokens. If the token contract supports Permit, the user can instead sign offline through Permit, skipping Approve and paying no gas for the authorization. Once authorized, the third party holds the corresponding allowance and can transfer the user-authorized assets at any time.
Alice authorizes the protocol with an off-chain signature. The protocol calls Permit to put the authorization on-chain, and can then call TransferFrom to move the corresponding assets.
1. The Permit signature is attached to the interaction transaction, so no Approve is needed in advance.
2. The signature is produced off-chain; the on-chain operation is submitted by the authorized address, so the authorization only shows up among the authorized address's transactions, not the user's own.
3. The relevant methods must be implemented in the ERC20 token contract; tokens issued before EIP-2612 are not supported.
After setting up a phishing website, attackers use a Permit signature to obtain the user's authorization. A Permit signature request usually contains:
Interactive: the URL of the site requesting the signature
Owner: Authorizing party address
Spender: Authorized party address
Value: Authorized quantity
Nonce: Random number (anti-replay)
Deadline: Expiration time
Once the user signs the Permit signature, the Spender can transfer the corresponding Value's assets within the Deadline.
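The fields above are what a wallet displays for an EIP-712 typed-data (eth_signTypedData_v4) request, which means the Spender and Value checks this article recommends can be written down as code. The following Python script is an added example, not GoPlus code: it builds a constructed Permit payload with placeholder addresses and token name, flags an unrecognised spender, an unlimited value and a deadline far in the future, and returns no flags for a non-Permit payload such as a login message.

```python
import json
import time

UINT256_MAX = 2**256 - 1
ONE_YEAR = 365 * 24 * 3600
PERMIT_TYPES = {
    "EIP712Domain": [{"name": "name", "type": "string"},
                     {"name": "verifyingContract", "type": "address"}],
    "Permit": [{"name": "owner", "type": "address"},
               {"name": "spender", "type": "address"},
               {"name": "value", "type": "uint256"},
               {"name": "nonce", "type": "uint256"},
               {"name": "deadline", "type": "uint256"}],
}


def make_permit(spender, value, deadline, owner="0x" + "aa" * 20):
    """Build a constructed eth_signTypedData_v4 payload shaped like the
    EIP-2612 Permit a wallet pop-up shows (all addresses are placeholders)."""
    return json.dumps({
        "types": PERMIT_TYPES,
        "primaryType": "Permit",
        "domain": {"name": "Example Token", "verifyingContract": "0x" + "11" * 20},
        "message": {"owner": owner, "spender": spender, "value": str(value),
                    "nonce": "0", "deadline": str(deadline)},
    })


# Constructed phishing-style request: unknown spender, unlimited value and a
# deadline so far out that the allowance effectively never expires.
PHISHING_PERMIT = make_permit("0x" + "bb" * 20, UINT256_MAX, 2**48)


def assess_permit_request(raw_json, known_spenders, now=None):
    """Return the red flags found in a typed-data request. Non-Permit payloads
    (a plain login message has no Spender or Value) and clean Permits give []."""
    data = json.loads(raw_json)
    if data.get("primaryType") != "Permit":
        return []
    now = int(time.time()) if now is None else now
    msg = data["message"]
    flags = []
    if msg["spender"].lower() not in {s.lower() for s in known_spenders}:
        flags.append(f"spender {msg['spender']} is not a contract you recognise")
    if int(msg["value"]) == UINT256_MAX:
        flags.append("value is the uint256 maximum: unlimited allowance")
    if int(msg["deadline"]) - now > ONE_YEAR:
        flags.append("deadline is more than a year away")
    return flags
```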
How to prevent Permit signature phishing attacks
1. Do not click on any unfamiliar or untrusted links, and always double-check information against the correct official channels.
2. If a website you open triggers the wallet's signature confirmation pop-up, do not rush to click Confirm. Patiently and carefully read the interacting URL and the signature content shown above the Signature request. Generally, if the URL is unfamiliar and the Permit content contains Spender and Value fields, click [Reject] directly to avoid asset loss.
3. The [Message Signature] pop-up shown when logging in or registering is a safe confirmation to click. The reference style is as follows:
This article comes from a contribution and does not represent the views of BlockBeats.