Permit: How can a mediocre signature deceive your assets?

Author: OneKey Chinese. Source: X, @OneKeycn

Ask yourself honestly: do you still believe that as long as you never initiate a transfer yourself, merely signing a "connect / login" message on a website cannot cost you any assets?

If you nodded, your security awareness is stuck in 2021.

According to the March 2024 phishing report published by Scam Sniffer, 90% of the assets lost to phishing were ERC-20 tokens, and the main technique was Permit / Permit2 signature phishing.

In mid-March alone this year there were four thefts averaging roughly $2M each in value, and three of them were PENDLE PT principal tokens stolen through Permit phishing.

From the victim's point of view it plays out like a horror film: one day the assets are suddenly gone, the first suspicion is a leaked private key, and only after investigation does it turn out that the cause was an inadvertent off-chain signature, by which point nothing can be done.

And all of it could have been avoided.

Permit / Permit2 in a nutshell

To save time, OneKey will not go into the "textbook" material on EIP-2612, which introduced Permit, or on Uniswap's Permit2. (That sentence alone may already be giving you a headache.)

You only need to realise that times have changed: a signature that looks perfectly innocent is no longer harmless.

Put simply, the spending authorisation of many ERC-20 tokens is now managed through an "intermediary".

In the past, you approved a token allowance to each DApp contract separately, and every approval cost gas.

Now, with Permit / Permit2 (already used by a considerable number of DApps), you only need to authorise the token once to this Permit / Permit2 "intermediary".

A DApp that integrates this technique can then request allowance from that intermediary: a simple signature (even a batch signature) authorises it, with no need to pay gas for approval after approval.

A double-edged sword

This kind of signature upgrade has clear benefits: convenience and cost savings across application operations. But it also brings hidden dangers.

The danger is that during the last bull market crypto users formed the habit of "sign to connect when logging in to a DApp", and by default treat an ordinary signature as safe and let their guard down.

What many don't realise is that if you do not distinguish the new kinds of signatures (that is, you sign blind), you will fall for phishing. This poses new challenges both for users' security awareness and for infrastructure such as wallets.

For hackers, it is a more effective "killing tool".

An attacker only needs to deploy a phishing contract, obtain a Permit-authorised signature from you, and then submit the transaction that drains your assets (they can even wait a few days until you have forgotten the matter before submitting it). Moreover, Permit2 also lets hackers take all of your authorised tokens in one batch.

For example, in a case shared recently by SlowMist founder Yu Xian (https://x.com/evilcos/status/1771338665052287307), a user signed an authorisation for the relevant tokens during staking (without paying attention to checking it); when he later withdrew the tokens to his own wallet, the attacker immediately drained the assets and the user suffered heavy losses.

From the disguise angle, phishing seems to have become simpler. They can put up an "airdrop check" site that asks you to "connect your wallet" to view the airdrop, or a tool site for some hot event / project that you "log in" to in order to meet your needs. The variations are endless. Somewhere during use you are likely to be induced to make a Permit / Permit2-type signature.

Looking ahead, as Ethereum advances account abstraction (EIP-3074 has been officially included in the next Pectra hard fork upgrade), you will even be able to delegate control of an entire address to a contract, letting that contract operate the user's wallet address directly. This will introduce new phishing risks at the same time.

That, of course, is a story for later.

How to prevent this kind of phishing? Is there a remedy?

Countless tweets and articles have covered how to prevent Permit / Permit2 phishing. Here we patiently summarise it once more; it is worth it.

1. Don't sign blindly

Just as with legally binding signatures in the real world, nobody hands out their signature casually.

Being wary of disguised phishing websites is the foundation of crypto security. Be especially careful with "login requests" from unfamiliar websites: hackers will do everything they can, using disguised buttons, to lure you into signing.

The "little fox" wallet everyone uses (MetaMask) can recognise Permit / Permit2 signatures. If the DApp you are interacting with requests a signature of this type, it is best to confirm whether you really need to authorise the tokens involved. An ordinary message signature would never pop up this special signature type.

Beyond the Permit family, there are other less common signatures, such as increaseAllowance, multi-DApp combined operations, and even 0x-related signatures, that can endanger the safety of your assets.

In short, if you do not understand the content and consequences of a signature, be cautious, especially when the wallet holds assets.
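To make the "intermediary" allowance model above and the advice not to sign blindly concrete, here is an added example (not code from the article or from OneKey): a wallet-side inspector for an EIP-712 typed-data request of the kind a DApp sends, which recognises an EIP-2612 Permit or a Permit2 PermitSingle / PermitBatch message and reports the spender, whether the amount is unlimited, and how long the permission stays valid. The trusted-spender list, the sample addresses and the timestamp are assumptions constructed for the demonstration.

```javascript
// Added example (not from the article): a wallet-side inspector for EIP-712
// typed-data requests that recognises EIP-2612 Permit and Permit2 messages.
const MAX_UINT256 = (1n << 256n) - 1n; // "unlimited" value in EIP-2612 Permit
const MAX_UINT160 = (1n << 160n) - 1n; // "unlimited" amount in Permit2
const ONE_YEAR = 365n * 24n * 3600n;

function inspectTypedData(typedData, nowSec, trustedSpenders = []) {
  const { primaryType, message } = typedData;
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const findings = [];
  const checkSpender = (s) => { if (!trusted.has(String(s).toLowerCase())) findings.push(`untrusted spender ${s}`); };
  const checkAmount = (label, v, max) => { if (BigInt(v) >= max) findings.push(`${label}: unlimited amount`); };
  const checkDeadline = (label, d) => { if (BigInt(d) > BigInt(nowSec) + ONE_YEAR) findings.push(`${label}: valid for over a year`); };

  if (primaryType === "Permit") {
    // EIP-2612 message fields: owner, spender, value, nonce, deadline
    checkSpender(message.spender);
    checkAmount("value", message.value, MAX_UINT256);
    checkDeadline("deadline", message.deadline);
    return { kind: "ERC-20 Permit (token approval by signature)", findings };
  }
  if (primaryType === "PermitSingle" || primaryType === "PermitBatch") {
    // Permit2 message fields: details {token, amount, expiration, nonce}
    // (an array for PermitBatch), spender, sigDeadline
    const details = Array.isArray(message.details) ? message.details : [message.details];
    checkSpender(message.spender);
    for (const d of details) {
      checkAmount(`token ${d.token} amount`, d.amount, MAX_UINT160);
      checkDeadline(`token ${d.token} expiration`, d.expiration);
    }
    checkDeadline("sigDeadline", message.sigDeadline);
    return { kind: `Permit2 ${primaryType} (${details.length} token allowance(s))`, findings };
  }
  return { kind: `${primaryType} (not a known allowance signature)`, findings };
}

// Constructed sample: a Permit2 request for an unlimited, long-lived allowance
// of one token to an unknown spender (addresses are placeholders).
const samplePermit2 = {
  domain: { name: "Permit2", chainId: 1 },
  primaryType: "PermitSingle",
  message: {
    details: { token: "0x1111111111111111111111111111111111111111", amount: MAX_UINT160.toString(), expiration: "281474976710655", nonce: 0 },
    spender: "0x2222222222222222222222222222222222222222",
    sigDeadline: "281474976710655",
  },
};
console.log(inspectTypedData(samplePermit2, 1700000000));
```

A real wallet would also verify the `domain` (the Permit2 contract address or the token contract) before trusting the `primaryType` label; the example focuses on the message fields a user can read in the prompt.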

2. Keep "dry" and "wet" wallets separate

If you often walk along the river, you cannot avoid getting your shoes wet.

If you like to "ignore the risk warning" on small websites, or genuinely need to carry out "high-risk behaviour", then isolate your assets properly.

Do not keep large amounts in the small wallets you use for frequent interaction. A rough analogy: when you go out shopping you certainly do not carry your whole fortune with you; you only put a little pocket money in your wallet.

And periodically tidy up your assets, switch to fresh wallets, and revoke authorisations and signatures, to reduce your risk exposure as much as possible.

For wallets that hold large amounts, do not "connect" to websites casually. Or simply keep them in a hardware wallet and transfer out only what is needed for interaction. That too is a way to prevent phishing.

3. Check your authorisations

Unless you are a high-frequency user, when you first authorise Permit / Permit2 for a token it is recommended to authorise on demand: approve only as much as you use, rather than the default maximum (unlimited) amount.

Those who have already granted Permit / Permit2 an unlimited allowance also have a remedy. You can check your token authorisation exposure at http://revoke.cash, where you will clearly see how much of each token is authorised to Permit / Permit2.

The tool also supports revoking signatures: you can find the signature and cancel it (before the hacker activates it to steal your assets).

Note that Permit-type signatures are off-chain signatures: until they are used, they leave no trace on the chain (hackers usually store the harvested signatures on their own servers).

Regularly checking authorisations and signatures with such tools is a good habit.

Conclusion

If you are unfortunate enough to fall victim, seek help from a professional security team such as SlowMist promptly, move your remaining assets in time, and minimise the loss, even using technical means to rescue assets.

Note that this kind of signature phishing has become professionalised and industrialised, with a clear division of labour. If the assets have already been transferred and laundered by a professional Drainer team, there is a high probability they cannot be recovered! Prevention beforehand is therefore essential, so as to leave them no opportunity at all.
