iron (💙,🧡)








Beware of Permit Signature Phishing Risks in Wallet Popup Windows

Phishing attacks have emerged as a significant risk for individual Web3 users, with attackers often impersonating official Twitter accounts, Telegram, email, Discord replies, or private messages. They entice users with promises of claiming airdrops, refunds, or bonus activities, leading them to click on phishing website links. Subsequently, attackers steal authorized assets from wallets through "Permit" signatures. This method utilizes the EIP-2612 offline signature authorization standard, enabling users to approve transactions without possessing ETH to cover gas fees. While this simplifies the approval process and mitigates the risk of errors or delays from manual approvals, it has also become a prevalent tactic in current phishing attacks.

About Permit Signatures

Previously, users needed to "Approve" transactions before transferring tokens to other contracts. However, if a contract supports "Permit," authorization can be conducted offline through Permit signatures, bypassing the "Approve" step and without incurring gas fees. This grants third parties corresponding control over authorized assets, allowing them to transfer assets at their discretion.

For instance, Alice uses an off-chain signature to authorize the protocol. The protocol then submits the Permit transaction to the blockchain to obtain authorization. Subsequently, it can invoke the TransferFrom function to transfer the corresponding assets.

1. Add a permit signature to the transaction for interaction, without the need for pre-approval.
2. Off-chain signatures and on-chain operations are executed by the authorized address, and only authorized transactions are visible at the designated address.
3. It is mandatory to include the relevant methods in the ERC20 token contract. Tokens released before EIP-2612 are not compatible.

Phishing attackers create phishing websites and utilize Permit signatures to obtain user authorization. The Permit signature typically includes:

Interactive: URL
Owner: Authorizing party address
Spender: Authorized party address
Value: Authorized quantity
Nonce: Random number (anti-replay)
Deadline: Expiration time

Once a user signs the Permit signature, the Spender can transfer the corresponding Value of assets before the deadline.

Preventing Permit Signature Phishing Attacks:

1. Exercise caution when encountering unfamiliar or untrusted links. Always verify information from official channels before proceeding.
2. When prompted with a wallet signature confirmation pop-up upon visiting a website, refrain from hastily confirming. Carefully review the URL and signature content displayed above the Signature Request. If unfamiliar URLs or Permit information containing Spender and Value are present, clicking "Reject" can prevent asset loss.
3. Only confirm message signature pop-ups that appear during login or registration, as they are secure. These pop-ups typically display the following style:
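As an added example (not part of the original post, and not any wallet's real code), the following JavaScript shows how the fields listed above can be checked mechanically before a user clicks Confirm: it takes a typed-data object in the shape a site passes to eth_signTypedData_v4, recognises the EIP-2612 Permit type by its owner/spender/value/nonce/deadline fields, and flags an unknown spender, an effectively unlimited value, and a far-off deadline. The spender allowlist, the 30-day deadline threshold, the sample origins and all contract and account addresses are assumptions and placeholders, not real addresses.

```javascript
// Added example: client-side triage of an EIP-712 signature request
// (eth_signTypedData_v4). Not code from the original post; all addresses,
// origins and thresholds below are placeholders / assumptions.

const MAX_UINT256 = (1n << 256n) - 1n;
const DAY = 86400n;

// Hypothetical: spender contracts this wallet has knowingly approved before.
const KNOWN_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

const PERMIT_FIELDS = ["owner", "spender", "value", "nonce", "deadline"];

// True when the typed data has the EIP-2612 Permit shape: primaryType "Permit"
// whose struct carries owner, spender, value, nonce and deadline.
function isEip2612Permit(typedData) {
  if (typedData.primaryType !== "Permit") return false;
  const fields = (typedData.types && typedData.types.Permit) || [];
  const names = fields.map((f) => f.name);
  return PERMIT_FIELDS.every((n) => names.includes(n));
}

// Triage one signature request. `origin` is the page that asked (the
// "Interactive: URL" line in the popup), `now` is Unix time in seconds as a
// BigInt. Returns { kind, risk, reasons, summary }.
function triageSignRequest(origin, typedData, now) {
  if (!isEip2612Permit(typedData)) {
    return {
      kind: "message",
      risk: "low",
      reasons: ["not an EIP-2612 Permit; still read the content for other allowance types"],
      summary: `${origin} asks for a signature of type ${typedData.primaryType}`,
    };
  }
  const m = typedData.message;
  const spender = String(m.spender).toLowerCase();
  const value = BigInt(m.value);
  const deadline = BigInt(m.deadline);
  const reasons = [];

  if (!KNOWN_SPENDERS.has(spender)) {
    reasons.push(`spender ${spender} has never been approved from this wallet`);
  }
  // Phishing kits ask for the whole balance; a real flow asks for what it needs.
  if (value >= MAX_UINT256 / 2n) {
    reasons.push("value is effectively unlimited");
  }
  // The signature stays redeemable until `deadline`; attackers push it far out
  // so they can call permit() + transferFrom() whenever they like.
  if (deadline > now + 30n * DAY) {
    reasons.push("deadline is more than 30 days away");
  }

  const risk = reasons.length >= 2 ? "high" : reasons.length === 1 ? "medium" : "low";
  return {
    kind: "permit",
    risk,
    reasons,
    summary:
      `${origin} asks you to let ${spender} spend ${value} of token ` +
      `${typedData.domain.verifyingContract} until ${deadline}`,
  };
}

// ---- Constructed samples (placeholder addresses, not real contracts) ----
const TOKEN = "0x0000000000000000000000000000000000000001";
const OWNER = "0x00000000000000000000000000000000000000aa";
const NOW = 1700000000n;
const domainType = [
  { name: "name", type: "string" }, { name: "version", type: "string" },
  { name: "chainId", type: "uint256" }, { name: "verifyingContract", type: "address" },
];
const permitTypes = {
  EIP712Domain: domainType,
  Permit: [
    { name: "owner", type: "address" }, { name: "spender", type: "address" },
    { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" },
    { name: "deadline", type: "uint256" },
  ],
};

// What a phishing page sends: unknown spender, unlimited value, far-off deadline.
const PHISHING_PERMIT = {
  domain: { name: "Token", version: "1", chainId: 1, verifyingContract: TOKEN },
  primaryType: "Permit",
  types: permitTypes,
  message: {
    owner: OWNER,
    spender: "0x2222222222222222222222222222222222222222",
    value: MAX_UINT256.toString(),
    nonce: "0",
    deadline: MAX_UINT256.toString(),
  },
};

// What a legitimate dapp sends: a known spender, a bounded value, a short deadline.
const LEGIT_PERMIT = {
  ...PHISHING_PERMIT,
  message: {
    owner: OWNER,
    spender: "0x1111111111111111111111111111111111111111",
    value: "1000000",
    nonce: "0",
    deadline: (NOW + 1800n).toString(),
  },
};

// A plain login challenge: no Permit struct at all.
const LOGIN_MESSAGE = {
  domain: { name: "Example Login", version: "1", chainId: 1 },
  primaryType: "Login",
  types: {
    EIP712Domain: domainType,
    Login: [{ name: "statement", type: "string" }, { name: "nonce", type: "string" }],
  },
  message: { statement: "Sign in to example.test", nonce: "abc123" },
};

console.log(triageSignRequest("https://claim-airdrop.example", PHISHING_PERMIT, NOW));
console.log(triageSignRequest("https://dex.example", LEGIT_PERMIT, NOW));
console.log(triageSignRequest("https://login.example", LOGIN_MESSAGE, NOW));
```

The check only sees what is in the request: it cannot tell whether the nonce matches the on-chain one, whether the verifyingContract is really the token the site claims, or whether a "low" login message is benign, so the summary line is printed for the user to compare against the URL in the popup rather than being treated as a verdict on its own.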






Brothers, farm this one: TrendX is convenient and easy to use, and it has an airdrop too! TrendX @TrendX_official, backed by $6 million in investment from Frontier Research, Coresky, Tido Capital and Bullperks, is a one-stop AI-driven Web3 trend-tracking and smart-trading platform. I personally highly recommend using TrendX to scout projects, find hot spots, watch trends, look at primary-market investments and secondary-market trading, and so on. Not only is it convenient and easy to use, there is also an announced airdrop of 4% of the tokens, so you have to get in on it! app.trendx.tech/?ic=Y737M2

🛸 Optopia Voyage continues its journey with the launch of Wisdom Vault! Dive into the depths of #Optopia and unlock greater Optopia points as you learn and master the framework of $OPAI, the heart of Optopia's #AI ecosystem. #Layer2 Start your adventure now: optopia.ai/voyage 🚀 A thread🧵






