Bitget App
Trade smarter
Buy cryptoMarketsTradeFuturesCopyBotsEarn
GoPlus: Beware of Permit signature phishing risks in wallet pop-ups

GoPlus: Beware of Permit signature phishing risks in wallet pop-ups

BlockBeats-Article2024/04/02 09:54
By:BlockBeats-Article
Original source: GoPlus


According to GoPlus security team monitoring, phishing attacks have become the main risk causing the most losses to individual Web3 users. Usually attackers imitate official Users on Twitter, Telegram, email, Discord replies or private messages use Claim airdrops, refunds, and welfare activities to lure users to click on phishing website links, and then steal the user's authorized assets through "Permit" signatures in the wallet. This is an offline signature authorization standard that adopts EIP-2612, allowing users to approve without owning Eth to pay Gas fees. It can simplify the user's approval process and reduce the risk of errors or delays caused by manual approval processes, but it also becomes The current common methods of phishing attacks.


What is a Permit signature?


To put it simply, in the past we needed Approve before we could sign the signature. Transfer coins to other contracts, but if the contract supports Permit, you can sign offline through Permit, skip Approve and do not need to pay gas for authorization. After authorization, the third party has the corresponding control rights and can transfer the user-authorized funds at any time. assets.


Alice uses off-chain signature to authorize the protocol. The protocol calls Permit to get the authorization on the chain, and then can call TransferFrom to transfer the corresponding assets.


GoPlus: Beware of Permit signature phishing risks in wallet pop-ups image 0


1. Attach a permit signature to the transaction for interaction, no need to approve in advance

2. Off-chain signature, on-chain operations are operated by authorized addresses and can only be performed at authorized addresses View authorized transactions

3. Relevant methods are required to be written into the ERC20 token contract. Tokens released before EIP-2612 are not supported


After phishing attackers forge a phishing website, they will use the Permit signature to obtain user authorization. The Permit signature usually contains:


Interactive: interactive URL

Owner: Authorizing party address

Spender: Authorized party address

Value: Authorized quantity

Nonce: Random number (anti-replay)

Deadline: Expiration time

GoPlus: Beware of Permit signature phishing risks in wallet pop-ups image 1


Once the user signs the Permit signature, the Spender can transfer the corresponding Value's assets within the Deadline.


How to prevent Permit signature phishing attacks


1. Do not click on any unfamiliar or untrusted links, and always confirm the correct official channel information repeatedly.


2. If you open any website and wake up the wallet signature confirmation pop-up window, do not rush to click Confirm, patiently and carefully read the interactive URL and signature content that appear above the Singnature request. Generally, if an unfamiliar URL and Permit contain Spender and Value's Permit information, directly click [Reject] to avoid asset loss.


GoPlus: Beware of Permit signature phishing risks in wallet pop-ups image 2


3. The [Message Signature] pop-up window that is awakened when logging in or registering is a safe and clickable confirmation operation. The reference style is as follows:


GoPlus: Beware of Permit signature phishing risks in wallet pop-ups image 3


This article comes from a contribution and does not represent the views of BlockBeats.

0

Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.

PoolX: Locked for new tokens.
APR up to 10%. Always on, always get airdrop.
Lock now!