EddieJayonCrypto

 14 Oct 24

tl;dr

Uniswap's Permit2 feature, designed to simplify token approvals, has become a common target for phishing scams in the DeFi ecosystem. A PEPE token holder lost $1.39 million worth of crypto after unknowingly signing a malicious Uniswap Permit2 transaction. The stolen assets, including PEPE, MSTR, and...

Uniswap's Permit2 feature, designed for seamless token approvals, has become a prime target for phishing scams, resulting in substantial financial losses for unwitting users.


Cybersecurity firm ScamSniffer reports a PEPE token holder losing $1.39 million worth of crypto after unknowingly signing a malicious Uniswap Permit2 transaction, adding to a series of similar attacks exploiting Permit and Permit2 vulnerabilities.


Permit2 phishing attacks involve luring users to sign off-chain signatures, granting attackers control over their tokens, with recent incidents highlighting losses of millions of dollars in assets, prompting MetaMask to enhance signature readability to mitigate such threats.


Uniswap's Permit2 feature, designed to simplify token approvals, has become a common target for phishing scams in the DeFi ecosystem. A PEPE token holder lost $1.39 million worth of crypto after unknowingly signing a malicious Uniswap Permit2 transaction. The stolen assets, including PEPE, MSTR, and APU tokens, were swiftly transferred to a new wallet. This incident is part of a growing trend of phishing attacks exploiting Uniswap's Permit and Permit2 features. Scammers lure users to sign off-chain signatures, granting them access to wallets with a single authorization. The off-chain approval process enables scammers to drain entire wallets undetected. Other recent incidents involve significant losses, prompting MetaMask to improve signature readability to help users recognize permissions.


Phishing scams and private key compromises in the crypto space have caused substantial financial damages, highlighting the pressing need for enhanced security measures. Uniswap Permit2 signing, which started as a tool to simplify token approvals, has now become a common attack vector in the DeFi ecosystem. A PEPE token holder became the latest victim of a phishing scam, losing $1.39 million worth of crypto after unknowingly signing a malicious Uniswap Permit2 transaction. According to cybersecurity firm ScamSniffer, the stolen assets, including Pepe (PEPE), Microstrategy (MSTR), and Apu (APU) tokens, were transferred to a new wallet just an hour after the victim approved the transaction. This incident adds to a series of attacks that target the vulnerabilities in Uniswap’s Permit and Permit2 features. They're intended to reduce friction in crypto transactions—to empty users’ wallets with a single signature. The victim unknowingly signed an off-chain Permit2 signature, which granted the attacker unrestricted access to their wallet, as per ScamSniffer. In under an hour, the scammer moved the stolen tokens to a new address, leaving the victim with significant losses.


Uniswap introduced Permit2 in 2022 to improve the user experience by allowing multiple tokens to be approved in one go, saving on gas fees. However, this convenience has become a double-edged sword. In a typical Permit2 phishing attack, scammers lure users into signing an off-chain signature through phishing websites or fake decentralized application (dApp) interfaces, as per a Gate.io report. The signature appears harmless, but it actually authorizes the attacker to perform two critical actions within the Permit2 contract—Permit and Transfer From—giving them control over the victim’s tokens. Once the transaction is signed, the scammer quickly moves the tokens to their own address. Because the Permit2 signature approval happens off-chain, users do not immediately see any suspicious activity on the blockchain. By the time the transaction reaches the blockchain and the tokens are transferred, the damage has already been done. This off-chain approval process is what makes Permit2 phishing attacks so dangerous, as it enables attackers to drain entire wallets with a single signature. Permit2, by default, authorizes access to the entire token balance unless the user manually sets a limit, a step many overlook. Uniswap did not immediately return a request for comment.


The Trend of Permit Phishing Scams
This attack is not an isolated case. It is part of a rising trend of phishing scams exploiting the Permit2 feature. Just this month alone there have been two other incidents involving Permit2: One investor lost 15,079 fwdETH (worth approximately $36 million) in a Permit phishing scam on Oct. 11, which followed another victim losing $2.47 million worth of Aave Ethereum sDAI in a similar phishing attack the day before. In September, things were even worse. One user lost 12,083 spWETH (valued at $32.43 million) after signing a fraudulent Permit2 signature and another saw $127,141 worth of Neiro tokens taken from their wallet because of a phishing scam using the Uniswap Permit2 approval. In response to these ongoing attacks, MetaMask has reportedly improved the readability of Permit and Permit2 signatures, making it easier for

More about MicroStrategy Incorporated

MicroStrategy Incorporated Summary

MicroStrategy Incorporated provides global business analysis software and services. The company is headquartered in Tysons Corner, Virginia.

Sector: TECHNOLOGY

Industry: SERVICES-PREPACKAGED SOFTWARE

Market Cap: 43,076,686,000

Dividend Yield: None

Beta (5Y Monthly): -1.87

EPS: 2.901

PE Ratio: -0.437

Revenue: 480,634,000

Stock Price: $201.97

1-Year Change: -0.775

1-Year Change (%): -0.074

Disclaimer

The opinions expressed by the writers at Grow My Bag are their own and do not reflect the official stance of Grow My Bag. The content provided on our site is not intended as investment advice, and Grow My Bag is not an investment advisor. We do not endorse buying or selling any cryptocurrencies or digital assets mentioned in our articles. High-risk investments in Bitcoin, cryptocurrencies, and digital assets require thorough due diligence, and all transfers and trades made are at your own risk. Grow My Bag is not responsible for any potential losses and participates in affiliate marketing.
 22 Dec 24
 22 Dec 24
 22 Dec 24