What a $440,000 Hack Reveals About the Growing Danger of Ethereum Permit Scams

Simply put

  • Holders of USDC lost upwards of $440,000 after unknowingly authorizing malicious “permit” transactions.
  • Phishing attacks labeled as “permit” resulted in significant individual cryptocurrency losses in November.
  • Experts caution that scammers exploit human mistakes, making recovery virtually impossible.

Hackers made off with more than $440,000 in USDC after the wallet owner inadvertently signed a malicious “permit” request, according to a recent report highlighted in a tweet by Scam Sniffer.

The theft coincided with a rise in phishing activity that month. More than 6,000 individuals lost over $7.77 million in November, according to Scam Sniffer. This marks a staggering 137% increase in losses compared to October, even with a 42% drop in the number of victims.

“Whaling has become more prevalent, with peak losses reaching $1.22 million via permit signatures. While attacks may be fewer, the individual losses have surged,” remarked the company.

What is permit fraud?

Permit-based fraud typically involves tricking users into signing transactions that seem valid but quietly hand control of their tokens to the attacker. Malicious dApps can mimic fields, falsify contract names, and disguise signature requests as routine interactions.

If users don’t scrutinize the details before signing, they essentially allow attackers access to all their ERC-20 tokens. Most scammers drain the funds immediately once granted permission.

Ethereum’s permit function, the feature being abused here, is meant to simplify token transfers by letting users authorize trusted apps to access their tokens. When that access is granted to a malicious entity, however, convenience turns into a liability.

“What complicates this form of attack is that an attacker can either hijack tokens instantly (a smash-and-grab method), or grant themselves access and wait for further funds to arrive, if they set distant access deadlines,” explained Tara Anison from Twin Stake.

“The efficacy of this fraud hinges on people signing off on transactions they don’t fully understand,” she continued. “It exploits human weaknesses and takes advantage of their eagerness.”

Anison noted the incident isn’t unique: “There are numerous high-value phishing scams out there aimed at deceiving users into giving consent they don’t comprehend, often masking themselves as free airdrops or fake project sites.” She also suggested checking for fraudulent alerts that might indicate compromise.

How to protect yourself

Wallet providers are enhancing protective features. For instance, MetaMask warns users when a site appears dubious and attempts to translate transaction data into understandable terms. Other wallets have begun highlighting risky transactions. However, scammers continue to adjust their tactics.

Harry Donnelly, CEO of Circuit, pointed out to Decryption that permission-based attacks are “fairly common” and advised users to verify source addresses and contract details.

“The best way to ensure safety is to recognize if the protocols align with where you intend to send funds, as discrepancies likely point to an attempted theft,” he added. “Users often approve significant amounts of funds indiscriminately.”

Anison stressed that staying alert is key for users. “The foremost method to guard against permit, approveAll, and transferFrom scams is to be fully aware of what you’re signing. What actual actions will the transaction execute? Are the features consistent with your expectations?”
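The checks Anison describes can be applied to the actual data a wallet asks you to sign. The following is an added example, not code from the article or from any wallet or company it quotes: it inspects an EIP-712 “Permit” request of the EIP-2612 shape (the object behind an `eth_signTypedData_v4` prompt) and lists the red flags discussed above: a spender you did not choose, an unlimited allowance, and a distant or never-expiring deadline. The spender allowlist and all addresses are constructed for illustration.

```javascript
const MAX_UINT256 = (1n << 256n) - 1n;
const THIRTY_DAYS = 30n * 24n * 60n * 60n;

// Constructed allowlist: spender contracts the user deliberately chose to use.
const TRUSTED_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// typedData: the object behind an eth_signTypedData_v4 prompt (domain, primaryType, message).
// Returns an array of warning strings; an empty array means no red flag was found.
function assessPermitRequest(typedData, nowSeconds, trusted = TRUSTED_SPENDERS) {
  if (typedData.primaryType !== "Permit") {
    return [`not a Permit request (primaryType=${typedData.primaryType})`];
  }
  const msg = typedData.message;
  const warnings = [];
  const spender = String(msg.spender).toLowerCase();
  if (!trusted.has(spender)) {
    warnings.push(`spender ${spender} is not a contract you chose to interact with`);
  }
  if (BigInt(msg.value) === MAX_UINT256) {
    warnings.push("allowance is unlimited: the spender can move every token of this type you hold");
  }
  const deadline = BigInt(msg.deadline);
  const remaining = deadline - BigInt(nowSeconds);
  if (deadline === MAX_UINT256) {
    warnings.push("deadline never expires: the signature stays usable indefinitely");
  } else if (remaining > THIRTY_DAYS) {
    warnings.push(`deadline is ${remaining / 86400n} days away: a distant deadline lets an attacker wait for more funds`);
  }
  return warnings;
}

// Constructed sample of a malicious prompt: unknown spender, unlimited value, no expiry.
const MALICIOUS_PERMIT = {
  domain: { name: "USD Coin", version: "2", chainId: 1,
            verifyingContract: "0x2222222222222222222222222222222222222222" },
  primaryType: "Permit",
  message: { owner: "0x3333333333333333333333333333333333333333",
             spender: "0x4444444444444444444444444444444444444444",
             value: MAX_UINT256.toString(), nonce: 0, deadline: MAX_UINT256.toString() },
};

// Constructed benign prompt: chosen spender, 1,000 USDC (6 decimals), 30-minute deadline.
function benignPermit(nowSeconds) {
  return { ...MALICIOUS_PERMIT, message: { ...MALICIOUS_PERMIT.message,
    spender: "0x1111111111111111111111111111111111111111",
    value: "1000000000", deadline: String(nowSeconds + 1800) } };
}

console.log(assessPermitRequest(MALICIOUS_PERMIT, Math.floor(Date.now() / 1000)));
```

The malicious sample produces three warnings and the benign one none; the same check can be extended with the token contract (`domain.verifyingContract`) and chain ID you expect.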

Many wallets and dApps are indeed upgrading their user interfaces to help users understand the implications of their signatures and to show warnings about high-risk functionalities being requested. However, the onus is on users to verify what they’re approving instead of just connecting and signing off mindlessly.

Once funds are stolen, recovery is nearly impossible. Martin Derka from Zircuit Finance mentioned that the possibility of reclaiming lost money is “essentially zero.”

In a phishing scenario, the attackers are focused solely on stealing funds—there’s no negotiation or chance to make contact, and the victim usually lacks knowledge of the culprit’s identity.

“These attackers operate in mass numbers,” DeLuca added, emphasizing, “Once the funds are gone, they’re gone. Recovery is virtually impossible.”
