Halo | halo.social

Permit2 signature phishing


Last updated 1 year ago

Permit2 is a token-approval smart contract built by Uniswap. It lets a user grant one on-chain allowance to Permit2 and then authorize individual protocols with off-chain signatures, so approval and contract interaction collapse into a single step. The same convenience creates a new attack: a single signature can be enough for a thief to drain your tokens.

How does this scam happen? Let's dive into the basics to help you stay secure!

💎 Signature phishing

Signature phishing is a technique where attackers trick users into producing an off-chain signature that the attacker later uses to move their assets. Signatures are fundamental to self-custody wallets: every transaction you send carries your signature, and that signature is what proves the transaction came from you.

Transactions are signed and then broadcast, so their signatures end up on-chain where anyone can inspect them. Ethereum also supports signing arbitrary messages (for example EIP-712 typed data). Those signatures are never broadcast by the wallet: whoever receives one keeps it and can submit it to a contract whenever they choose. This is what a phishing dApp collects and uses at its discretion.

The scam typically follows this pattern:

  • The attacker creates a fake dApp and induces users to use it.

  • The dApp asks the user to sign an off-chain message. Because the raw message data is hard for humans to read, the user may believe they are signing to deposit tokens, as they would with other dApps. In reality they are signing a message that grants an unlimited token allowance.

  • The attacker then uses this signature to steal the user's assets.

💎 Permit2 signature phishing

With the basics of signature phishing in mind, we can look at Permit2 scams specifically. Permit2 lets a single token approval be shared and managed across applications, aiming for a more unified and gas-efficient UX. The same design, however, introduces new risks.

Standard approval model

  • The user calls approve() on an ERC20 to grant a spending allowance to a contract.

  • The user calls an interaction function on the contract, which in turn calls transferFrom() on the ERC20 token contract, moving her tokens.

Permit2 model

  • The user calls approve() on an ERC20 to grant an infinite allowance to the Permit2 contract.

  • The user signs an off-chain "Permit2" message that signals that the protocol contract is allowed to transfer tokens on her behalf.

  • The user calls an interaction function on the protocol contract, passing in the signed Permit2 message as a parameter.

  • The protocol contract calls permitTransferFrom() on the Permit2 contract, which in turn uses its allowance (granted in the first step) to call transferFrom() on the ERC20 contract, moving the tokens held by the user.

Permit2 eliminates the need for a separate on-chain approve() transaction for each dApp, saving gas fees. However, a few things make it hard for users to identify potential risks:

  • Off-chain signature: nothing is recorded on-chain when you sign, so there is no transaction to investigate. The signature only becomes visible once the attacker uses it.

  • Attack timing: a Permit2 signature stays valid until the expiration and deadline it carries, and phishing messages set those far in the future. The attacker can wait weeks before draining the wallet, so the victim no longer connects the loss to the site they signed on.

🔥 How to protect yourself?

  • Don't open unfamiliar websites and sign whatever they put in front of you. Read the message before signing: for a Permit2 request, check the spender address, the amount, the expiration and the signature deadline, and research the site first.

  • When using dApps, limit the amount a contract is allowed to spend instead of accepting an unlimited allowance.

  • If you have already signed a Permit2 message that could be abused, move the affected tokens to a different account. Revoking the ERC-20 allowance you granted to the Permit2 contract also blocks the attack, because Permit2 can only move your tokens through that allowance.
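The Permit2 model above and the "read the message" advice come down to a handful of fields in the EIP-712 payload a wallet receives through eth_signTypedData_v4. The following is an added example, not Halo Wallet's or Uniswap's code, of the check a wallet could run before showing the signing prompt: it recognizes the Permit2 domain, normalizes the PermitSingle, PermitBatch and PermitTransferFrom message shapes, and flags an unknown spender, an unlimited amount and a far-future expiration or deadline. The Permit2 contract address is the real canonical deployment; every other address, the trusted-spender list and the two sample requests are constructed for the example.

```javascript
// Added example (not Halo Wallet's code): triage a Permit2 eth_signTypedData_v4
// request before the user signs it. Only PERMIT2_ADDRESS is real; every other
// address below is a constructed placeholder.

// Canonical Permit2 deployment, same address on every chain Uniswap deployed to.
const PERMIT2_ADDRESS = "0x000000000022d473030f116ddee9f6b43ac78ba3";
const MAX_UINT160 = (1n << 160n) - 1n; // "unlimited" amount in PermitDetails
const MAX_UINT48 = (1n << 48n) - 1n;   // "never expires" in PermitDetails
const THIRTY_DAYS = 30n * 24n * 3600n;

function isPermit2Domain(domain) {
  return Boolean(domain) && domain.name === "Permit2" &&
    typeof domain.verifyingContract === "string" &&
    domain.verifyingContract.toLowerCase() === PERMIT2_ADDRESS;
}

// Normalise the three Permit2 message shapes into one spender plus a list of grants.
function extractGrants(typedData) {
  const m = typedData.message;
  switch (typedData.primaryType) {
    case "PermitSingle": // AllowanceTransfer.permit, one token
      return { spender: m.spender, sigDeadline: m.sigDeadline, details: [m.details] };
    case "PermitBatch": // AllowanceTransfer.permit, several tokens
      return { spender: m.spender, sigDeadline: m.sigDeadline, details: m.details };
    case "PermitTransferFrom": // SignatureTransfer.permitTransferFrom, one-shot
      return {
        spender: m.spender, sigDeadline: m.deadline,
        details: [{ token: m.permitted.token, amount: m.permitted.amount, expiration: m.deadline }],
      };
    default:
      return null;
  }
}

// Returns { isPermit2, risk: "low" | "medium" | "high", findings }.
function assessPermit2Request(typedData, { trustedSpenders = [], now } = {}) {
  const findings = [];
  if (!isPermit2Domain(typedData.domain)) return { isPermit2: false, risk: "low", findings };
  const nowSec = BigInt(now ?? Math.floor(Date.now() / 1000));
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const grants = extractGrants(typedData);
  if (!grants) {
    findings.push({ level: "high", reason: `Unrecognised Permit2 primaryType ${typedData.primaryType}` });
    return { isPermit2: true, risk: "high", findings };
  }
  if (!trusted.has(String(grants.spender).toLowerCase())) {
    findings.push({ level: "high", reason: `Spender ${grants.spender} is not an allow-listed protocol contract` });
  }
  for (const d of grants.details) {
    const amount = BigInt(d.amount);
    const expiration = BigInt(d.expiration);
    if (amount === MAX_UINT160) {
      findings.push({ level: "high", reason: `Unlimited amount for token ${d.token}` });
    }
    if (expiration === MAX_UINT48 || expiration - nowSec > THIRTY_DAYS) {
      findings.push({ level: "medium", reason: `Allowance for ${d.token} stays valid for more than 30 days` });
    }
  }
  if (BigInt(grants.sigDeadline) - nowSec > THIRTY_DAYS) {
    findings.push({ level: "medium", reason: "Signature itself can be submitted more than 30 days from now" });
  }
  const levels = findings.map((f) => f.level);
  const risk = levels.includes("high") ? "high" : levels.includes("medium") ? "medium" : "low";
  return { isPermit2: true, risk, findings };
}

// EIP-712 type definitions for AllowanceTransfer.permit(PermitSingle), as Permit2 defines them.
const PERMIT_SINGLE_TYPES = {
  PermitDetails: [
    { name: "token", type: "address" }, { name: "amount", type: "uint160" },
    { name: "expiration", type: "uint48" }, { name: "nonce", type: "uint48" },
  ],
  PermitSingle: [
    { name: "details", type: "PermitDetails" }, { name: "spender", type: "address" },
    { name: "sigDeadline", type: "uint256" },
  ],
};
const SAMPLE_NOW = 1700000000; // fixed clock so the samples are deterministic
const TRUSTED_SPENDER = "0x1111111111111111111111111111111111111111"; // constructed
const SAMPLE_TOKEN = "0x2222222222222222222222222222222222222222";    // constructed

// Constructed sample: the shape a phishing page typically asks the wallet to sign.
const PHISHING_REQUEST = {
  domain: { name: "Permit2", chainId: 1, verifyingContract: PERMIT2_ADDRESS },
  primaryType: "PermitSingle", types: PERMIT_SINGLE_TYPES,
  message: {
    details: { token: SAMPLE_TOKEN, amount: MAX_UINT160.toString(), expiration: MAX_UINT48.toString(), nonce: "0" },
    spender: "0x3333333333333333333333333333333333333333", // constructed attacker address
    sigDeadline: MAX_UINT48.toString(),
  },
};

// Constructed sample: a tightly scoped permit a legitimate swap would request.
const BENIGN_REQUEST = {
  domain: { name: "Permit2", chainId: 1, verifyingContract: PERMIT2_ADDRESS },
  primaryType: "PermitSingle", types: PERMIT_SINGLE_TYPES,
  message: {
    details: { token: SAMPLE_TOKEN, amount: "1000000000", expiration: String(SAMPLE_NOW + 1800), nonce: "0" },
    spender: TRUSTED_SPENDER,
    sigDeadline: String(SAMPLE_NOW + 1800),
  },
};

for (const req of [PHISHING_REQUEST, BENIGN_REQUEST]) {
  const r = assessPermit2Request(req, { trustedSpenders: [TRUSTED_SPENDER], now: SAMPLE_NOW });
  console.log(req.message.spender, "=>", r.risk, r.findings.map((f) => f.reason));
}
```

A check like this only helps when it runs inside the wallet's signing flow; a dApp page controls its own JavaScript, so nothing it runs can be trusted to warn the user. The 30-day thresholds and the spender allow-list are policy choices for the example, not Permit2 constants.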

Regularly use tools like revoke.cash to manage your approvals.