Uniswap Permit2 signing, which started as a tool to simplify token approvals, has now become a common attack vector in the DeFi ecosystem.
A PEPE token holder became the latest victim of a phishing scam, losing $1.39 million worth of crypto after unknowingly signing a malicious Uniswap Permit2 transaction.
According to cybersecurity firm ScamSniffer, the stolen assets, including Pepe (PEPE), Microstrategy (MSTR), and Apu (APU) tokens, were transferred to a new wallet just an hour after the victim approved the transaction.
🚨 25 mins ago, a PEPE holder lost $1.39M worth of PEPE, MSTR, and APU after signing a “permit2” phishing signature.💸 pic.twitter.com/Wf4nd8eFxl
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) October 13, 2024
This incident adds to a series of attacks that target the vulnerabilities in Uniswap’s Permit and Permit2 features. They’re intended to reduce friction in crypto transactions—to empty users’ wallets with a single signature.
The victim unknowingly signed an off-chain Permit2 signature, which granted the attacker unrestricted access to their wallet, as per ScamSniffer.
In under an hour, the scammer moved the stolen tokens to a new address, leaving the victim with significant losses.
Uniswap introduced Permit2 in 2022 to improve the user experience by allowing multiple tokens to be approved in one go, saving on gas fees. However, this convenience has become a double-edged sword.
In a typical Permit2 phishing attack, scammers lure users into signing an off-chain signature through phishing websites or fake decentralized application (dApp) interfaces, as per a Gate.io report.
The signature appears harmless, but it actually authorizes the attacker to perform two critical actions within the Permit2 contract—Permit and Transfer From—giving them control over the victim’s tokens.
Once the transaction is signed, the scammer quickly moves the tokens to their own address. Because the Permit2 signature approval happens off-chain, users do not immediately see any suspicious activity on the blockchain.
By the time the transaction reaches the blockchain and the tokens are transferred, the damage has already been done.
This off-chain approval process is what makes Permit2 phishing attacks so dangerous, as it enables attackers to drain entire wallets with a single signature.
Permit2, by default, authorizes access to the entire token balance unless the user manually sets a limit, a step many overlook.
Uniswap did not immediately return a request for comment.
The Trend of Permit Phishing Scams
This attack is not an isolated case. It is part of a rising trend of phishing scams exploiting the Permit2 feature. Just this month alone there have been two other incidents involving Permit2: One investor lost 15,079 fwdETH (worth approximately $36 million) in a Permit phishing scam on Oct. 11, which followed another victim losing $2.47 million worth of Aave Ethereum sDAI in a similar phishing attack the day before.
In September, things were even worse. One user lost 12,083 spWETH (valued at $32.43 million) after signing a fraudulent Permit2 signature and another saw $127,141 worth of Neiro tokens taken from their wallet because of a phishing scam using the Uniswap Permit2 approval.
In response to these ongoing attacks, MetaMask has reportedly improved the readability of Permit and Permit2 signatures, making it easier for users to recognize the permissions they are granting.
The threat of phishing and other attack vectors in the crypto space was highlighted in the recent CertiK’s recent Web3 security report. The revealed phishing scams and private key compromises accounted for the majority of the losses, with phishing alone causing $343 million in damages.
Edited by Stacy Elliott.