Pepe Holder Loses $1.4 Million in Uniswap Permit2 Phishing Attack

Uniswap Permit2 signing, which started as a tool to simplify token approvals, has now become a common attack vector in the DeFi ecosystem.

A PEPE token holder became the latest victim of a phishing scam, losing $1.39 million worth of crypto after unknowingly signing a malicious Uniswap Permit2 transaction.

According to cybersecurity firm ScamSniffer, the stolen assets, including Pepe (PEPE), Microstrategy (MSTR), and Apu (APU) tokens, were transferred to a new wallet just an hour after the victim approved the transaction.

This incident adds to a series of attacks that target the vulnerabilities in Uniswap’s Permit and Permit2 features. Those features are intended to reduce friction in crypto transactions, but attackers use them to empty users’ wallets with a single signature.

The victim unknowingly signed an off-chain Permit2 signature, which granted the attacker unrestricted access to their wallet, as per ScamSniffer.

In under an hour, the scammer moved the stolen tokens to a new address, leaving the victim with significant losses.

Uniswap introduced Permit2 in 2022 to improve the user experience by allowing multiple tokens to be approved in one go, saving on gas fees. However, this convenience has become a double-edged sword.

In a typical Permit2 phishing attack, scammers lure users into signing an off-chain signature through phishing websites or fake decentralized application (dApp) interfaces, as per a Gate.io report.

The signature appears harmless, but it actually authorizes the attacker to perform two critical actions within the Permit2 contract—Permit and Transfer From—giving them control over the victim’s tokens.

Once the transaction is signed, the scammer quickly moves the tokens to their own address. Because the Permit2 signature approval happens off-chain, users do not immediately see any suspicious activity on the blockchain.

By the time the transaction reaches the blockchain and the tokens are transferred, the damage has already been done.

This off-chain approval process is what makes Permit2 phishing attacks so dangerous, as it enables attackers to drain entire wallets with a single signature.

Permit2, by default, authorizes access to the entire token balance unless the user manually sets a limit, a step many overlook.
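A wallet-side inspection of the signing step described above, added here as an example; it is not code from the article, from Uniswap or from ScamSniffer. It assumes the request arrives in the EIP-712 JSON shape that wallets receive via eth_signTypedData_v4, with primaryType PermitSingle or PermitBatch from Permit2's AllowanceTransfer, and uses the canonical Permit2 contract address. The token and spender addresses, timestamps and amounts in the samples are constructed placeholders. The check flags exactly what the text warns about: an allowance for the entire balance (the uint160 maximum), an allowance that never expires, a spender the user did not choose to interact with, and a signature that stays submittable for a long time.

```javascript
// Added example (not from the article, Uniswap or ScamSniffer): inspect a Permit2
// AllowanceTransfer signing request before the user signs it and report the risky
// parts in plain language. Assumes the EIP-712 JSON shape wallets receive via
// eth_signTypedData_v4, with primaryType "PermitSingle" or "PermitBatch".

const PERMIT2_ADDRESS = "0x000000000022d473030f116ddee9f6b43ac78ba3"; // canonical Permit2 deployment
const MAX_UINT160 = (1n << 160n) - 1n; // largest PermitDetails.amount: "entire balance"
const MAX_UINT48 = (1n << 48n) - 1n;   // largest PermitDetails.expiration: "never expires"
const ONE_DAY = 24n * 60n * 60n;       // seconds

// Returns { isPermit2, findings }. `now` is a unix timestamp in seconds and
// `knownSpenders` lists the contract addresses the user actually meant to use.
function inspectPermit2Request(typedData, now, knownSpenders = []) {
  const findings = [];
  const domain = typedData.domain || {};
  const contract = String(domain.verifyingContract || "").toLowerCase();

  // Anything not addressed to the Permit2 contract is outside this check's scope.
  if (domain.name !== "Permit2" || contract !== PERMIT2_ADDRESS) {
    return { isPermit2: false, findings };
  }

  const msg = typedData.message;
  let details;
  if (typedData.primaryType === "PermitSingle") details = [msg.details];
  else if (typedData.primaryType === "PermitBatch") details = msg.details;
  else return { isPermit2: true, findings: [`unrecognised primaryType ${typedData.primaryType}`] };

  // The spender is the contract that will be able to call transferFrom on the user's tokens.
  const spender = String(msg.spender || "").toLowerCase();
  if (!knownSpenders.map((a) => a.toLowerCase()).includes(spender)) {
    findings.push(`spender ${spender} is not a contract you chose to interact with`);
  }

  for (const d of details) {
    const token = String(d.token).toLowerCase();
    const amount = BigInt(d.amount);
    const expiration = BigInt(d.expiration);
    if (amount === MAX_UINT160) {
      findings.push(`unlimited allowance requested for token ${token}`);
    }
    if (expiration === MAX_UINT48 || expiration - BigInt(now) > 30n * ONE_DAY) {
      findings.push(`allowance for token ${token} would last longer than 30 days`);
    }
  }

  // sigDeadline bounds how long the signed message itself can be submitted on-chain.
  if (BigInt(msg.sigDeadline) - BigInt(now) > ONE_DAY) {
    findings.push("signature would remain submittable for more than a day");
  }

  return { isPermit2: true, findings };
}

// Constructed sample data: placeholder addresses and an arbitrary timestamp, not real on-chain values.
const NOW = 1728900000;
const ROUTER = "0x00000000000000000000000000000000000000aa";  // placeholder for a DEX router the user opened
const DRAINER = "0x00000000000000000000000000000000000000bb"; // placeholder for a spender the user never chose
const TOKEN_A = "0x00000000000000000000000000000000000000a1";
const TOKEN_B = "0x00000000000000000000000000000000000000a2";

const permit2Domain = { name: "Permit2", chainId: 1, verifyingContract: PERMIT2_ADDRESS };

// Shape of the request the article describes: every token, full balance, no expiry, unknown spender.
const PHISHING_REQUEST = {
  domain: permit2Domain,
  primaryType: "PermitBatch",
  message: {
    details: [
      { token: TOKEN_A, amount: MAX_UINT160.toString(), expiration: MAX_UINT48.toString(), nonce: 0 },
      { token: TOKEN_B, amount: MAX_UINT160.toString(), expiration: MAX_UINT48.toString(), nonce: 0 },
    ],
    spender: DRAINER,
    sigDeadline: String(NOW + 365 * 24 * 60 * 60),
  },
};

// Shape of a bounded swap approval: one token, the trade size, 30-minute expiry, known spender.
const BOUNDED_REQUEST = {
  domain: permit2Domain,
  primaryType: "PermitSingle",
  message: {
    details: { token: TOKEN_A, amount: "1000000000000000000000", expiration: String(NOW + 1800), nonce: 0 },
    spender: ROUTER,
    sigDeadline: String(NOW + 1800),
  },
};

console.log(inspectPermit2Request(PHISHING_REQUEST, NOW, [ROUTER]).findings);
console.log(inspectPermit2Request(BOUNDED_REQUEST, NOW, [ROUTER]).findings);
```

The thresholds (30 days for an allowance, one day for the signature deadline) are policy choices for this example, not Permit2 rules; a wallet would tune them and would still let the user proceed after reading the findings. The point is that every field a drainer relies on is visible in the typed data before anything is signed, so the decision can be made off-chain, at the only moment it still matters.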

Uniswap did not immediately return a request for comment.

The Trend of Permit Phishing Scams

This attack is not an isolated case. It is part of a rising trend of phishing scams exploiting the Permit2 feature. This month alone there have been two other incidents involving Permit2: one investor lost 15,079 fwdETH (worth approximately $36 million) in a Permit phishing scam on Oct. 11, which followed another victim losing $2.47 million worth of Aave Ethereum sDAI in a similar phishing attack the day before.

In September, things were even worse. One user lost 12,083 spWETH (valued at $32.43 million) after signing a fraudulent Permit2 signature and another saw $127,141 worth of Neiro tokens taken from their wallet because of a phishing scam using the Uniswap Permit2 approval.

In response to these ongoing attacks, MetaMask has reportedly improved the readability of Permit and Permit2 signatures, making it easier for users to recognize the permissions they are granting.

The threat of phishing and other attack vectors in the crypto space was highlighted in CertiK’s recent Web3 security report. The report revealed that phishing scams and private key compromises accounted for the majority of the losses, with phishing alone causing $343 million in damages.

Edited by Stacy Elliott.

Source link

Vismaya V

https://decrypt.co/286076/pepe-uniswap-permit2-phishing-attack

2024-10-14 11:52:53