In brief
- A USDC holder lost more than $440,000 after signing a malicious “permit” transaction.
- “Permit” phishing attacks accounted for some of November’s largest individual crypto losses.
- Experts warn that scammers rely on human error and that recovery is highly unlikely.
A hacker made off with more than $440,000 in USDC after a wallet owner unknowingly signed a malicious “permit” signature, according to a Monday tweet by Scam Sniffer.
The theft comes amid a surge in phishing losses. Roughly $7.77 million was drained from more than 6,000 victims in November, Scam Sniffer’s monthly report found, representing a 137% jump in total losses from October, even as the number of victims fell by 42%.
“Whale hunting intensified with a top hit of $1.22 million (permit signature). Despite fewer attacks, individual losses grew significantly,” the company noted.
What are permit scams?
Permit-based scams revolve around tricking users into signing a transaction that looks legitimate but quietly hands an attacker the right to spend their tokens. Malicious dapps may disguise fields, spoof contract names, or present the signature request as something routine.
If a user fails to scrutinize the details, signing the request effectively grants the attacker permission to access all of the user’s ERC-20 tokens. Once granted, scammers typically drain the funds immediately.
The method exploits Ethereum’s permit function, which is designed to make token transfers easier by allowing users to delegate spending rights to trusted applications. The convenience becomes a vulnerability when those rights are granted to an attacker.
“What’s particularly tricky about this attack type is that the attackers can either conduct the permit and transfer of tokens in one transaction (a smash and grab type approach) or they could give themselves access via the permit and then lay dormant waiting to transfer away any later added funds (as long as they set an appropriately far away access deadline within the permit function metadata),” Tara Annison, head of product at Twinstake, told Decrypt.
“The success of these types of scams relies on you signing something that you don’t quite realise what it will do,” she said, adding that, “It’s all about the human vulnerability and taking advantage of people’s eagerness.”
Annison added that this incident is far from isolated. “There are many big value and high volume examples of phishing scams designed to trick users into signing something they don’t fully understand. Often done under the guise of free airdrops, fake project landing pages to connect your wallet to [or] fraudulent security warnings to check if you’ve been impacted,” she added.
How to protect yourself
Wallet providers have been rolling out more protective features. MetaMask, for example, warns users if a site appears suspicious and attempts to translate transaction data into human-readable intent. Other wallets similarly highlight high-risk actions. But scammers continue to adapt.
Harry Donnelly, founder and CEO of Circuit, told Decrypt that permit-style attacks are “quite widespread” and urged users to check sender addresses and contract details.
“That’s the clearest way to know that if it’s a protocol that doesn’t match where you’re actually trying to send the funds, then that likely is someone trying to steal funds,” he said. “You can check the amount, so often they’ll try and give unlimited approvals, like that.”
Annison emphasized that vigilance is still users’ strongest defense. “The best way to protect yourself from a permit, approveAll or transferFrom scam is to ensure that you know what you are signing. What actions will actually be done in the transaction? What functions are being used? Do these match up to what you thought you were signing?”
“Many wallets and dapps have improved user interfaces to ensure that you’re not blindly signing something and can see what it will result in, as well as warnings for high risk functions being used. However it’s important that users are actively checking what they’re signing and not just connecting their wallet and hitting the sign,” she said.
Once stolen, the recovery of funds is unlikely. Martin Derka, co-founder and technical lead at Zircuit Finance told Decrypt the chances of getting the funds back was “basically zero.”
“In phishing attacks, you’re dealing with an individual whose entire goal is to take your funds. There’s no negotiation, no point of contact, and often no idea who the counterparty is,” he said.
“These attackers play a numbers game,” Derka said, adding that, “Once the money is gone, it’s gone. Recovery is essentially impossible.”
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.