Permit Signature Risk Disclosure
Recently, we received feedback from multiple users who were directed to phishing sites through Google ad search results and signed unknown, malicious messages on those sites, resulting in asset losses. One user lost about 2500 ARB tokens; investigation showed that the user's ARB tokens had been granted an unlimited (infinite) approval to the malicious contract address 0x00005cA8824899d3f6c10522D9cc1b04E05A0000.
Upon investigation, this malicious contract address belongs to the Inferno Drainer scam group. According to Scam Sniffer monitoring data, this group has stolen $41.88 million from 89,484 victims to date. They have created over 689 phishing sites targeting over 220 brands, including recently popular projects such as zkSync, Arbitrum, Optimism, and Blur.
The analysis indicates that the losses were caused by users producing off-chain signatures (Permit authorization signatures) on a phishing site. A Permit lets a user authorize a token allowance with a signed message instead of an on-chain approve transaction, so no gas is spent. However, as the case above illustrates, the same mechanism gives phishers an opening: once they obtain the user's signed permit, they can submit it themselves and transfer the authorized assets without the user's knowledge.
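As an added illustration (not imToken's code), the following JavaScript shows the checks a wallet can apply to an EIP-2612 Permit typed-data request before the user signs it. The spender in the sample request is the Inferno Drainer address from the incident above; the token, owner and timestamp values are constructed placeholders.

```javascript
// Added example (not imToken's code): checks a wallet can run on an EIP-2612
// Permit typed-data request (the object a DApp passes to eth_signTypedData_v4)
// before asking the user to sign. Returns a list of risk flags.
const MAX_UINT256 = (1n << 256n) - 1n;
const THIRTY_DAYS = 30n * 24n * 60n * 60n;

function assessPermitRequest(typedData, opts = {}) {
  const { now = Math.floor(Date.now() / 1000), trustedSpenders = [] } = opts;
  const flags = [];
  if (typedData.primaryType !== "Permit") return flags; // not a Permit request
  const msg = typedData.message;
  const spender = String(msg.spender || "").toLowerCase();
  const value = BigInt(msg.value);       // accepts decimal or 0x-hex strings
  const deadline = BigInt(msg.deadline);

  // Unlimited allowance: the "infinite authorization" seen in the ARB incident.
  if (value === MAX_UINT256) flags.push("UNLIMITED_ALLOWANCE");
  // A permit that never expires (or not for months) can be redeemed at any time.
  if (deadline === MAX_UINT256 || deadline > BigInt(now) + THIRTY_DAYS) {
    flags.push("LONG_LIVED_DEADLINE");
  }
  // Spender is not a contract the user has chosen to trust.
  const trusted = trustedSpenders.map((a) => a.toLowerCase());
  if (!trusted.includes(spender)) flags.push("UNKNOWN_SPENDER");
  return flags;
}

// Constructed sample request in the shape a phishing page would send. The
// spender is the Inferno Drainer contract address from the incident above;
// the owner and verifyingContract values are placeholders.
const phishingPermit = {
  domain: { name: "Token", version: "1", chainId: 42161,
            verifyingContract: "0x0000000000000000000000000000000000000001" },
  primaryType: "Permit",
  message: {
    owner: "0x1111111111111111111111111111111111111111",
    spender: "0x00005cA8824899d3f6c10522D9cc1b04E05A0000",
    value: MAX_UINT256.toString(),
    nonce: 0,
    deadline: MAX_UINT256.toString(),
  },
};

// A wallet would show these flags and ask for confirmation instead of
// forwarding the request straight to the signer.
const phishingFlags = assessPermitRequest(phishingPermit, { now: 1700000000 });
```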
Note: Avoid signing anything if you do not understand the purpose of the signature, as it could very likely be a scam!
Token authorization is a common operation in blockchain transactions, but it also carries certain risks. We need to exercise caution when reviewing each authorization request, and regularly manage them to safeguard assets.
- Conduct thorough research: Do solid research before using a new DApp. Understand its background, reputation, and development team to ensure its credibility.
- Verify contract addresses: When using a DApp, verify the accuracy of contract addresses. Avoid clicking on unclear links or obtaining addresses from unverified sources.
- Use official channels: Always download apps from official websites or app stores to prevent malware infection.
- Guard against phishing attacks: Be cautious of phishing attacks, avoid clicking on unfamiliar links, and refrain from providing personal information or private keys.
We recommend that users regularly use security check tools to review and revoke unknown off-chain signature authorizations, and set suitable limits when granting approvals.
- Steps to check authorization: Open the ETH wallet, slide the function bar to the left and click 'Revoke'. You can see the authorization status by scrolling down the Revoke page.
- Steps to revoke authorization: If you want to revoke authorization, click the menu bar in the upper right corner after entering the Revoke DApp page. Select 'Connect Wallet' and click 'WalletConnect' - 'imToken' to connect your wallet. After connecting your wallet successfully, scroll down to find the authorization you wish to cancel in the list, click the 🖊️ button to edit the 'Approved Amount,' and then click 'Update' to sign and complete the process.
- Steps to edit authorization: imToken supports displaying details of two authorization methods, approve and permit, including authorization amount, time, token and contract details, etc. You can click "Edit" to modify the authorization amount and time.
Besides Permit, previous issues of the Wallet Security Newsletter have disclosed other scams that also need to be guarded against, such as fake website scams, SMS scams, mnemonic phrase scams, and authorization scams.
- #1: Fake websites and wallets
- #8: My wallet was drained but my password was not compromised
- #10: Beware of "Zero-Dollar Purchase" NFT Phishing Scams!
- #12: Two major questions about the new scam
imToken Is Always Protecting Your Asset Security
Brand New Signing Experience. You Sign What You See.
In blockchain transactions, it is not uncommon for authorization to be done inadvertently, resulting in signatures being stolen. To address this, imToken has carried out a comprehensive upgrade so that users can easily understand every transaction and the meaning of their signatures. The following are optimization points for different scenarios:
Active Security Protection
To combat the growing threat of malicious signatures, imToken has comprehensively upgraded its signature processes and addressed potential weaknesses across all areas:
- Mark risky tokens, ban risky addresses and DApps;
- When transferring funds to a contract address, a reminder pops up to help avoid mistaken transfers;
- When granting an approval to an ordinary account (rather than a contract), a reminder pops up to reduce the risk of a wrong authorization;
- In the token exchange process, a warning alert pops up if slippage is too high.
Be Cautious with Risky and Contract Addresses
imToken places a high priority on the safety of its users' assets and, in addition to implementing security measures, flagged 511 risky tokens, 608 risky DApp sites, and 2965 risky addresses in September to assist users in identifying risky tokens and avoiding scams.
If you suspect that a token or DApp is risky, please inform us promptly at firstname.lastname@example.org.