Uniswap’s Permit2 Feature Exploited in $1.39M Phishing Attack

Uniswap’s Permit2 feature, introduced to simplify token approvals and save on gas fees, has become a growing target for phishing in the DeFi ecosystem. A recent attack resulted in a PEPE token holder losing $1.39 million worth of assets after unknowingly signing a malicious Permit2 approval message.

The Attack

The latest victim fell prey to a phishing scheme that abused Uniswap’s Permit2 contract rather than any flaw in it. According to cybersecurity firm ScamSniffer, the victim unknowingly signed an off-chain Permit2 message that granted the attacker spending rights over the wallet’s tokens. The stolen assets, including PEPE, Microstrategy (MSTR), and Apu (APU) tokens, were transferred to a new address within an hour of the approval.

Permit2 was designed to improve user experience: after a single on-chain approval to the Permit2 contract, a user can authorize spending of many tokens with off-chain signatures instead of a separate approval transaction per token. Scammers have turned this into an attack by tricking users into signing malicious messages. The signature looks harmless, but it lets the attacker perform two actions: submit it to Permit2’s permit function, which records an allowance for the attacker’s chosen spender address, and then call transferFrom to move the tokens. Nothing is visible on-chain until the attacker decides to act.

Why Permit2 Phishing is Dangerous

The off-chain nature of the Permit2 signature makes this type of phishing attack especially dangerous. Signing costs no gas and leaves no on-chain trace, so users see no suspicious activity on the blockchain until the tokens are already transferred. The damage is done before they realize something is wrong.

As ScamSniffer explains, this attack exploits the defaults in the Permit2 flow. The message the user signs carries its own amount and expiration, and those values are filled in by the site requesting the signature; a phishing page sets them to the maximum amount and a distant expiration, so unless the user inspects and limits those fields (a step many users skip) the signature covers the entire balance of each listed token. Once the scammer holds the signature, they submit it and quickly transfer the stolen tokens to their own address, leaving the victim with substantial losses.

Permit2’s Double-Edged Sword

Uniswap introduced Permit2 in 2022 with the goal of reducing transaction friction and gas fees by letting users approve multiple tokens in one go. While the feature has improved user convenience, it has also given phishers a new surface: a single off-chain signature now carries as much authority as an on-chain approval transaction.

In a typical Permit2 phishing attack, scammers lure victims through fake decentralized application (dApp) interfaces or phishing websites, convincing them to sign what looks like a routine approval. The signature allows scammers to drain wallets with just one off-chain authorization, leaving victims with no immediate warning signs.

As phishing attacks leveraging Uniswap’s Permit2 feature become more frequent, users must be cautious whenever a site asks for an off-chain signature. Before signing, check the spender address, the amount, and the expiration in the message, and set the amount and expiration to what the intended action actually needs rather than accepting the values a site fills in. Existing Permit2 allowances should also be reviewed and revoked when no longer needed. The growing number of Permit2 phishing incidents highlights the need for greater security awareness in the DeFi space.
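The checks above, and the permit/transferFrom flow described earlier in the article, can be applied to the EIP-712 typed-data object a dApp hands to a wallet for signing. The following is an added example written for this page, not code from the article, ScamSniffer or Uniswap. The Permit2 contract address and the PermitSingle/PermitDetails field layout are Permit2’s own; the token, spender and attacker addresses, the trusted-spender list and the sample requests are constructed placeholders, and the inspection logic and its thresholds are the author’s assumptions about what a wallet or browser extension might warn on.

```javascript
// Added example (not from the article or from Uniswap): inspect an EIP-712
// typed-data request (the object a dApp passes to eth_signTypedData_v4)
// before signing it, and flag the Permit2 phishing pattern: a permit for the
// whole balance, valid far into the future, to a spender the user never chose.

// Canonical Permit2 contract address (the same address on every chain).
const PERMIT2_ADDRESS = "0x000000000022d473030f116ddee9f6b43ac78ba3";

// Permit2 stores allowance amounts as uint160; drainers request the maximum.
const MAX_UINT160 = (1n << 160n) - 1n;

// Assumed for this example: spender contracts the user deliberately trusts.
// The address is a hypothetical placeholder, not a real router.
const TRUSTED_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

function lower(addr) {
  return String(addr ?? "").toLowerCase();
}

// Returns { isPermit2, risky, findings } for a typed-data signing request.
// `now` (unix seconds) is injectable so results are deterministic;
// `maxAllowanceDays` bounds how far ahead an expiration may lie.
function inspectPermit2Request(typedData, opts = {}) {
  const nowSec = opts.now ?? Math.floor(Date.now() / 1000);
  const maxAllowanceDays = opts.maxAllowanceDays ?? 30;
  const trusted = opts.trustedSpenders ?? TRUSTED_SPENDERS;
  const findings = [];

  // Anything not addressed to the Permit2 contract is out of scope here.
  if (lower(typedData.domain?.verifyingContract) !== PERMIT2_ADDRESS) {
    return { isPermit2: false, risky: false, findings };
  }

  const { primaryType, message } = typedData;
  let detailsList;
  if (primaryType === "PermitSingle") {
    detailsList = [message.details];
  } else if (primaryType === "PermitBatch") {
    detailsList = message.details;
  } else {
    // PermitTransferFrom / PermitBatchTransferFrom authorise an immediate
    // transfer rather than an allowance; treat any unexpected type as risky.
    findings.push(`unexpected Permit2 primaryType ${primaryType}; review manually`);
    return { isPermit2: true, risky: true, findings };
  }

  const spender = lower(message.spender);
  if (!trusted.has(spender)) {
    findings.push(`spender ${spender} is not a known contract`);
  }

  for (const d of detailsList) {
    const token = lower(d.token);
    if (BigInt(d.amount) === MAX_UINT160) {
      findings.push(`token ${token}: unlimited allowance (uint160 max)`);
    }
    const days = (Number(d.expiration) - nowSec) / 86400;
    if (days > maxAllowanceDays) {
      findings.push(`token ${token}: allowance valid for ${Math.floor(days)} days`);
    }
  }

  return { isPermit2: true, risky: findings.length > 0, findings };
}

// Builds a PermitSingle request. Domain and struct layout are Permit2's;
// the message content is whatever the caller (or a phishing page) supplies.
function permitSingleRequest(token, amount, expiration, spender, sigDeadline) {
  return {
    domain: { name: "Permit2", chainId: 1, verifyingContract: "0x000000000022D473030F116dDEE9F6B43aC78BA3" },
    primaryType: "PermitSingle",
    types: {
      PermitDetails: [
        { name: "token", type: "address" }, { name: "amount", type: "uint160" },
        { name: "expiration", type: "uint48" }, { name: "nonce", type: "uint48" },
      ],
      PermitSingle: [
        { name: "details", type: "PermitDetails" }, { name: "spender", type: "address" },
        { name: "sigDeadline", type: "uint256" },
      ],
    },
    message: { details: { token, amount: String(amount), expiration, nonce: 0 }, spender, sigDeadline },
  };
}

const FIXED_NOW = 1728000000; // constructed "current time" for deterministic output
const TOKEN = "0x2222222222222222222222222222222222222222"; // hypothetical token

// Constructed phishing request: max amount, uint48-max expiration, unknown spender.
const PHISHING_REQUEST = permitSingleRequest(
  TOKEN, MAX_UINT160, 281474976710655,
  "0x4444444444444444444444444444444444444444", FIXED_NOW + 3600);

// Constructed benign request: 1000 tokens (18 decimals), 30-day expiry, trusted spender.
const BENIGN_REQUEST = permitSingleRequest(
  TOKEN, 1000n * 10n ** 18n, FIXED_NOW + 30 * 86400,
  "0x1111111111111111111111111111111111111111", FIXED_NOW + 3600);

console.log(inspectPermit2Request(PHISHING_REQUEST, { now: FIXED_NOW }));
console.log(inspectPermit2Request(BENIGN_REQUEST, { now: FIXED_NOW }));
```

The phishing request produces three findings (unknown spender, uint160-max amount, expiration far beyond 30 days); the benign one produces none. The amount threshold is deliberately strict: a legitimate swap needs an allowance for the amount being swapped, not the maximum the field can hold, so a uint160-max amount is the single most reliable signal to refuse on.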

This article is for information purposes only and should not be considered trading or investment advice. Nothing herein shall be construed as financial, legal, or tax advice. Bullish Times is a marketing agency committed to providing corporate-grade press coverage and shall not be liable for any loss or damage arising from reliance on this information. Readers should perform their own research and due diligence before engaging in any financial activities.
