Uniswap user loses $1.4 Million in Phishing Attack via Permit2 feature


Zanyar Ibrahim | Unsplash


Phishing methods seem to have become more effective lately. Users carrying out routine operations often enter their data on sites that only appear to be real. Over time, these attacks have moved to new frontiers, with the aim of draining wallets holding millions of dollars.

We have often mentioned the weaknesses of DEXs. If you are wondering what a DEX is, it is a decentralized exchange where you can swap tokens, although other operations have also been implemented, such as providing liquidity by creating a position between two tokens that may be highly volatile.

If there is something striking about these DEXs, it is DeFi. Perhaps this is a great attraction for investors looking to increase their profits. The one that has become the most used is Uniswap, which I have had to use on many occasions because that's how it is to live in the world of Web3. Over time, they have added many new functions, although not all of them have been a great success; some have instead become a new problem.



Obtained from Uniswap Labs Blog


Permit2 is a novel and useful feature when viewed from a savings perspective. With it, a user can approve multiple tokens at once instead of approving them one by one and spending much more gas than expected. The problem is that this approval is performed off-chain, and that is where the theft occurs.

As we said at the beginning, fake sites can look real and are one of the most efficient ways to steal funds. We are not saying that users are foolish, far from it. Anyone can fall for this type of scam without taking the necessary precautions and staying very observant.

In this case, the phishing attack related to Uniswap could not have worked without taking Permit2's functionality into account. The attacker must have created an interface resembling a decentralized application (dApp) through which they obtain the permissions granted by the deceived user.

The Permit2 contract has two authorizations to consider. On the one hand, there is the allowance permission, which grants a general permission over all the tokens involved, saving time and making everything less tedious. On the other hand, there is the transfer permission, which is the most dangerous: once it is granted we have lost control, and those tokens can be sent at any time without much recourse.

This becomes more chaotic given that Permit2 permissions are granted off-chain, which means nothing shows up in the on-chain records in time, so the user does not suspect anything, and by the time they do, it is too late. With this in mind, the attacker can drain a complete wallet through this phishing method. In fact, this is happening more frequently.

The cybersecurity firm ScamSniffer has reported a new incident within the Uniswap DeFi ecosystem. In this case, a user holding PEPE, MSTR, and APU tokens valued at $1.39 million fell victim to this type of phishing scam after signing a malicious off-chain transaction through what is known as Uniswap's Permit2.



Obtained from the Etherscan block explorer


The attacker took at least an hour to transfer these tokens to a new wallet, causing the victim to lose a significant portion, if not all, of their funds.

In September, a user lost the whopping amount of $32.43 million in tokens (12,083 spWETH).

Other similar attacks also occurred within this month. On October 11, a whale holding 15,079 fwdETH valued at $36 million fell victim to a scam through Permit2. Furthermore, another victim lost $2.47 million in sDAI, with a time difference between the two incidents.

It seems that this has become routine for attackers, and MetaMask has had to implement some security measures, or at least some safeguards against this type of fraud. In this case, the readability of what users sign has been improved so that they know what permissions they are granting.
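
A sketch of what such a readability check can look like, as an added example (not MetaMask's or Uniswap's code): it takes the EIP-712 typed data of a Permit2 signing request and returns who may move which tokens, for how much and until when. The function name `reviewPermit2Request`, the 30-day threshold and the sample request are assumptions made for illustration.

```javascript
// Added example: summarize a Permit2 EIP-712 signing request before the user signs.
// reviewPermit2Request is a hypothetical helper; thresholds and sample data are assumptions.
const MAX_UINT160 = (1n << 160n) - 1n; // largest amount an allowance permit can carry
const MAX_UINT256 = (1n << 256n) - 1n; // largest amount a transfer permit can carry
const LONG_LIVED_SECONDS = 30n * 24n * 3600n; // assumed policy: flag grants valid > 30 days

const asList = (x) => (x == null ? [] : Array.isArray(x) ? x : [x]);

function reviewPermit2Request(typedData, nowSeconds, trustedSpenders = []) {
  const { domain = {}, primaryType, message = {} } = typedData;
  if (domain.name !== "Permit2") return null; // not a Permit2 request
  const isAllowance = primaryType === "PermitSingle" || primaryType === "PermitBatch";
  // Allowance permits carry `details`; one-shot transfer permits carry `permitted`.
  const grants = asList(isAllowance ? message.details : message.permitted).map((g) => ({
    token: g.token,
    amount: BigInt(g.amount),
    expiry: BigInt(isAllowance ? g.expiration : message.deadline),
  }));
  const spender = String(message.spender).toLowerCase();
  const warnings = [];
  if (!trustedSpenders.map((s) => s.toLowerCase()).includes(spender))
    warnings.push("unknown-spender");
  if (grants.length > 1) warnings.push("multiple-tokens");
  if (grants.some((g) => g.amount === MAX_UINT160 || g.amount === MAX_UINT256))
    warnings.push("unlimited-amount");
  if (grants.some((g) => g.expiry - BigInt(nowSeconds) > LONG_LIVED_SECONDS))
    warnings.push("long-lived");
  return { kind: isAllowance ? "allowance" : "transfer", spender, grants, warnings };
}

// Constructed sample request (placeholder addresses, not taken from any incident).
const sampleRequest = {
  domain: { name: "Permit2", chainId: 1 },
  primaryType: "PermitBatch",
  message: {
    details: [
      { token: "0x" + "11".repeat(20), amount: MAX_UINT160.toString(), expiration: "1893456000", nonce: "0" },
      { token: "0x" + "22".repeat(20), amount: "5000", expiration: "1893456000", nonce: "0" },
    ],
    spender: "0x" + "ab".repeat(20),
    sigDeadline: "1700003600",
  },
};
const NOW = 1700000000; // constructed timestamp
console.log(reviewPermit2Request(sampleRequest, NOW));
```

A request that combines an unknown spender with an unlimited, long-lived grant over several tokens is the pattern worth stopping on before signing.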

According to a report from the security firm CertiK, which many of us are familiar with from researching which project or protocol we are investing in, phishing scams account for the biggest losses, reaching up to $343 million.


  • Main image edited in Canva.
  • I have consulted information in decrypt.co.
  • I have used Hive Translator to translate from Spanish to English.

5 comments
I guess it's never safe to even save money in an exchange


Obviously! It is much safer to keep money in cold wallets. And if you need to exchange, do it with not so high sums.


Hmmm, does cold wallet include Bybit and Binance?


No, those are not cold wallets. They are hot wallets, which are also centralized.
