Analysis of Web3 Signature Phishing Attacks and Prevention Guide
The Underlying Logic of Web3 Signature Phishing and Prevention
Recently, "signature phishing" has become the attack method most favored by Web3 hackers. Despite continuous outreach by industry experts and security companies, many users still suffer losses every day. One of the main reasons is that most users do not understand the underlying mechanisms of wallet interactions, and for non-technical people the learning threshold for this knowledge is quite high.
To help more people understand the issue, we will explain the underlying logic of signature phishing through diagrams, in the simplest and most accessible language we can.
First, we need to understand that there are mainly two operations when using a wallet: "signing" and "interacting". Simply put, signing occurs off the blockchain (off-chain) and does not require paying Gas fees; while interacting occurs on the blockchain (on-chain) and requires paying Gas fees.
Signatures are commonly used for authentication, such as logging into a wallet or connecting to a DApp. This process does not alter any data or state on the blockchain, so there is no need to pay a fee.
Interaction involves actual on-chain operations. For example, when swapping tokens on a certain DEX, you first need to authorize the DEX's smart contract to use your tokens (this step is called "authorization" or "approve"), and then execute the actual swap operation. Both of these steps require paying Gas fees.
After understanding the difference between signatures and interactions, let's take a look at several common phishing methods: authorization phishing, Permit signature phishing, and Permit2 signature phishing.
Authorization phishing is a classic Web3 phishing technique. Hackers often spoof a seemingly legitimate website and entice users to click buttons such as "Claim Airdrop". In reality, the click triggers an approve transaction that grants the hacker an allowance over the user's tokens. The drawback of this method, from the attacker's point of view, is that the user must pay Gas fees, which can easily raise suspicion.
Permit and Permit2 signature phishing are even more covert. Permit is an extension of the ERC-20 standard that allows users to approve others to move their tokens through signatures. It's like signing a "note" that authorizes someone to use your assets. Hackers can exploit this mechanism to induce users to sign seemingly harmless messages, which in reality authorize hackers to transfer the user's assets.
Permit2 is a feature launched by a certain DEX aimed at simplifying the user's workflow. The user grants a large allowance to the Permit2 smart contract once, after which each transaction only requires a signature rather than a fresh approval. However, this also creates an opportunity for hackers. If a user has previously used the DEX and granted the Permit2 contract an unlimited allowance, then once they are induced to sign a Permit2 message, hackers can easily transfer the user's assets.
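The following is an added example (not code from the original article or from any wallet or DEX): a wallet-side inspector that flags the Permit and Permit2 sign requests described above before the user signs. It reads the EIP-712 typed-data object a DApp passes to the wallet; the field names follow EIP-2612 Permit and Permit2's PermitSingle, while the 24-hour threshold, the trusted-spender allowlist and the sample request are assumptions chosen for illustration.

```javascript
// Added example: inspector for EIP-712 typed-data sign requests (eth_signTypedData_v4 input).
// Field names follow EIP-2612 Permit and Permit2 PermitSingle; thresholds and the allowlist
// are illustrative assumptions, not part of any standard.
const UINT256_MAX = (1n << 256n) - 1n; // "unlimited" value in an EIP-2612 Permit
const UINT160_MAX = (1n << 160n) - 1n; // "unlimited" amount in Permit2 (amount is uint160)
const ONE_DAY = 86400n;

// Hypothetical allowlist: spenders the user has knowingly chosen to authorize (lowercase hex).
const TRUSTED_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

function checkSpender(spender, warnings) {
  if (!TRUSTED_SPENDERS.has(String(spender).toLowerCase())) {
    warnings.push(`unknown spender ${spender}`);
  }
}

// Returns { kind, warnings }: kind is "permit", "permit2" or "other"; warnings lists the
// red flags discussed above (unlimited allowance, far-off deadline, unknown spender).
function inspectSignRequest(typedData, nowSec = Math.floor(Date.now() / 1000)) {
  const { domain = {}, primaryType, message = {} } = typedData;
  const warnings = [];
  let kind = "other";
  if (primaryType === "Permit" && "spender" in message && "value" in message) {
    kind = "permit";
    if (BigInt(message.value) === UINT256_MAX) warnings.push("unlimited token allowance");
    if (BigInt(message.deadline ?? 0) - BigInt(nowSec) > ONE_DAY) warnings.push("deadline more than 24h away");
    checkSpender(message.spender, warnings);
  } else if (domain.name === "Permit2" && message.details && "spender" in message) {
    kind = "permit2";
    if (BigInt(message.details.amount) === UINT160_MAX) warnings.push("unlimited Permit2 allowance");
    if (BigInt(message.details.expiration ?? 0) - BigInt(nowSec) > ONE_DAY) warnings.push("expiration more than 24h away");
    checkSpender(message.spender, warnings);
  }
  return { kind, warnings };
}

// Constructed sample: the shape of Permit message a phishing page would ask the wallet to sign.
const SAMPLE_PERMIT = {
  domain: { name: "SomeToken", version: "1", chainId: 1, verifyingContract: "0x" + "22".repeat(20) },
  primaryType: "Permit",
  types: { Permit: [{ name: "owner", type: "address" }, { name: "spender", type: "address" },
    { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" }, { name: "deadline", type: "uint256" }] },
  message: { owner: "0x" + "aa".repeat(20), spender: "0x" + "dd".repeat(20),
    value: UINT256_MAX.toString(), nonce: 0, deadline: UINT256_MAX.toString() },
};

console.log(inspectSignRequest(SAMPLE_PERMIT));
```

A wallet that runs this check would show all three warnings for the sample request, while an ordinary login signature with no spender or value fields produces none.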
To prevent these phishing attacks, we recommend:
Cultivate security awareness and carefully check the specific operation details every time you use your wallet.
Separate large amounts of funds from everyday wallets to reduce potential losses.
Learn to recognize the signature formats of Permit and Permit2. If you see a signature request that includes the following fields, be vigilant:
By understanding these underlying logics and taking appropriate preventive measures, we can better protect the security of our Web3 assets.