Key Takeaways
Navigating security threats is one of the most important skills crypto users need to master. A recent phishing attack shows that even seasoned traders can be vulnerable.
On Sunday, June 23, an Ethereum wallet lost crypto worth $11.1 million to a permit phishing attack. The stolen assets included $2.4 million in Ethena’s USDe and 3,657 Maker Tokens worth $8.7 million – enough to cause the price of MKR to crash.
First reported by Scam Sniffer, Sunday’s exploit catalyzed a significant downward slide in the price of Maker Token, which has fallen more than 9% in the past 24 hours.
Equivalent to around 0.55% of the cryptocurrency’s market capitalization, the stolen funds were quickly swapped for ETH, creating enough selling pressure to impact the price of MKR.
The owner of the affected wallet appears to have signed multiple fraudulent permit messages (signature requests rather than transactions), losing their funds through a tactic known as permit phishing.
Permit phishing is a form of cyberattack in which malicious actors trick users into signing a message that grants the attacker an allowance over the tokens held in their wallet.
Unlike traditional phishing, which aims to steal credentials, permit phishing never needs the private key: the victim is manipulated into signing an approval that lets the attacker spend their tokens, and the attacker then drains the wallet on the victim's behalf.
In the context of Ethereum, these attacks abuse the “permit” function introduced by EIP-2612, which lets a token holder set an ERC-20 allowance with an off-chain EIP-712 signature instead of a separate on-chain approve transaction.
With the original “approve” function, the holder must send a transaction themselves to grant a spender an allowance before any transfer can happen. With permit, the holder signs a message containing owner, spender, value, nonce and deadline, and anyone can submit it on-chain, so a DApp can bundle the approval and the spend into a single transaction. Various decentralized applications (DApps) use the function to streamline the user experience and reduce gas fees.
However, the same property cuts the other way: a signed permit can be submitted by anyone until its deadline passes, and the attacker submits it and pays the gas. If a user signs a malicious permit, typically for the maximum value with a far-future deadline, the attacker gains an allowance over that token and can drain the balance whenever they choose; a victim tricked into signing one permit per token can lose every permit-enabled token kept in the wallet.
Phishing attempts typically arrive through seemingly legitimate websites or applications. The user is prompted to connect a wallet and then to sign what looks like a harmless message: no gas is charged and no transaction appears, because the prompt is a signature request rather than a transaction. What is actually being signed is a permit naming the attacker's address as spender. Once the signature is captured, the attacker submits it on-chain to set the allowance and calls transferFrom to move the tokens, with no further action from the victim and no outgoing transaction from the victim's own address until the drain itself.
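The check a user (or a wallet) can apply at the moment the signature prompt appears, as an added example that is not code from the original article or from any wallet: it takes the EIP-712 typed data behind an eth_signTypedData_v4 request, confirms it has the exact EIP-2612 Permit layout, and reports the three red flags described above, an unknown spender, an unlimited or oversized allowance, and a deadline far in the future. The token name, addresses, balance and timestamp are constructed placeholders, and the set of "trusted spenders" is an assumption standing in for the contracts the user actually chose to interact with.

```python
"""Inspect an eth_signTypedData_v4 request for the red flags of permit phishing.

Added example, not code from the original article or from any wallet. Addresses,
token names, balances and timestamps are constructed placeholders.
"""
import json
import time

MAX_UINT256 = 2**256 - 1
ONE_DAY = 24 * 60 * 60
# Field layout of the EIP-2612 Permit struct; drainer kits sometimes rename
# fields to disguise the request, so the layout is compared verbatim.
EIP2612_PERMIT_FIELDS = [
    ("owner", "address"),
    ("spender", "address"),
    ("value", "uint256"),
    ("nonce", "uint256"),
    ("deadline", "uint256"),
]


def to_int(value):
    """Typed-data integers arrive as ints, decimal strings or 0x-hex strings."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def is_eip2612_permit(typed_data):
    """True if primaryType is Permit with exactly the EIP-2612 field layout."""
    if typed_data.get("primaryType") != "Permit":
        return False
    struct = typed_data.get("types", {}).get("Permit", [])
    return [(f["name"], f["type"]) for f in struct] == EIP2612_PERMIT_FIELDS


def inspect_permit(typed_data, trusted_spenders, balance, now=None, max_validity=ONE_DAY):
    """Return a list of findings for one Permit request; an empty list means no red flag.

    trusted_spenders: lowercase addresses of contracts you deliberately chose (assumed).
    balance: your balance of the token at domain.verifyingContract.
    An empty list does not prove the request is safe, only that it looks like a
    normal, bounded approval.
    """
    now = int(time.time()) if now is None else now
    if not is_eip2612_permit(typed_data):
        return ["not an EIP-2612 Permit; review primaryType and struct fields by hand"]
    msg = typed_data["message"]
    token = str(typed_data.get("domain", {}).get("verifyingContract", "")).lower()
    spender = str(msg["spender"]).lower()
    value = to_int(msg["value"])
    deadline = to_int(msg["deadline"])

    findings = []
    if spender not in trusted_spenders:
        findings.append(f"spender {spender} is not a contract you chose to interact with")
    if value == MAX_UINT256:
        findings.append("value is the maximum uint256: an unlimited allowance")
    elif value > balance:
        findings.append(f"value {value} exceeds your balance {balance} of token {token}")
    if deadline == MAX_UINT256:
        findings.append("deadline is the maximum uint256: the signature never expires")
    elif deadline > now + max_validity:
        days = (deadline - now) // ONE_DAY
        findings.append(f"deadline is {days} days away; a DApp checkout usually needs minutes")
    elif deadline < now:
        findings.append("deadline has already passed; the permit is unusable")
    return findings


# Constructed samples. The 0x...bad0 spender, 0x...d00d router and 0x...0e5d
# token address are placeholders, not real contracts.
NOW = 1719100800  # 2024-06-23 00:00 UTC, the day of the incident in the article
PERMIT_TYPES = {
    "EIP712Domain": [
        {"name": "name", "type": "string"}, {"name": "version", "type": "string"},
        {"name": "chainId", "type": "uint256"}, {"name": "verifyingContract", "type": "address"},
    ],
    "Permit": [{"name": n, "type": t} for n, t in EIP2612_PERMIT_FIELDS],
}
DOMAIN = {"name": "USDe", "version": "1", "chainId": 1,
          "verifyingContract": "0x0000000000000000000000000000000000000e5d"}
OWNER = "0x000000000000000000000000000000000000a11c"
ROUTER = "0x000000000000000000000000000000000000d00d"  # placeholder DEX router
TRUSTED = {ROUTER}
BALANCE = 2_400_000 * 10**18  # 2.4M tokens with 18 decimals

# What a drainer site asks the victim to sign: unknown spender, unlimited value, no expiry.
PHISHING_PERMIT = {
    "types": PERMIT_TYPES, "primaryType": "Permit", "domain": DOMAIN,
    "message": {"owner": OWNER, "spender": "0x000000000000000000000000000000000000bad0",
                "value": str(MAX_UINT256), "nonce": "0", "deadline": str(MAX_UINT256)},
}
# Same token, but a bounded allowance to a chosen router, valid for 30 minutes.
BENIGN_PERMIT = {
    "types": PERMIT_TYPES, "primaryType": "Permit", "domain": DOMAIN,
    "message": {"owner": OWNER, "spender": ROUTER,
                "value": str(2_500 * 10**18), "nonce": "0", "deadline": str(NOW + 1800)},
}

if __name__ == "__main__":
    for label, request in (("phishing", PHISHING_PERMIT), ("benign", BENIGN_PERMIT)):
        print(label, json.dumps(inspect_permit(request, TRUSTED, BALANCE, now=NOW), indent=2))
```

The phishing request produces three findings and the benign one none. The checker deliberately recognizes only the exact EIP-2612 struct; any other signature-based approval scheme uses a different layout and falls through to the "review by hand" path rather than being silently passed, since the dangerous case is a request the user does not understand.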
To protect your cryptocurrency from permit phishing, a few basic checks go a long way. Read the fields of every signature request before approving it: the spender should be a contract you deliberately chose to interact with, the value should match what the DApp needs rather than the maximum uint256, and the deadline should be minutes away, not years. Periodically review the allowances attached to your address and revoke any you no longer use: an unused signature stays valid until its deadline passes or the nonce it carries is consumed, and an allowance that has already been set stays in force until you revoke it.
While there are ways to minimize risk, there will always be malicious actors looking to ensnare crypto users. For this reason, many people prefer to quarantine more high-risk activities from the rest of their funds.
For example, airdrop hunters frequently use a dedicated wallet to collect rewards, letting them grant permissions without having to put their other assets at risk.
Ultimately, the more DApps you interact with the more risk you expose yourself to.
As more applications integrate the permit function, granting permissions is becoming normalized. After all, someone with $11 million in their wallet was probably aware of the risks. But in the end, they slipped up anyway.
Given the innate risk of interacting with smart contracts, the safest way to do so is to only fund hot wallets with the amount needed for any planned DeFi activity. For assets you plan to hold for the long term, a dedicated hardware wallet remains the most secure solution.