Home / News / Crypto / Ethereum / Maker Token Falls 9% After $11M Exploit: What is Permit Phishing and How Can Users Protect Themselves?
5 min read

Maker Token Falls 9% After $11M Exploit: What is Permit Phishing and How Can Users Protect Themselves?

Published June 24, 2024 1:36 PM
James Morales
Published June 24, 2024 1:36 PM

Key Takeaways

  • The price of Maker Token has declined by more than 9% since Sunday following the theft of $8.7 million worth of MKR.
  • The exploited wallet signed multiple fraudulent permits.
  • Ethereum’s permit function allows users to grant other parties permission to initiate transactions from their wallets.

Navigating security threats is one of the most important skills crypto users need to master. A recent phishing exploit proves that even seasoned traders can be vulnerable.

On Sunday, June 23, an Ethereum wallet lost crypto worth $11.1 million to a permit phishing attack. The stolen assets included $2.4 million in Ethena’s USDe and 3,657 Maker Tokens worth $8.7 million – enough to cause the price of MKR to crash.

MKR Crashes Following Exploit

First reported by Scam Sniffer, Sunday’s exploit catalyzed a significant downward slide in the price of Maker Token, which has fallen more than 9% in the past 24 hours.

Equivalent to around 0.55% of the cryptocurrency’s market capitalization, the stolen funds were quickly swapped for ETH, creating enough selling pressure to impact the price of MKR.

The owner of the affected wallet appears to have signed multiple fraudulent transactions, causing the loss of their funds through a tactic known as permit phishing.

Understanding Permit Phishing

Permit phishing is a form of cyberattack where malicious actors deceive users into granting unauthorized permissions to their crypto wallets. 

Unlike traditional phishing, which aims to steal credentials, permit phishing manipulates users into approving transactions or permissions that enable attackers to drain their wallets or execute other harmful actions.

Ethereum Functions: Permit vs. Approve

In the context of Ethereum, phishing attacks exploit the “permit” function introduced by EIP-2612 , which lets users approve ERC-20 transactions with off-chain signatures, eliminating the need for a separate blockchain entry for each token transfer.

Whereas the original “approve” function, the permit function lets users grant permission to other parties to spend their tokens in a single transaction. Various decentralized applications (DApps) use the function to streamline the user experience, reduce gas fees and improve security.

However, if malicious permits are improved, it can compromise all the tokens kept in the affected wallet. 

Phishing attempts typically occur through seemingly legitimate websites or applications. Users might receive prompts to connect their wallets to a DApp or sign a transaction that appears harmless but grants extensive control to the attacker. Once permissions are granted, attackers can transfer funds, access private data, or exploit wallet functionalities without the user’s explicit consent.

Protecting Yourself from Permit Phishing

To protect your cryptocurrency from permit phishing, there are some basic cybersecurity best practices you can implement.

  1. Verify URLs and Sources: Always double-check the URL of the site or application you are interacting with. Ensure it matches the official address of the service. Avoid clicking on links from unknown or suspicious sources.
  2. Use Trusted Wallets and Extensions: Opt for well-known and reputable wallet providers. Ensure you download wallets and extensions from official sources, such as the provider’s website or verified app stores.
  3. Check Permissions Carefully: Before approving any transaction or permission request, review the details thoroughly. Be cautious of any request that seems overly broad or unnecessary for the intended action.
  4. Enable Security Features: Utilize security features provided by your wallet, such as two-factor authentication (2FA), biometric verification, and transaction alerts. These can add an additional layer of security.
  5. Regularly Revoke Unused Permissions: Periodically review and revoke permissions granted to dApps and services that you no longer use. Tools like Etherscan’s token approval checker can help you manage permissions effectively.

Mitigating Hot Wallet Risks

While there are ways to minimize risk, there will always be malicious actors looking to ensnare crypto users.  For this reason, many people prefer to quarantine more high-risk activities from the rest of their funds. 

For example, airdrop hunters frequently use a dedicated wallet to collect rewards, letting them grant permissions without having to put their other assets at risk. 

Ultimately, the more DApps you interact with the more risk you expose yourself to.

As more applications integrate the permit function, granting permissions is becoming normalized. After all, someone with $11 million in their wallet was probably aware of the risks. But in the end, they slipped up anyway.

Given the innate risk of interacting with smart contracts, the safest way to do so is to only fund hot wallets with the amount needed for any planned DeFi activity. For assets you plan to hold for the long term, a dedicated hardware wallet remains the most secure solution.

Was this Article helpful? Yes No