I recall someone in the group once shared a wise saying: “If you don’t know who’s generating the profits, then you are the one generating them.” This really resonates with me. The same principle applies to the security of using crypto wallets. If you’re unsure what a specific action entails, then every on-chain interaction or signature you make could risk the loss of your wallet’s assets.

Recently, Scam Sniffer released a mid-2024 phishing report: In just the first half of this year, 260,000 victims were phished on EVM chains (Ethereum-based chains), leading to losses totaling $314 million. To put this in perspective, that’s already surpassed the $295 million lost in phishing attacks in all of 2023, and it only took six months to reach this figure, as shown in the chart below.

The report highlights that most ERC20 token thefts occur from signing phishing signatures, such as Permit (offline authorization signatures), Increase Allowance (expanding authorization limits), and Uniswap Permit2. Phishing attacks clearly remain a significant vulnerability in on-chain security.

A few days ago, a friend encountered an issue. Two months ago, on June 14, they made three transfers from their Coinbase Wallet to Binance (Ethereum chain transfers). The first transfer went through successfully, but the other two never arrived, and it’s now been two months. What could have gone wrong?

I checked the transaction records on Etherscan and found only one transfer, with no trace of the other two, as shown in the image below.

Looking more closely at all the on-chain transactions from June 14, I did find three transfer attempts, but the last two were marked as failed transactions, as shown in the image below.

I then clicked on one of the failed transactions (marked as “Fail”) to see what went wrong. The error message said, “Error encountered during contract execution.” According to Etherscan’s official documentation, this type of error shouldn’t result in a loss of assets from the wallet. The tokens never leave the sender’s wallet in such cases, though the gas fees are still deducted. This is illustrated in the image below.

To address this kind of issue, here’s what needs to be confirmed:

-Check whether the funds were actually transferred or lost from the wallet on that day (i.e., if the failed transaction didn’t result in the funds returning to the wallet).

-If it’s confirmed that the assets have been transferred or lost, you might need to reach out to the customer support of the relevant platform. In such cases, it’s best to contact the platform responsible for sending or initiating the withdrawal, as the receiving platform or address won’t be able to resolve the issue.

Given this, my usual recommendation is that it’s a good idea to keep a detailed transaction log, such as using Excel to track your daily transactions (buy/sell) and your cash flow (income/expenses). This way, if any issues arise, you can compare the log with the on-chain transaction records for cross-verification. I actually keep such a log myself, recording every transaction in detail. I also add notes on my experiences or thoughts on certain transactions.

At this point, the issue seems to be mostly understood. However, while reviewing the on-chain transaction history, I found an even more serious problem with this friend’s wallet—it’s been targeted by hackers!

What happened? Let’s take a closer look (as shown in the image below):

Let’s first look at the red box in the image (a legitimate transaction):

The wallet owner had just completed a $10,000 swap and transferred the USDT to a wallet beginning with 0x8F and ending with f103.

Now, check the green box (a phishing transaction):

Immediately after, the hacker created several fake transactions. Interestingly, the hacker’s wallet address also begins with 0x8F and ends with f103.

Let’s compare the wallet addresses more closely:

The wallet owner’s real address is:

0x8F773C2E1bF81cbA8ee71CBb8d33249Be6e5f103

The hacker’s wallet addresses are:

0x8F7cCF79d497feDa14eD09F55d2c511001E5f103

0x8F776d5623F778Ea061efcA240912f9643fdf103

Notice the issue? The first four and last four characters of these addresses are identical, making them look nearly the same at a quick glance. If you copy and paste an address directly from the transaction history without double-checking, you could easily end up sending money straight to the hacker.

So, it’s clear this wallet has indeed been targeted by a hacker trying to phish assets. What’s more, the transaction hash page confirms this—Transaction Action is flagged as Fake_Phishing, which leaves no doubt that this is a hacker’s address. See the image below for reference.

Quick Tip: Why can’t you see invalid transactions or zero-value transfers on Etherscan? How can you switch the Ethereum browser to Simplified Chinese?

By default, Etherscan hides invalid transactions and zero-value transfers. If you want to view them, simply go to the settings page on Etherscan and enable advanced options. Similarly, if you prefer using the interface in Simplified Chinese, you can also adjust this in the settings. See the image below for reference. Alternatively, you can use third-party multi-chain explorers like Oklink, which also support Simplified Chinese.

Wallet security is something that definitely requires close attention, especially for wallets holding significant assets (over $1 million). It’s a good idea to distribute your funds across different wallets based on their purpose to enhance safety. Here’s how I personally organize my wallets into tiers:

Tier 1: A cold wallet set up on an Apple phone, strictly for long-term storage. It’s kept offline and never used for any transactions or transfers. I plan on holding these assets for at least 10 years without touching them. If you want to use a cold wallet for transactions, you could look into purchasing well-known hardware wallets through reputable channels (like Trezor, Ledger, etc.).

Tier 2: A hot wallet for larger sums. I use Trust Wallet and don’t grant any dApp permissions. This wallet is used only for transferring between my own wallets and withdrawals or transfers to Binance.

Tier 3: Dozens of small wallets, some for testing purposes (such as interacting with new projects to try out their features or occasionally snag an airdrop), while others were used for buying altcoins or meme tokens (though I’ve done less of this in recent years). Each wallet only holds small amounts, ranging from a few hundred to a few thousand dollars. I’m more relaxed about authorizations and signatures with these wallets, and even if one gets hacked, it’s not a big deal. Managing all these wallets can seem like a hassle, but it’s worth it for the added security.

In summary, everyone has their own preferences for how they manage their wallets, depending on their situation. Seasoned crypto users often prefer keeping their assets on-chain, but for most newcomers, it’s actually safer to store assets (under $100,000) on major platforms like Binance or OKX.

Now, let’s walk through a few common phishing tactics:

1.Permit phishing attack

To start, let’s explain some basic concepts: When you transfer tokens on Ethereum, you usually interact with the token’s smart contract using the Transfer function or the Transfer From function. The Transfer function is used when the owner directly authorizes the transfer of tokens to another address, while Transfer From allows a third party to move tokens from one address to another.

Here’s how a Permit Phishing Attack works:

First, the attacker tricks the victim into clicking a phishing link or visiting a fake website, prompting them to sign a wallet transaction (off-chain).

Then, the attacker uses the Permit function to gain authorization.

Finally, the attacker calls the Transfer From function to move the victim’s assets, completing the phishing attack.

This phishing method has a key characteristic: after the attacker gains access to your signature authorization, they can execute the Permit and Transfer From operations. The important thing to note is that the authorization won’t show up in the victim’s on-chain transaction history, but it will be visible in the attacker’s address activity.

Typically, these kinds of signature phishing attacks are one-time events, meaning they don’t pose an ongoing phishing threat. In simpler terms: a signature phishing attack cannot steal your wallet’s mnemonic phrase (or private key). Each phishing attempt only allows the hacker to use the authorization once, and it only affects the token and blockchain you authorized (for example, if you authorized USDT, the hacker can only take your USDT). In other words, a single phishing signature gives the hacker a one-time opportunity, unless you make the mistake of signing again in the future, giving them another chance to exploit your wallet.

(Image credit: bocaibocai@wzxznl)

2.Uniswap Permit2 phishing attack

This phishing method is similar to the previously mentioned Permit attack, both involving off-chain signature phishing. Uniswap Permit2 is a smart contract introduced by Uniswap in 2022. According to Uniswap, it’s a token approval contract designed to allow token permissions to be shared and managed across different applications, providing a more seamless, cost-effective, and secure user experience. Many projects have now integrated Permit2.

Recently, I read a few articles by bocaibocai (X@wzxznl) to dive deeper into the mechanics of Permit2 phishing attacks. Here’s a quick summary:

When you want to perform a swap on a decentralized exchange (DEX), the traditional process requires you to first Approve the DEX to access your tokens and then perform the swap. This usually means paying gas fees twice, which can be inconvenient for users. Permit2 simplifies this process by skipping the extra approval step, effectively reducing interaction costs and improving the overall user experience.

Essentially, Permit2 serves as a middleman between users and dApps. Once users authorize Permit2, any dApp integrated with Permit2 can share that authorization limit. This not only reduces costs and streamlines the process for users but also helps dApps attract more users and liquidity due to the enhanced experience.

What seemed like a win-win situation can also turn into a double-edged sword. Traditionally, both authorizations and fund transfers involve on-chain actions by the user. But with Permit2, the user’s interaction is reduced to an off-chain signature, while intermediaries like the Permit2 contract or projects integrated with it handle the on-chain operations. This shift offers advantages by reducing on-chain friction for users, but it also presents risks. Off-chain signatures are where users often lower their defenses. For instance, when connecting a wallet to certain dApps, users are prompted to sign something, but most don’t carefully examine or understand the signature content (which often looks like a jumble of code). This lack of scrutiny can be dangerous.

Another major concern is that Permit2 by default authorizes access to your entire token balance, no matter how much you plan to swap. While wallets like MetaMask allow you to set a custom limit, most users will likely just click “max” or use the default setting. The default for Permit2 is an unlimited authorization, which is particularly risky. See the image below for reference.

This essentially means that if you’ve interacted with Uniswap and granted an allowance to the Permit2 contract, you’re vulnerable to this phishing scam.

For instance, let’s say Xiao Li used Uniswap and authorized an unlimited amount of USDT to the Permit2 contract. Later, while doing routine wallet transactions, Xiao Li unknowingly fell into a phishing trap involving Permit2. Once the hacker got Xiao Li’s signature, they could use it to perform two key operations on the Permit2 contract—Permit and Transfer From—to steal Xiao Li’s assets.

Here’s how this phishing attack works:

Before the phishing attempt, the user had already used Uniswap and granted token permissions to the Uniswap Permit2 contract (with an unlimited allowance by default).

The attacker then creates a fake phishing link or website, tricking the user into signing a transaction. Once the signature is captured, the hacker obtains all the information they need (this step is similar to Permit phishing).

Using this, the attacker calls the Permit function in the Permit2 contract, completing the authorization.

Finally, the attacker calls the Transfer From function within the Permit2 contract to transfer the victim’s assets, completing the phishing attack.

Typically, these attacks involve multiple receiving addresses. Some are used solely for phishing operations (and may even be crafted to look like the victim’s address with similar characters at the start and end), while others belong to organized phishing rings (for instance, DaaS providers). The phishing industry targeting crypto wallets seems to have developed into a full-scale underground market. See the image below.

How can you protect yourself from Permit and Permit2 phishing attacks?

One option is to use browser security plugins like Scamsniffer (I’ve been using this on my Google Chrome) to block phishing links. Additionally, you can regularly check and revoke any unnecessary or suspicious authorizations or signatures with tools like Revoke Cash. See the image below for an example.

You could also use a specialized authorization management tool from Scamsniffer, designed specifically for Uniswap Permit2, to regularly review your authorizations. If anything looks unusual, it’s important to revoke the permissions immediately. See the image below.

That said, the most crucial aspect is maintaining strong security awareness. Avoid visiting unknown websites or links, and when interacting with dApps, always double-check what you’re authorizing.

(Image credit: bocaibocai@wzxznl)

Quick Tip: How can you tell if a wallet signature is for Permit or Permit2?

When signing, you’ll see some details in the authorization confirmation window. You can identify the type of signature by looking at key fields like those shown in the image below:

Owner (the address giving authorization); Spender (the address receiving authorization); Value (the authorized amount); Nonce (a unique random number); Deadline (the expiration date).

3.Claim phishing attack

This type of phishing is very common. For example, if you browse X (formerly Twitter) frequently, you’ll likely come across messages offering “free airdrops.” Sometimes, you might even find random NFTs mysteriously dropped into your wallet (which might include a website link).

If you click on a phishing website and proceed with a Claim action, the assets in your wallet could be immediately stolen by the hacker.

How can you protect yourself?

First, don’t fall for “too good to be true” offers (avoid clicking on suspicious links or accepting unknown free NFTs and airdrops). Second, always double-check the website you’re using to ensure it’s the legitimate official site before performing any claim operations.

4. Similar address transfer phishing

On May 3rd of this year, a crypto whale fell victim to a phishing attack using a similar address, losing 1,155 WBTC (worth approximately $70 million at the time).

SlowMist previously analyzed this event in detail, so I won’t repeat the specifics here. If you’re curious, you can revisit the case here:

https://mp.weixin.qq.com/s/mQch5pEg1fmJsMbiOClwOg

This type of phishing is relatively straightforward:

First, the hacker generates a large number of deceptive phishing addresses that closely resemble the victim’s intended address, often matching the first 4 and last 6 characters.

Next, they deploy a batch program to monitor the victim’s on-chain activities and then launch a phishing attack by sending a similar address right before the intended transaction.

Finally, when the victim makes a transfer, the hacker uses the similar-looking address to send a transaction right after. This way, the phishing address appears in the user’s transaction history. See the image below.

Because many users have a habit of copying transaction details from their wallet history, they might see the phishing transaction that closely follows their own and not realize they’ve copied the wrong address. Without carefully checking, they could end up mistakenly sending 1,155 WBTC to the phishing address.

How can you prevent this?

First, save commonly used addresses in your wallet’s address book (or whitelist them), so next time, you can select the correct address from the list. Second, always double-check the full address before transferring funds—don’t rely on just the first or last few characters. When making a large transfer, it’s a good idea to send a small test transaction first to ensure everything is correct.

5. Authorized signature phishing

The Permit, Uniswap Permit2, and Claim methods mentioned earlier all fall under the umbrella of authorization phishing. In fact, there are many ways hackers can exploit wallet authorizations, such as with Approve (granting permission to let a platform like Uniswap use your USDT) and Increase Allowance (raising the limit on how much can be spent).

The phishing process usually involves the attacker setting up a fake link or website or even hacking an official project site and embedding malware, which tricks users into clicking and unknowingly granting wallet authorization.

The five phishing methods discussed are just some of the more common ones. Hackers are constantly coming up with new and creative attack methods. As the saying goes, “Hackers will always stay one step ahead.” This means that wallet security is an ongoing challenge, and users need to stay vigilant at all times.

Disclaimer：

1. This article is reprinted from [话李话外] with title “你的钱包还安全吗？黑客是如何利用Permit、Uniswap Permit2、授权签名进行钓鱼的（Is your wallet safe? How hackers exploit Permit, Uniswap Permit2, and signatures for phishing.）”, All copyrights belong to the original author [话李话外]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.

2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.

3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned Gate.io, copying, distributing, or plagiarizing the translated articles is prohibited.