Over $1M in PEPE Drained Using Uniswap Permit2 Feature

  • Scammers have used Uniswap’s Permit2 feature to steal over $1M in PEPE token
  • The funds were drained from a PEPE holder after signing a malicious transaction
  • Permit2 is a genuine Uniswap feature that eases token approvals

Malicious actors have used Permit2, a genuine Uniswap feature, to steal over $1.4 million worth of PEPE, MSTR, and APU tokens. The scammers tricked the crypto holder into signing a malicious transaction, with the token transfers happening within an hour after the signing. Wallet drainers started misusing the Uniswap feature in 2023, indicating that scammers have nabbed more victims because the feature is also used for genuine tasks such as easing token approvals.

One Signature Used To Transfer Multiple Tokens

According to blockchain security firm ScamSniffer, Permit2 allows the approval of multiple tokens in a wallet based on a single signature. “Once [scammers] have a victim’s signature, they can transfer multiple assets.”

An analysis by ScamSniffer indicated that the PEPE holder provided a single Permit2 signature, allowing the attackers to drain other tokens in his wallet. The victim may have interacted with a compromised DApp or website that required them to sign an off-chain signature.

Because the approval was signed off-chain, the victim didn’t see what was happening in the background until it was too late: they only realized they’d been scammed after the transaction had been finalized and recorded on the blockchain.
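
As an added example (not code from ScamSniffer or Uniswap), a wallet or browser extension could inspect a typed-data signing request before the user signs it and flag the pattern described above: one Permit2 signature covering several tokens for an unrecognised spender. The spender allowlist, the 30-day threshold and the sample request are assumptions made for illustration; the field names follow Permit2's EIP-712 types.

```javascript
// Added example: triage an eth_signTypedData_v4 payload before the user signs it.
// Canonical Permit2 deployment address, compared in lowercase.
const PERMIT2 = "0x000000000022d473030f116ddee9f6b43ac78ba3";
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 allowance amounts are uint160
const MAX_UINT48 = (1n << 48n) - 1n;   // expirations and deadlines are uint48

// knownSpenders: lowercase addresses the wallet trusts (assumption: caller-maintained allowlist).
function inspectPermit2Request(typedData, knownSpenders = new Set(), now = Math.floor(Date.now() / 1000)) {
  const findings = [];
  const { domain = {}, primaryType, message = {} } = typedData;
  const contract = String(domain.verifyingContract || "").toLowerCase();
  const isPermit2 = domain.name === "Permit2" || contract === PERMIT2;
  if (!isPermit2) return { isPermit2: false, tokens: [], findings };

  // Allowance permits carry `details`; signature-transfer permits carry `permitted`.
  const raw = message.details ?? message.permitted ?? [];
  const entries = Array.isArray(raw) ? raw : [raw];
  const tokens = entries.map((e) => String(e.token).toLowerCase());

  if (contract !== PERMIT2)
    findings.push("domain claims Permit2 but verifyingContract is not the canonical address");
  if (tokens.length > 1)
    findings.push(`one signature covers ${tokens.length} tokens (${primaryType})`);
  for (const e of entries) {
    if (BigInt(e.amount) >= MAX_UINT160)
      findings.push(`unlimited amount for ${e.token}`);
    if (e.expiration !== undefined && BigInt(e.expiration) - BigInt(now) > 30n * 86400n)
      findings.push(`allowance for ${e.token} stays valid for more than 30 days`);
  }
  const spender = String(message.spender || "").toLowerCase();
  if (!knownSpenders.has(spender))
    findings.push(`spender ${spender || "(missing)"} is not on the allowlist`);
  return { isPermit2: true, tokens, spender, findings };
}

// Constructed sample request (placeholder addresses, not taken from any real incident).
const sampleRequest = {
  primaryType: "PermitBatch",
  domain: { name: "Permit2", chainId: 1, verifyingContract: PERMIT2 },
  message: {
    details: [
      { token: "0x" + "11".repeat(20), amount: MAX_UINT160.toString(), expiration: MAX_UINT48.toString(), nonce: "0" },
      { token: "0x" + "22".repeat(20), amount: MAX_UINT160.toString(), expiration: MAX_UINT48.toString(), nonce: "0" },
    ],
    spender: "0x" + "ee".repeat(20),
    sigDeadline: MAX_UINT48.toString(),
  },
};
console.log(inspectPermit2Request(sampleRequest, new Set(), 1700000000));
```

A wallet would surface the returned findings in its signing prompt so the user sees the token list and spender before approving.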

Scammers Are Also Using Other Tactics 

In November last year, ScamSniffer revealed that malicious actors stole approximately $60 million from crypto wallets using the Permit2 feature. The blockchain security firm noted that the amount was stolen within six months.

At the time, ScamSniffer said that attackers were misusing the feature due to the ability to block notifications during token transfers. Malicious actors in the crypto space are also using other tactics, such as the bit-flip attack, which allows them to change the instructions in a transaction after the victim has signed it.

With Uniswap’s Permit2 feature doing both good and harm, it remains to be seen how the DeFi platform will address the issue.
