What is Permit Signature Phishing?
Permit signature phishing exploits the EIP-2612 permit standard to steal tokens. Instead of tricking you into sending a transaction, the attacker asks you to sign a message. Signing a message costs no gas and doesn’t appear as a transaction in your wallet — but it grants the attacker a cryptographic authorization to spend your tokens on-chain later.
The attack is especially dangerous because users have been trained to treat “signing a message” as safe (used for authentication on many dApps). Permit phishing blurs the line between harmless message signing and dangerous transaction approval.
How Permit Phishing Works
1. Victim visits a fake dApp (e.g., fake airdrop claim site)
2. dApp asks: "Sign this message to verify you're human"
3. The message is actually an EIP-2612 permit:
- spender: attacker's contract
- value: unlimited (type(uint256).max)
- deadline: far future
4. Victim signs — no gas cost, no visible transaction
5. Attacker submits the permit on-chain (attacker pays gas)
6. Attacker's contract calls transferFrom() to drain victim's tokens
Why It’s Harder to Detect
Traditional approval phishing shows a transaction in your wallet with a gas estimate. Users have learned to be suspicious of unsolicited transactions. But a personal_sign or eth_signTypedData message looks like routine authentication:
| Aspect | Traditional Approve | Permit Signature |
|---|---|---|
| Wallet prompt | Transaction confirmation | Message signing |
| Gas cost | Victim pays gas | No gas (off-chain) |
| Speed | Victim notices the transaction | Silent until tokens move |
| Reversal | Can revoke approval | Permit already signed, attacker acts anytime |
The Permit2 Amplifier
Uniswap’s Permit2 contract makes this worse. Permit2 is a universal approval router — one signature can grant spending permission over all tokens you’ve ever approved to Permit2, not just one token. Many popular dApps use Permit2, so an attacker who obtains a Permit2 signature can drain everything.
Red Flags
- “Sign this message to verify” on an unfamiliar site — legitimate verification rarely requires EIP-712 typed data signatures
- Wallet shows EIP-712 typed data with fields like spender, value, deadline — these are permit parameters, not authentication
- Site asks you to sign after connecting wallet but before you’ve initiated any action — you didn’t click “swap” or “claim,” so why is it asking for a signature?
- The domain doesn’t match the project’s official URL
How to Protect Yourself
1. Understand What You’re Signing
Modern wallets display the contents of EIP-712 messages. If you see spender, value, or allowed fields, you’re signing a permit, not a login. Reject it immediately.
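The check described above (and the permit fields listed under “How Permit Phishing Works”) can be automated. The following is an added example, not code from the article or from any wallet vendor: a heuristic that a wallet or browser extension could run on an eth_signTypedData_v4 request before showing the prompt. It tells an EIP-2612 Permit or a Permit2 message apart from a plain sign-in message by looking for a spender plus an amount-bearing field, then rates the risk by whether the amount is unlimited or the deadline is far in the future. The field lists, the one-year threshold, the risk labels and the three sample payloads (placeholder addresses, constructed timestamps) are assumptions made for the example.

```javascript
// Added example, not the article's own code: a defensive heuristic a wallet or
// browser extension could apply to an eth_signTypedData_v4 request before the
// prompt is shown. It separates EIP-2612 Permit and Permit2 (PermitSingle /
// PermitBatch / PermitTransferFrom) messages from plain login messages and
// says why. Field lists, thresholds and sample payloads are assumptions.

const UINT160_MAX = (1n << 160n) - 1n;              // Permit2 amounts are uint160; uint256 max exceeds this too
const FAR_FUTURE_SECONDS = 365n * 24n * 60n * 60n;  // assumed threshold: more than a year ahead

const AMOUNT_KEYS = ["value", "amount"];                         // EIP-2612 value, Permit2 amount
const DEADLINE_KEYS = ["deadline", "expiration", "sigDeadline"]; // EIP-2612 and Permit2 expiries

// Recursively collect numeric fields whose name is in `keys`, so nested Permit2
// `details` structs and batch arrays are covered. Accepts decimal or 0x hex strings.
function collectByKey(node, keys, out = []) {
  if (Array.isArray(node)) {
    node.forEach((item) => collectByKey(item, keys, out));
  } else if (node && typeof node === "object") {
    for (const [key, val] of Object.entries(node)) {
      if (keys.includes(key) && (typeof val === "string" || typeof val === "number")) {
        out.push(BigInt(val));
      } else {
        collectByKey(val, keys, out);
      }
    }
  }
  return out;
}

// Returns { isPermit, risk, findings, spender } for one typed-data request.
function analyzeTypedData(typedData, nowSeconds) {
  const { primaryType, types, domain = {}, message = {} } = typedData;
  const fieldNames = (types[primaryType] || []).map((f) => f.name);
  const has = (name) => fieldNames.includes(name);
  const findings = [];

  // A spender together with an amount-bearing field is a spending authorization,
  // whatever the page's prompt text claims. Login messages carry neither.
  const isPermit = has("spender") &&
    (has("value") || has("amount") || has("details") || has("permitted"));
  if (!isPermit) {
    findings.push("no spender/amount fields: not a token approval");
    return { isPermit: false, risk: "low", findings, spender: null };
  }
  findings.push(`"${primaryType}" lets spender ${message.spender} move your tokens; this is not a login`);

  let risk = "medium";
  if (collectByKey(message, AMOUNT_KEYS).some((amount) => amount >= UINT160_MAX)) {
    risk = "high";
    findings.push("approved amount is unlimited (type maximum)");
  }
  if (collectByKey(message, DEADLINE_KEYS).some((d) => d - BigInt(nowSeconds) > FAR_FUTURE_SECONDS)) {
    risk = "high";
    findings.push("deadline is more than a year in the future");
  }
  findings.push(`check domain "${domain.name}" / ${domain.verifyingContract} against the project's official site`);
  return { isPermit: true, risk, findings, spender: message.spender };
}

// Constructed samples (placeholder addresses, not real contracts).
const SAMPLE_NOW = 1700000000;
const OWNER = "0x0000000000000000000000000000000000000002";
const ATTACKER_SPENDER = "0x0000000000000000000000000000000000000003";

// What a page might pass to the wallet while its UI says "sign to verify you're human".
const SAMPLE_PERMIT_REQUEST = {
  domain: { name: "ExampleToken", version: "1", chainId: 1, verifyingContract: "0x0000000000000000000000000000000000000001" },
  primaryType: "Permit",
  types: { Permit: [
    { name: "owner", type: "address" }, { name: "spender", type: "address" },
    { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" }, { name: "deadline", type: "uint256" },
  ] },
  message: { owner: OWNER, spender: ATTACKER_SPENDER, value: "0x" + "ff".repeat(32), nonce: 0, deadline: "0x" + "ff".repeat(32) },
};

// Permit2 PermitSingle: unlimited uint160 amount on one token, short signature deadline.
const SAMPLE_PERMIT2_REQUEST = {
  domain: { name: "Permit2", chainId: 1, verifyingContract: "0x0000000000000000000000000000000000000004" },
  primaryType: "PermitSingle",
  types: {
    PermitSingle: [{ name: "details", type: "PermitDetails" }, { name: "spender", type: "address" }, { name: "sigDeadline", type: "uint256" }],
    PermitDetails: [{ name: "token", type: "address" }, { name: "amount", type: "uint160" }, { name: "expiration", type: "uint48" }, { name: "nonce", type: "uint48" }],
  },
  message: {
    details: { token: "0x0000000000000000000000000000000000000005", amount: "0x" + "ff".repeat(20), expiration: SAMPLE_NOW + 30 * 24 * 3600, nonce: 0 },
    spender: ATTACKER_SPENDER,
    sigDeadline: SAMPLE_NOW + 1800,
  },
};

// A harmless sign-in message: no spender, no amount.
const SAMPLE_LOGIN_REQUEST = {
  domain: { name: "ExampleDapp", version: "1", chainId: 1 },
  primaryType: "Login",
  types: { Login: [{ name: "address", type: "address" }, { name: "nonce", type: "string" }, { name: "issuedAt", type: "uint256" }] },
  message: { address: OWNER, nonce: "constructed-nonce", issuedAt: SAMPLE_NOW },
};

for (const req of [SAMPLE_PERMIT_REQUEST, SAMPLE_PERMIT2_REQUEST, SAMPLE_LOGIN_REQUEST]) {
  const result = analyzeTypedData(req, SAMPLE_NOW);
  console.log(req.primaryType, result.risk, result.findings);
}
```

Run with `node` and the two permit requests come back `high` with an explanation naming the spender, while the login request comes back `low`. The heuristic keys on structure rather than on the site’s prompt text, which is the point: a permit is recognisable from its fields no matter what the page says it is for. It is deliberately conservative, so an unfamiliar approval format that uses different field names would need its own entry in the key lists.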
2. Use Wallet Security Extensions
| Tool | How It Helps |
|---|---|
| Rabby Wallet | Simulates signatures and warns about permit phishing |
| Wallet Guard | Browser extension that flags malicious sites and signatures |
| Pocket Universe | Transaction simulation and risk scoring |
| Blockaid | Pre-transaction security scanning (integrated in some wallets) |
3. Never Sign Messages on Unfamiliar Sites
If you didn’t navigate to the site from a trusted link, don’t connect your wallet — and definitely don’t sign anything.
4. Revoke Compromised Permits
If you suspect you’ve signed a malicious permit, act fast:
- Move all tokens from the compromised wallet to a fresh wallet
- Revoke any existing approvals on revoke.cash
- Monitor the old wallet — the attacker may try to use the signed permit
Permit Phishing vs Traditional Phishing
| Aspect | Permit Phishing | Traditional Phishing |
|---|---|---|
| What’s stolen | Token approval via signature | Seed phrase or credentials |
| User action | Signs an off-chain message | Enters credentials on fake site |
| Gas paid by | Attacker (when executing) | N/A |
| Detection window | Very short — tokens move within minutes | Longer — attacker must import wallet |
Frequently Asked Questions
Q: I signed a weird message on a site. What do I do?
A: Immediately move all assets from your wallet to a new one. If you signed a permit, the attacker can drain your tokens at any time — even hours or days later. Speed is critical.
Q: Can I cancel a permit signature?
A: Not directly. The signed permit is a valid cryptographic authorization. Your only option is to move the tokens before the attacker uses it. Once the tokens are in a new wallet, the permit is useless.
Q: Is it safe to sign messages on legitimate dApps?
A: Yes — legitimate dApps use message signing for authentication (e.g., “Sign in to OpenSea”). The danger is when a site asks you to sign EIP-712 typed data containing spender and value fields disguised as a login.
Q: Does a hardware wallet protect against permit phishing?
A: Partially. The hardware wallet displays the signature data on its screen, giving you a chance to review it. But if you approve without reading, the attack succeeds. Always check the fields on the device display.