Unveiling the Principles of Web3 Signature Phishing: A Comprehensive Analysis of Underlying Logic and Preventive Measures
Recently, "signature phishing" has become one of the most common scam tactics used against Web3 users. Although security researchers and wallet vendors keep publishing warnings, people still fall for it every day. A major reason is that most users do not understand the underlying logic of wallet interactions, and the material that explains it is hard going for anyone without a technical background.
To help more people understand the problem, this article explains the underlying logic of signature phishing in plain terms.
Two Basic Types of Wallet Operations
When using a cryptocurrency wallet, we mainly have two operations: "signing" and "interacting".
Signing produces an off-chain signature over a message. It is typically used for authentication, such as proving you control an address when logging into a DApp. Nothing is written to the blockchain and no gas is paid. That does not make it harmless: a signed message can be handed to a contract by anyone who holds it, and some message formats (the Permit family discussed below) are precisely instructions that a contract will act on.
Interacting means sending a transaction that changes on-chain state. For example, to swap tokens on a DEX you first send an approve transaction that grants the router contract an allowance over your tokens, and then a second transaction that performs the swap. Both are transactions, so both cost gas, and the wallet asks you to confirm each one.
Common Phishing Methods
1. Approval phishing
This is the traditional Web3 phishing technique. The attacker builds a website that imitates a legitimate project and lures the user into pressing a button such as "Claim Airdrop". The transaction behind the button is not a claim at all: it is a call to the token's approve function with the attacker's address as the spender (for NFTs, setApprovalForAll with the attacker as the operator). Once it is mined, the attacker can call transferFrom at any later time and move the tokens out.
Although this method costs the victim a gas fee and appears in the wallet as a transaction, users still fall for it, because the site has already told them what to expect and few people read the details of the transaction they are confirming.
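As an added example (not code from the article or from any wallet vendor), here is a small inspector that decodes the calldata behind such a button, the way a wallet's transaction preview would, and states what is really being authorized. The function selectors are the real ERC-20/ERC-721 ones; the router, attacker and token addresses are made up for the demo.

```javascript
// Added example, not from the article: decode the calldata of a transaction
// before it is signed and say what it really authorizes. The selectors are
// the real ones; every address in the sample is made up.

const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n;

// First 4 bytes of keccak256 of each function signature.
const SELECTORS = {
  '0x095ea7b3': 'approve(address,uint256)',
  '0x39509351': 'increaseAllowance(address,uint256)',
  '0xa22cb465': 'setApprovalForAll(address,bool)',
};

// Read the i-th 32-byte ABI word after the selector as a BigInt.
function word(calldata, i) {
  const w = calldata.slice(10 + i * 64, 10 + (i + 1) * 64);
  if (w.length !== 64) throw new Error(`calldata too short for argument ${i}`);
  return BigInt('0x' + w);
}

// An address is right-aligned in its word; the top 12 bytes must be zero.
function addressArg(calldata, i) {
  const w = word(calldata, i);
  if (w > MAX_UINT160) throw new Error(`argument ${i} is not a clean address`);
  return '0x' + w.toString(16).padStart(40, '0');
}

// ABI-encode approve(spender, amount) the way a dApp front end would.
function encodeApprove(spender, amount) {
  return '0x095ea7b3'
    + spender.toLowerCase().slice(2).padStart(64, '0')
    + amount.toString(16).padStart(64, '0');
}

// Describe the call and list the reasons the user should hesitate.
function inspectCalldata(calldata, trustedSpenders) {
  const data = calldata.toLowerCase();
  const selector = data.slice(0, 10);
  const fn = SELECTORS[selector];
  if (!fn) return { fn: null, warnings: [`unrecognised selector ${selector}`] };
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const out = { fn, warnings: [] };
  if (fn.startsWith('setApprovalForAll')) {
    out.operator = addressArg(data, 0);
    out.approved = word(data, 1) === 1n;
    if (out.approved && !trusted.has(out.operator)) {
      out.warnings.push(`operator ${out.operator} would control every NFT in this collection`);
    }
  } else { // approve / increaseAllowance
    out.spender = addressArg(data, 0);
    out.amount = word(data, 1);
    if (!trusted.has(out.spender)) out.warnings.push(`spender ${out.spender} is not a known contract`);
    if (out.amount === MAX_UINT256) out.warnings.push('unlimited allowance');
  }
  return out;
}

// Constructed sample: what the "Claim Airdrop" button really sends.
const ATTACKER = '0x' + 'ab'.repeat(20); // made-up address
const ROUTER = '0x' + '11'.repeat(20);   // stands in for a real DEX router
const bait = encodeApprove(ATTACKER, MAX_UINT256);
console.log(inspectCalldata(bait, [ROUTER]));
console.log(inspectCalldata(encodeApprove(ROUTER, 1000n), [ROUTER]));
```

The two warnings on the bait transaction (unknown spender, unlimited allowance) are exactly the two facts the phishing page hides. A real wallet would add an on-chain lookup to check whether the spender even has contract code; an approval to a plain externally owned account is almost never legitimate.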
2. Permit signature phishing
Permit (EIP-2612) is an extension to the ERC-20 standard that lets a token holder grant an allowance by signing a typed message instead of sending a transaction. The message names the owner, the spender, the value, a nonce and a deadline; anyone who holds the signature can submit it to the token's permit function, which sets the allowance exactly as approve would have. The holder pays no gas, the submitter does.
An attacker exploits this by presenting the Permit message as something harmless, such as a login or a "verify your wallet" step. If the user signs, the attacker submits the permit with their own address as spender and an unlimited value, then drains the balance with transferFrom. The victim sees no transaction in their wallet until the tokens are already gone. Only tokens that implement permit are exposed this way; an ordinary ERC-20 without it cannot be drained by a signature alone, which is where Permit2 comes in.
3. Permit2 signature phishing
Permit2 is a contract published by Uniswap to simplify approvals and save gas. The user sends one on-chain approve granting the Permit2 contract a large (usually unlimited) allowance for a token; from then on, each swap only requires signing a Permit2 message that tells Permit2 which spender may pull how much and until when, and Permit2 performs the transferFrom on the token. The signature itself is free. Gas is paid by whoever submits the transaction that carries it: in a normal swap that is still the user, and in gasless flows a relayer who recovers the cost from the swap output.
This also gives attackers a new vector. If a user has ever approved an unlimited amount to the Permit2 contract, that approval remains in force, and Permit2 will move the tokens for any spender the user signs for. The attacker therefore only needs a signature over a Permit2 message (PermitSingle, PermitBatch or PermitTransferFrom) that names the attacker as spender; they submit it to Permit2 and the tokens are transferred. Because the ERC-20 approval is already on-chain, this works even for tokens that do not implement Permit themselves.
Preventive Measures
Increase security awareness: treat every signature request with the same suspicion as a transaction. Before confirming, read what is being authorized: who the spender is, which token, what amount, and for how long. Review your existing token allowances periodically and revoke the ones you no longer need; a stale unlimited approval, including one granted to Permit2, is the precondition for the Permit2 attack described above.
Fund separation: keep the bulk of your holdings in a wallet that never signs messages for unfamiliar sites, and use a separate, lightly funded wallet for day-to-day interaction, so that a successful phish is capped at what that wallet holds.
Learn to recognize the signature formats of Permit and Permit2: Be especially cautious when you see signature requests containing the following information:
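As an added example serving the Permit, Permit2 and "learn to recognize" passages above (it is not code from the article, from Uniswap or from any wallet), here is a wallet-side inspector for eth_signTypedData_v4 requests. It recognises EIP-2612 Permit messages (including the DAI-style boolean variant) and the four Permit2 message types, reduces each to "who may take which token, how much, until when", and flags an unknown spender, an unlimited amount, an authority that outlives a chosen validity window, a domain chainId that is not the connected chain, and a Permit2 domain whose verifyingContract is not the canonical Permit2 deployment. The Permit2 address is the real one; the router, token, victim and attacker addresses, the trusted-spender list and the 30-minute validity limit are assumptions made for the demo.

```javascript
// Added example, not from the article: a wallet-side inspector for
// eth_signTypedData_v4 requests that recognises EIP-2612 Permit and Permit2
// messages and flags the fields that turn a gas-free signature into a drain.
// Every address below except the Permit2 contract is made up for the demo.

const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 stores amounts as uint160
// Canonical Permit2 deployment address (the same on every chain it is deployed to).
const PERMIT2_ADDRESS = '0x000000000022d473030f116ddee9f6b43ac78ba3';
const PERMIT2_TYPES = new Set(['PermitSingle', 'PermitBatch', 'PermitTransferFrom', 'PermitBatchTransferFrom']);
const lower = (a) => String(a).toLowerCase();

// Reduce the message to "who may take which token, how much, until when".
// Returns null for typed data that grants no token authority (e.g. a login).
function extractGrant(req) {
  const msg = req.message;
  const pt = req.primaryType;
  if (pt === 'Permit' && 'spender' in msg) {
    const token = req.domain.verifyingContract; // EIP-2612: the token itself
    const item = 'allowed' in msg // DAI-style variant: boolean allowed + expiry
      ? { token, amount: msg.allowed ? MAX_UINT256 : 0n, until: BigInt(msg.expiry) }
      : { token, amount: BigInt(msg.value), until: BigInt(msg.deadline) };
    return { family: 'ERC-2612 Permit', spender: msg.spender, items: [item] };
  }
  if (PERMIT2_TYPES.has(pt)) {
    const items = pt.endsWith('TransferFrom')
      // SignatureTransfer: a one-shot pull of `amount`, usable until `deadline`
      ? [].concat(msg.permitted).map((p) => ({ token: p.token, amount: BigInt(p.amount), until: BigInt(msg.deadline) }))
      // AllowanceTransfer: a stored allowance the spender may draw on repeatedly
      : [].concat(msg.details).map((d) => ({ token: d.token, amount: BigInt(d.amount), until: BigInt(d.expiration) }));
    return { family: 'Permit2 ' + pt, spender: msg.spender, items };
  }
  return null;
}

// opts: { trustedSpenders: [address], chainId, now: unix seconds, maxValiditySeconds }
function inspectTypedData(req, opts) {
  const grant = extractGrant(req);
  if (!grant) return { family: 'no token authority', warnings: [] };
  const trusted = new Set((opts.trustedSpenders || []).map(lower));
  const maxValidity = BigInt(opts.maxValiditySeconds ?? 30 * 60); // assumed policy
  const now = BigInt(opts.now);
  const warnings = [];
  if (!trusted.has(lower(grant.spender))) warnings.push(`spender ${grant.spender} is not a known contract`);
  if (opts.chainId !== undefined && BigInt(req.domain.chainId) !== BigInt(opts.chainId)) {
    warnings.push('domain chainId is not the connected chain');
  }
  if (grant.family.startsWith('Permit2') && lower(req.domain.verifyingContract) !== PERMIT2_ADDRESS) {
    warnings.push('verifyingContract is not the canonical Permit2 contract');
  }
  for (const it of grant.items) {
    if (it.amount >= MAX_UINT160) warnings.push(`unlimited amount of ${it.token}`);
    if (it.until - now > maxValidity) warnings.push(`authority over ${it.token} outlives the ${maxValidity}s limit`);
  }
  return { family: grant.family, spender: grant.spender, items: grant.items, warnings };
}

// Constructed samples (made-up addresses): the two requests a phishing page
// would show, and the one a real swap front end would show.
const ATTACKER = '0x' + 'ab'.repeat(20);
const ROUTER = '0x' + '11'.repeat(20);   // stands in for a real DEX router
const USDC = '0x' + '22'.repeat(20);     // stands in for a token contract
const VICTIM = '0x' + '33'.repeat(20);
const NOW = 1700000000;

const phishingPermit = {
  domain: { name: 'USD Coin', version: '2', chainId: 1, verifyingContract: USDC },
  primaryType: 'Permit',
  message: { owner: VICTIM, spender: ATTACKER, value: MAX_UINT256.toString(), nonce: 0, deadline: MAX_UINT256.toString() },
};
const phishingPermit2 = {
  domain: { name: 'Permit2', chainId: 1, verifyingContract: PERMIT2_ADDRESS },
  primaryType: 'PermitSingle',
  message: {
    details: { token: USDC, amount: MAX_UINT160.toString(), expiration: (2 ** 48 - 1).toString(), nonce: 0 },
    spender: ATTACKER, sigDeadline: (NOW + 1800).toString(),
  },
};
const legitimatePermit2 = {
  ...phishingPermit2,
  message: { details: { token: USDC, amount: '1000000', expiration: (NOW + 600).toString(), nonce: 0 }, spender: ROUTER, sigDeadline: (NOW + 600).toString() },
};

const policy = { trustedSpenders: [ROUTER], chainId: 1, now: NOW };
console.log(inspectTypedData(phishingPermit, policy).warnings);
console.log(inspectTypedData(phishingPermit2, policy).warnings);
console.log(inspectTypedData(legitimatePermit2, policy).warnings);
```

The three warnings on each phishing sample (unknown spender, unlimited amount, authority that lasts far longer than any swap needs) are the fields to look for in a real prompt: a legitimate swap names a known router, a bounded amount and an expiration minutes away. The inspector deliberately does not verify the signature; by the time the wallet shows the request, the user is the one about to produce it.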
By understanding these underlying mechanisms and taking appropriate precautions, users can significantly reduce the risk of becoming victims of signature phishing. In the Web3 world, staying vigilant and continuously learning is key to protecting one's assets.