Web3 Signature Phishing: Analysis of Underlying Logic and Prevention Guide

Recently, "signature phishing" has become the preferred attack method for Web3 hackers. Despite ongoing efforts by security experts and wallet companies to raise awareness, many users still fall into traps every day. This is mainly due to the lack of understanding of the underlying mechanisms of wallet interactions among most people, and the high learning threshold for non-technical individuals.

In order to help more people understand this issue, this article will explain the underlying logic of signature phishing in a simple and easy-to-understand manner.

First, we need to understand that there are two basic operations when using a wallet: "signing" and "interacting". In simple terms, signing occurs off-chain and does not require paying Gas fees; while interacting occurs on-chain and requires paying Gas fees.

A signature is typically used for authentication, such as logging into a wallet or connecting to a DApp. This process does not make any changes to the blockchain data, so there is no need to pay a fee.

Interaction involves actual on-chain operations. For example, when exchanging tokens on a certain DEX, you first need to authorize the smart contract to use your tokens, and then perform the exchange operation. Both steps require paying gas fees.

After understanding the difference between signing and interaction, let's take a look at three common phishing methods: authorization phishing, Permit signature phishing, and Permit2 signature phishing.

Authorization phishing exploits the authorization mechanism of smart contracts. Hackers create a beautifully designed website to lure users into clicking buttons like "Claim Airdrop," which actually grants the hacker's address permission to operate their tokens. This method requires paying Gas fees, so users may be more vigilant.

Phishing signatures for Permit and Permit2 are more difficult to defend against. Permit is an extension of the ERC-20 standard that allows users to authorize others to operate their tokens through signatures. Permit2 is a feature launched by a certain DEX aimed at simplifying user operations. Both phishing methods do not require users to pay Gas fees, making it easier for people to let their guard down.

Hackers can spoof websites and replace the login button with Permit or Permit2 signature requests. Once the user signs, the hacker can gain the ability to operate the user's assets.

How to prevent these phishing attacks?

1. Cultivate security awareness, and carefully check every time you operate the wallet.
2. Separate large funds from your daily use wallet to reduce potential losses.
3. Learn to recognize the signature formats of Permit and Permit2, and be particularly alert when you see the following content:
   • Interactive: Interactive URL
   • Owner: Authorizing party address
   • Spender: Authorized party address
   • Value: Authorized Quantity
   • Nonce: Random number
   • Deadline: Expiration Time

By understanding these underlying mechanisms and preventive measures, we can better protect the security of our Web3 assets.