From Cure to Poison: Why Permit Has Become a Source of Risk

1. What is Permit?

Let’s start with a little story about borrowing money:

Imagine I want to borrow 1 million from my friend, Jack Ma. Without hesitation, Jack picks up the phone and calls the bank, confirming his identity and instructing them to authorize a withdrawal limit of 1 million for me. The bank records this authorization, and all I need to do is visit the bank, identify myself, and withdraw the authorized amount. If the bank can’t find the authorization, my request is denied.

Now, let’s explore how this process changes with a different method—Permit. In this scenario, when I ask Jack for 1 million, he casually pulls out a check, fills in the amount, signs it, and hands it to me. I take the check to the bank, and even without an authorization record, the bank cashes it based on Jack’s signature.

This illustrates the difference between Approve and Permit. Approve, an essential feature of ERC-20, has been widely used since Ethereum launched. But why was Permit introduced later through ERC-2612 to achieve the same effect?

2. Why was Permit Needed?

The ERC-2612 proposal was introduced in March 2019 and finalized in October 2022. Its development coincided with several spikes in Ethereum’s gas prices. The market’s frenzy during bull runs led users to spend more on gas fees for faster transactions, where even a one-block advantage could mean substantial profit.

However, this phenomenon created a burden for users, as the two-transaction process required for Approve became costly, especially for those with smaller funds. The introduction of Permit allowed for offline signing, eliminating the need for immediate on-chain authorization. This change meant that the authorization could be provided alongside the token transfer, akin to cashing a check without requiring prior bank approval.

While this seemed beneficial—saving Jack a phone call and reducing user transaction fees—it inadvertently opened Pandora’s box.

3. The Rapid Rise of Risks

Before Permit, hackers often relied on phishing methods that required users to sign Approve transactions, which incurred gas fees and raised red flags. Even if users accidentally clicked, the time delay for on-chain transactions allowed them to reverse the action with a new transaction.

Permit, however, changed the game. It eliminates gas fees, requiring only a signature, which lowers user vigilance. Since the signing is offline, hackers can take control and exploit the situation whenever they choose, maximizing their gains.

The impact of this shift is evident in the rising number of phishing victims and the amounts stolen. According to @ScamSniffer:

• In 2023, phishing losses reached $295 million.
• By mid-2024, that figure had already surpassed $314 million.
• In Q3 2024, a significant incident involved a wallet falling victim to a Permit phishing attack, resulting in a loss of 12,000 $spWETH, valued at approximately $30 million.

Such outcomes were likely unforeseen by the developers who proposed Permit, initially aimed at reducing gas costs and enhancing user experience. What was intended to be a double-edged sword turned out to be a sharp knife, slicing through the protective barriers around users’ assets.

Similar offline signing methods have emerged, such as Permit2 from Uniswap, which increases dependency on offline signing and amplifies phishing risks.

4. How to Protect Yourself

Facing this looming threat, users can take several precautions to mitigate losses:

1. Increase Awareness

• Stay Cautious of Airdrop Temptations: Airdrops can be enticing, but many are phishing attempts. Always verify the legitimacy of an airdrop through multiple sources before participating.
• Avoid Blind Signing: If you inadvertently enter a phishing site and a transaction window appears, scrutinize the transaction details. Terms like Permit, Permit2, Approve, or IncreaseAllowance indicate potential authorization issues, warranting caution. Hardware wallets like Keystone can help by parsing and displaying transaction details, preventing impulsive actions.

2. Utilize Tools

• ScamSniffer: This browser extension alerts users before entering suspicious URLs, allowing them to halt interactions promptly.
• Revoke: Revoke.cash displays token authorization records in your wallet, advising users to revoke any suspicious or unlimited authorizations. Regularly cleaning up authorizations minimizes risks.

3. Asset Isolation and Multi-Signature Wallets

The adage “don’t put all your eggs in one basket” applies to crypto assets as well. Store significant assets in cold wallets like Keystone, using small hot wallets for daily transactions. This way, even if one wallet is compromised, not all assets are at risk.

For added security, multi-signature wallets can provide further protection. Assets can only be accessed with a predetermined number of wallet approvals, ensuring that a single compromised wallet won’t lead to total loss.

5. Conclusion

While we cannot deny the value that Permit brings, the increasing number of thefts suggests its risks may outweigh its benefits. Similar to the once-prevalent ethsign method, which was eventually abandoned due to security concerns, Permit now faces a critical moment. Developers must thoughtfully consider whether to enhance or abandon this method moving forward.