To improve user experience on Ethereum, the “permit” function (EIP-2612) was introduced. It lets a token holder set an allowance by signing an off-chain message instead of submitting an approval transaction themselves; anyone holding that signature can submit it to the token contract on the holder’s behalf.
However, this may just be a new attack vector for Web3.0 hackers.
Most of the tokens we hold on Ethereum and on many other EVM-compatible blockchains follow the “ERC-20” standard.
These tokens, which include USDC, share a standard set of functions, including “transfer”, “approve” and “transferFrom”.
An allowance is what lets a third party call “transferFrom” on your behalf. If you grant an unlimited allowance to a spender you do not control, that spender can move every unit of that token out of your wallet.
This means an attacker who obtains such an allowance can essentially drain your wallet of that specific ERC-20 token.
With “permit”, obtaining the allowance no longer requires the victim to send an on-chain “approve” transaction, but simply to sign a message, which costs the victim no gas. Signature prompts of this kind look much like the harmless sign-in messages shown when interacting with almost any new platform, so a phishing site can present a permit request naming the attacker as spender, with an unlimited value and a far-future deadline, as if it were a routine login.
Once the attacker submits that signature to the token contract, they can call “transferFrom” and move as many tokens out of your wallet as it holds, essentially draining your funds.
Avoiding Similar Exploits
While it may not be a great sign for Web3.0 that such simple attacks can siphon huge amounts of funds, they can be avoided relatively easily.
Firstly, use a hardware wallet such as a Ledger or Trezor. Connecting one to MetaMask keeps the private key off your computer and adds another layer of security to your accounts. Note that a hardware wallet still signs whatever you confirm on its screen, so it protects against key theft, not against approving a malicious permit.
Secondly, read and understand what you are signing. Whether it is an approval for a site to spend your funds, access your NFTs or anything else, double-check the spender, the amount and the deadline before signing.
If you are unsure of approvals you have granted in the past, revoke them through MetaMask or third-party sites such as revoke.cash. Revoking is itself an on-chain transaction that sets the allowance back to zero.
Lastly, apply a sanity check to the site you are interacting with. Is it a known platform? Does it have a history of users and an established community?
If not, it may be best to avoid interacting with contracts on their site until you can verify their authenticity. One way to do this is to use sites like scamadvisor to check whether a website is legitimate.
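As an added illustration (not code from the original article), the following Python helper decodes the EIP-712 typed data a wallet displays for a “permit” request and flags the three fields a drain relies on: a spender you do not recognise, an unlimited value, and a deadline that never expires. The addresses, token name and sample requests are constructed for the example; the Permit struct layout itself is the one fixed by EIP-2612.

```python
"""Inspect the EIP-712 typed data behind an ERC-20 "permit" signature request.

Wallets hand eth_signTypedData_v4 payloads to the user as JSON; this helper
pulls out the fields that decide who may spend how much for how long, and
flags the combination a permit-phishing page relies on.
"""

UINT256_MAX = 2**256 - 1

# The Permit struct as standardised by EIP-2612.
PERMIT_TYPE = [
    {"name": "owner", "type": "address"},
    {"name": "spender", "type": "address"},
    {"name": "value", "type": "uint256"},
    {"name": "nonce", "type": "uint256"},
    {"name": "deadline", "type": "uint256"},
]


def _to_int(x) -> int:
    """uint256 values arrive as int, decimal string or 0x-hex string."""
    if isinstance(x, int):
        return x
    s = str(x).strip()
    return int(s, 16) if s.lower().startswith("0x") else int(s, 10)


def inspect_permit(typed_data: dict, my_address: str, known_spenders: set,
                   now: int, max_validity: int = 3600) -> dict:
    """Return the decoded permit plus a list of warning codes.

    An empty "warnings" list means the obvious drain pattern is absent;
    it does not by itself prove the request is safe.
    """
    if typed_data.get("primaryType") != "Permit":
        raise ValueError("not a Permit request: %r" % typed_data.get("primaryType"))
    if typed_data.get("types", {}).get("Permit") != PERMIT_TYPE:
        raise ValueError("Permit struct does not match EIP-2612")

    msg = typed_data["message"]
    owner = msg["owner"].lower()
    spender = msg["spender"].lower()
    value = _to_int(msg["value"])
    deadline = _to_int(msg["deadline"])
    token = typed_data.get("domain", {}).get("verifyingContract", "").lower()

    warnings = []
    if owner != my_address.lower():
        warnings.append("owner-mismatch")      # request is for someone else's tokens
    if spender not in {a.lower() for a in known_spenders}:
        warnings.append("unknown-spender")     # this address gains transferFrom rights
    if value == UINT256_MAX:
        warnings.append("unlimited-value")     # the "infinite allowance" drains rely on
    if deadline > now + max_validity:
        warnings.append("long-deadline")       # signature stays submittable for years

    return {"token": token, "spender": spender, "value": value,
            "deadline": deadline, "warnings": warnings}


# --- Constructed sample inputs (not real addresses or real requests) ---
MY_ADDRESS = "0x" + "11" * 20
KNOWN_ROUTER = "0x" + "22" * 20   # a spender contract you deliberately use
ATTACKER = "0x" + "dead" * 10
TOKEN = "0x" + "33" * 20          # the ERC-20 contract whose permit is requested
NOW = 1_700_000_000               # fixed "current time" so the example is deterministic


def _permit_request(spender: str, value: int, deadline: int) -> dict:
    return {
        "types": {
            "EIP712Domain": [
                {"name": "name", "type": "string"},
                {"name": "version", "type": "string"},
                {"name": "chainId", "type": "uint256"},
                {"name": "verifyingContract", "type": "address"},
            ],
            "Permit": PERMIT_TYPE,
        },
        "primaryType": "Permit",
        "domain": {"name": "Example Token", "version": "1", "chainId": 1,
                   "verifyingContract": TOKEN},
        "message": {"owner": MY_ADDRESS, "spender": spender,
                    "value": str(value), "nonce": "0", "deadline": str(deadline)},
    }


# What a drain page asks for: attacker as spender, unlimited value, deadline that never expires.
PHISHING_PERMIT = _permit_request(ATTACKER, UINT256_MAX, UINT256_MAX)
# What a well-behaved dApp asks for: known spender, exact amount, expires in ten minutes.
BENIGN_PERMIT = _permit_request(KNOWN_ROUTER, 1_000 * 10**6, NOW + 600)


if __name__ == "__main__":
    for label, req in (("phishing", PHISHING_PERMIT), ("benign", BENIGN_PERMIT)):
        report = inspect_permit(req, MY_ADDRESS, {KNOWN_ROUTER}, NOW)
        print(label, report["warnings"] or "no warnings")
```

The check deliberately treats an unknown spender as a warning on its own: a permit for an exact amount with a short deadline is still a drain if the spender is the attacker’s contract, because “transferFrom” can be called the moment the signature lands on-chain.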
[Editor’s Note: This article does not represent financial advice. Please do your own research before investing.]
Featured Image Credit: Forkast