Permit2 Phishing
What is Permit2 Phishing?
Permit2 phishing tricks an Ethereum user into signing a Uniswap Permit2 off-chain message that grants an attacker the right to transfer the victim's ERC-20 tokens.
Uniswap's Permit2 is a singleton contract that lets users approve token transfers via gasless EIP-712 signatures, with per-token or per-spender allowances and expirations. Attackers exploit this by hosting fake DeFi or NFT sites that prompt the wallet to sign a Permit2 PermitTransferFrom or PermitBatch message; if signed, the attacker can later call Permit2 to drain the approved tokens without any on-chain transaction from the victim. Because signing looks free and the prompt is just an off-chain message, victims often miss the risk. Defences include wallet UX that decodes EIP-712 payloads, hardware-wallet display of token names and amounts, allowance scanners (Revoke.cash), and never signing prompts you do not fully recognize.
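The first defence listed above, wallet UX that decodes the EIP-712 payload, is shown here as an added example that is not code from this page or from Uniswap. It takes the typed-data object a dapp hands to `eth_signTypedData_v4`, recognises the Permit2 primary types (PermitSingle, PermitBatch, PermitTransferFrom, PermitBatchTransferFrom), and produces the summary and risk flags a wallet should show before the user signs: verifying contract not Permit2, chain mismatch, unrecognised spender, unlimited allowance, and an allowance that stays valid for a long time. The Permit2 address is assumed to be the canonical deployment published by Uniswap (check it against their documentation); the spender allow-list, token addresses and the sample request are constructed placeholders.

```javascript
// Added example: decode a Permit2 EIP-712 signing request and flag the risks a
// wallet should surface. Not code from the page or from Uniswap.

// Assumed canonical Permit2 deployment address (verify against Uniswap's docs).
const PERMIT2_ADDRESS = "0x000000000022d473030f116ddee9f6b43ac78ba3";
const MAX_UINT160 = (1n << 160n) - 1n;   // largest amount a Permit2 allowance can hold
const MAX_UINT256 = (1n << 256n) - 1n;   // largest amount in a PermitTransferFrom
const ONE_DAY = 86400n;
const LONG_LIVED = 30n * ONE_DAY;        // example policy: flag allowances valid > 30 days

// Constructed allow-list of spender contracts the wallet recognises (placeholder).
const KNOWN_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111", // placeholder: a known router
]);

// Normalise every Permit2 primary type into (token, amount, expiry) tuples.
function extractPermissions(typedData) {
  const m = typedData.message;
  switch (typedData.primaryType) {
    case "PermitSingle":
      return [{ token: m.details.token, amount: BigInt(m.details.amount), expiry: BigInt(m.details.expiration) }];
    case "PermitBatch":
      return m.details.map((d) => ({ token: d.token, amount: BigInt(d.amount), expiry: BigInt(d.expiration) }));
    case "PermitTransferFrom":
      return [{ token: m.permitted.token, amount: BigInt(m.permitted.amount), expiry: BigInt(m.deadline) }];
    case "PermitBatchTransferFrom":
      return m.permitted.map((p) => ({ token: p.token, amount: BigInt(p.amount), expiry: BigInt(m.deadline) }));
    default:
      throw new Error(`not a Permit2 request: ${typedData.primaryType}`);
  }
}

// Returns the human-readable summary plus the list of risk flags for the prompt.
function analyzePermit2Request(typedData, nowSeconds, connectedChainId) {
  const flags = [];
  const domain = typedData.domain || {};
  if (String(domain.verifyingContract || "").toLowerCase() !== PERMIT2_ADDRESS) {
    flags.push("verifyingContract is not the Permit2 contract");
  }
  if (Number(domain.chainId) !== connectedChainId) {
    flags.push(`chainId ${domain.chainId} does not match the connected chain ${connectedChainId}`);
  }
  const spender = String(typedData.message.spender || "").toLowerCase();
  if (!KNOWN_SPENDERS.has(spender)) {
    flags.push(`spender ${spender} is not a recognised contract`);
  }
  const permissions = extractPermissions(typedData);
  for (const p of permissions) {
    if (p.amount === MAX_UINT160 || p.amount === MAX_UINT256) {
      flags.push(`unlimited allowance for token ${p.token}`);
    }
    if (p.expiry > BigInt(nowSeconds) + LONG_LIVED) {
      flags.push(`allowance for token ${p.token} stays valid for more than 30 days`);
    }
  }
  return { primaryType: typedData.primaryType, spender, permissions, flags, risky: flags.length > 0 };
}

// Constructed request in the shape of the page's first example: a PermitBatch that
// grants an unknown spender an unlimited, effectively never-expiring allowance on
// two tokens. Token and spender addresses are placeholders, not real deployments.
const SAMPLE_REQUEST = {
  domain: { name: "Permit2", chainId: 1, verifyingContract: PERMIT2_ADDRESS },
  primaryType: "PermitBatch",
  message: {
    details: [
      { token: "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", amount: MAX_UINT160.toString(), expiration: "281474976710655", nonce: "0" },
      { token: "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", amount: MAX_UINT160.toString(), expiration: "281474976710655", nonce: "0" },
    ],
    spender: "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
    sigDeadline: "281474976710655",
  },
};

const result = analyzePermit2Request(SAMPLE_REQUEST, Math.floor(Date.now() / 1000), 1);
console.log(JSON.stringify(result, (k, v) => (typeof v === "bigint" ? v.toString() : v), 2));
```

A wallet would render `permissions` as token name, amount and expiry (resolving the token address to a symbol and decimals from its own list, not from the dapp) and block or warn on any non-empty `flags`; the 30-day threshold and the spender allow-list are policy choices for this example.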
● Examples
- 01
A fake airdrop page asks the user to 'verify wallet' via a Permit2 signature that authorizes draining USDC and DAI.
- 02
An attacker chains a single Permit2 signature into batched transfers across multiple ERC-20 tokens.
● Frequently asked questions
What is Permit2 Phishing?
Permit2 phishing tricks an Ethereum user into signing a Uniswap Permit2 off-chain message that grants an attacker the right to transfer the victim's ERC-20 tokens. It belongs to the Web3 & Blockchain category of cybersecurity.
What does Permit2 Phishing mean?
Permit2 phishing tricks an Ethereum user into signing a Uniswap Permit2 off-chain message that grants an attacker the right to transfer the victim's ERC-20 tokens.
How does Permit2 Phishing work?
Uniswap's Permit2 is a singleton contract that lets users approve token transfers via gasless EIP-712 signatures, with per-token or per-spender allowances and expirations. Attackers exploit this by hosting fake DeFi or NFT sites that prompt the wallet to sign a Permit2 PermitTransferFrom or PermitBatch message; if signed, the attacker can later call Permit2 to drain the approved tokens without any on-chain transaction from the victim. Because signing looks free and the prompt is just an off-chain message, victims often miss the risk. Defences include wallet UX that decodes EIP-712 payloads, hardware-wallet display of token names and amounts, allowance scanners (Revoke.cash), and never signing prompts you do not fully recognize.
How do you defend against Permit2 Phishing?
Defences for Permit2 Phishing typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Permit2 Phishing?
Common alternative names include: Uniswap Permit2 phishing, EIP-712 phishing.
● Related terms
- web3 № 016
Address Poisoning
Address poisoning seeds a victim's transaction history with attacker-controlled lookalike addresses so they later copy-paste the wrong one and send funds to the attacker.
- web3 № 181
Clipboard Hijacker
A clipboard hijacker (crypto clipper) is malware that watches the OS clipboard and silently substitutes a victim's copied cryptocurrency address with one controlled by the attacker.
- web3 № 1221
Wallet Drainer
Malicious software or a phishing kit that tricks crypto-wallet users into signing transactions or approvals that hand over all valuable tokens and NFTs.
- web3 № 243
Cryptocurrency Mixer / Tumbler
A cryptocurrency mixer (or tumbler) pools and shuffles deposits from many users so that on-chain links between source and destination addresses are obscured.
- attacks № 821
Phishing
A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.