Understanding ERC-20 Permit and Associated Risks

5 min read

Learn how the ERC-20 permit cuts token transfer costs but facilitates phishing attempts.

The traditional process of transferring ERC-20 tokens has presented several challenges like the requirement of ETH for paying gas fees. Additionally, the standard token transfer process involves a rigorous procedure, adding complexity, increasing transaction fees, and delaying interactions with dApps.

EIP-2612 (ERC-20 permit) has been established as a standard for performing gasless token transfers, thereby eliminating the need for users to hold ETH for gas. However, it has opened a new avenue for malicious actors to gain access to users' tokens through sophisticated phishing schemes.

This blog aims to delve into the intricacies of EIP-2612, explaining how it works and the risks associated with the permit function.

Understanding EIP-2612#

EIP-2612 introduces a feature called "permit" for ERC-20 tokens. This lets users approve token transactions without making a separate blockchain transaction each time. It uses off-chain signatures, meaning you can give permission away from the blockchain while still keeping it secure. This makes handling ERC-20 tokens easier and cheaper.

The permit function lets a token owner sign a message off the blockchain that allows someone else to move a set amount of tokens from the owner's account. This signature, which is done off the blockchain, includes all the details like how much, to whom, and how long the permission lasts. It makes sure the transaction is safe and clear.

Traditionally, ERC-20 token transfers to a contract require a two-step process:

Approval: The token holder submits a transaction to the token contract, calling the approve function to allow a specific contract (the spender) to transfer up to a certain amount of tokens on their behalf. This transaction incurs gas fees and must be confirmed on the blockchain before proceeding.

Transfer: Once the approval is confirmed, the spender can initiate the transfer of tokens by calling the ‘transferFrom’ function, which moves the approved amount of tokens from the holder's account to another account, as specified by the spender.

EIP-2612 streamlines this into a single-step process by using the permit function. Instead of executing an on-chain transaction for approval, the token holder signs an off-chain message that approves the spender to transfer a specific amount of tokens. The spender or a third party can then submit this signature directly to the contract in a single transaction that also executes the transfer.

The introduction of the permit function has several advantages:

  • Reduced Gas Costs: By eliminating the need for an on-chain approval transaction, users save on gas fees, making token transfers more cost-effective.
  • Improved User Experience: The process becomes faster and more straightforward, enhancing usability, especially for users unfamiliar with the complexities of blockchain transactions.
  • Increased Security and Flexibility: The use of EIP-712 for signing data ensures that signatures are secure and cannot be reused maliciously. Additionally, the inclusion of parameters like a deadline for the permit's validity adds an extra layer of security and control for the token holder.

Overview of Permit2#

The introduction of a "Permit" function has been a game-changer for many because of its streamlined and gas-efficient token transaction. However, a significant challenge arises from the fact that not all ERC20 tokens support this "Permit" functionality. This difference has led to the exploration of solutions that can universally apply this convenience across the board.

One proposed solution is to update the existing ERC20 standard to include the "Permit" methods, requiring all tokens to integrate this feature. However, given the vast number of ERC20 tokens already in circulation, altering the standard could lead to complications and resistance from the community.

An alternative approach involves the creation of a central smart contract that acts as an intermediary between token holders and dApps. This central smart contract would allow users to approve their tokens once for all future transactions with any dApp connected to this system. This method presents a win-win scenario: it bypasses the need to modify existing tokens or standards and offers a seamless, gasless interaction with dApps, significantly improving the user experience.

Uniswap has adopted this approach and labeled it ‘Permit2’.

How the ERC20 Permit Is Enabling Phishing Scams#

You might have understood that the ERC20 permit has provided lots of advantages in terms of user experience, reduced gas costs, and flexibility. However, there are some downsides to it as well. There are evident cases of users being victims of phishing attacks utilizing the permit function.

In this phishing scheme, attackers deceive token holders into signing a seemingly harmless authorization. In reality, it grants the attackers permission to transfer the victim's tokens to their own accounts.

The attackers craft a fake signature request, mimicking the legitimate EIP2612 permit functionality, to trick the victim into signing a permit that apparently authorizes a simple action. This signature actually grants the attackers permission to access their tokens. Once the signature is obtained, the attackers use it to invoke the permit() method of the Permit2 smart contract, effectively granting themselves the authority to move the victim's tokens. With this permission in hand, they then call the transferFrom() method to transfer the tokens to their own account, completing the theft.

According to Scam Sniffer, a Web3 anti-scam platform, over $55 million was lost to phishing attacks in January 2024. Scam Sniffer also concluded that most of the thefts are due to signed ERC20 permits. Apparently, the attackers impersonated the X (Twitter) accounts of several projects and enticed victims to phishing websites through comments. In addition to that, Create2 was utilized to generate temporary addresses for each malicious signature.

About Neptune Mutual#

Let us introduce Neptune Mutual, an innovative project created on Ethereum to enhance users' security in the DeFi sector. It is a DeFi insurance protocol that covers users' funds from several kinds of threats and risks in the DeFi space.

If you're an individual in need of safeguarding your assets from threats such as phishing, smart contract vulnerabilities, rug pulls, and so on, you can purchase covers from our cover marketplace.

One of the best things about Neptune Mutual is that it operates on a parametric model. This means that payouts are based on predefined parameters rather than lengthy claim verification. If you're hacked, you become eligible to receive payouts without the need to provide proof of loss. Obviously, the incident needs to match the predefined parameters to be applicable for the payout.

We offer a marketplace where projects can create cover pools for their products. If you have a DeFi project and need to protect its users, you can create your own cover pool in our marketplace. Reach us through our contact page so that we can help you create the cover pools and set parameters as per your requirements.

To know more about Neptune Mutual, follow us on X (Twitter) and join our Discord chat.