According to Scam Sniffer, a victim parted ways with more than $11 million worth of aEthMKR and Pendle USDe tokens after signing multiple Permit phishing signatures.
Notably, the victim is a MakerDAO governance delegate, according to Arkham Intelligence.
As noted by blockchain security firm SlowMist, victims might end up facing significant losses due to signature risks.
Permit, introduced by EIP-2612, removes the need for a separate on-chain approval transaction before a smart contract can spend a user's tokens.
The feature lets a token holder produce an authorization signature off-chain, without sending any transaction to the blockchain.
A potential victim can sign such a permit for a malicious website without anything being broadcast to the blockchain. Since possession of the signature alone is sufficient to grant the authorization, the permit carries a significant level of risk, according to SlowMist.
Bad actors can deceive victims into providing these signatures by masquerading as a legitimate website.
Determining whether a signature has been compromised can be difficult because the signing takes place off-chain. “From our understanding, some wallets decode and display signature information to approve authorization phishing attempts, but there is a lack of sufficient warning regarding permit signature phishing, posing higher risks to users,” the firm said.
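The kind of warning SlowMist describes as missing can be illustrated with a pre-signature check. The following is an added example written for this page; it is not code from the article, from SlowMist, from Scam Sniffer, or from any wallet. It takes an EIP-712 typed-data object of the shape a dApp passes to a wallet for an EIP-2612 Permit and returns the risk findings a wallet or browser extension could show before the user signs. The function and option names are hypothetical, the one-hour deadline threshold is an assumed default, and every address and timestamp below is a constructed placeholder.

```javascript
// Added example: review an EIP-2612 Permit request (EIP-712 typed data) before
// signing and flag the properties that make permit phishing costly.
// Hypothetical helper names; no external libraries; all addresses constructed.

const UINT256_MAX = (1n << 256n) - 1n;
const ONE_DAY = 86400n;

function finding(level, code, detail) {
  return { level, code, detail };
}

// typedData: { domain, primaryType, message } as passed to eth_signTypedData_v4.
// opts.now: unix seconds (defaults to wall clock); opts.knownSpenders: contract
// addresses the user trusts; opts.maxDeadlineSeconds: how far ahead a deadline
// may sit before it is flagged (assumed default: one hour).
function reviewPermitRequest(typedData, opts = {}) {
  const now = BigInt(opts.now ?? Math.floor(Date.now() / 1000));
  const maxAhead = BigInt(opts.maxDeadlineSeconds ?? 3600);
  const known = new Set((opts.knownSpenders ?? []).map((a) => a.toLowerCase()));
  const findings = [];

  if (typedData.primaryType !== "Permit") {
    return { isPermit: false, findings };
  }
  const domain = typedData.domain ?? {};
  const msg = typedData.message ?? {};

  // Domain separator: without chainId and verifyingContract the signature is
  // not pinned to one token contract on one chain.
  if (!domain.verifyingContract) {
    findings.push(finding("high", "NO_VERIFYING_CONTRACT", "permit is not bound to a token contract"));
  }
  if (domain.chainId === undefined) {
    findings.push(finding("medium", "NO_CHAIN_ID", "permit is not bound to a chain"));
  }

  // value: an unlimited allowance lets the spender move the entire balance.
  const value = BigInt(msg.value ?? 0);
  if (value === UINT256_MAX) {
    findings.push(finding("high", "UNLIMITED_VALUE", "value is 2^256-1 (unlimited allowance)"));
  }

  // deadline: the permit stays usable until this timestamp, so a maximal or
  // far-off deadline can be held and submitted on-chain much later.
  const deadline = BigInt(msg.deadline ?? 0);
  if (deadline === UINT256_MAX) {
    findings.push(finding("high", "NO_EXPIRY", "deadline is 2^256-1 (never expires)"));
  } else if (deadline > now + maxAhead) {
    const days = (deadline - now) / ONE_DAY;
    findings.push(finding("medium", "LONG_DEADLINE", `deadline is ~${days} days ahead`));
  }

  // spender: the address that receives the allowance; anything outside the
  // user's allowlist deserves an explicit warning.
  const spender = String(msg.spender ?? "").toLowerCase();
  if (!known.has(spender)) {
    findings.push(finding("high", "UNKNOWN_SPENDER", `spender ${spender} is not a known contract`));
  }

  const order = { low: 0, medium: 1, high: 2 };
  const risk = findings.reduce((m, f) => (order[f.level] > order[m] ? f.level : m), "low");
  return { isPermit: true, risk, findings };
}

// Constructed sample: a request of the shape a phishing page would present.
const PHISHING_PERMIT = {
  primaryType: "Permit",
  domain: { name: "Example Token", version: "1", chainId: 1,
            verifyingContract: "0x1111111111111111111111111111111111111111" }, // constructed
  message: {
    owner: "0x2222222222222222222222222222222222222222",   // constructed victim
    spender: "0x3333333333333333333333333333333333333333", // constructed, unknown
    value: UINT256_MAX.toString(),
    nonce: 0,
    deadline: UINT256_MAX.toString(),
  },
};

// Constructed sample: a bounded permit for a known contract, valid for 10 minutes.
const KNOWN_DEX = "0x4444444444444444444444444444444444444444"; // constructed
const BENIGN_PERMIT = {
  primaryType: "Permit",
  domain: { name: "Example Token", version: "1", chainId: 1,
            verifyingContract: "0x1111111111111111111111111111111111111111" },
  message: {
    owner: "0x2222222222222222222222222222222222222222",
    spender: KNOWN_DEX,
    value: "1000000000000000000",
    nonce: 0,
    deadline: 1700000600,
  },
};

const REVIEW_OPTS = { now: 1700000000, knownSpenders: [KNOWN_DEX] };

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(reviewPermitRequest(PHISHING_PERMIT, REVIEW_OPTS), null, 2));
  console.log(JSON.stringify(reviewPermitRequest(BENIGN_PERMIT, REVIEW_OPTS), null, 2));
}
```

Run with `node` to see the two reviews: the constructed phishing permit is rated high on three counts (unlimited value, no expiry, unknown spender), while the bounded permit produces no findings. The checks are deliberately independent so a wallet can show each one as its own line, which is the kind of per-field warning the quoted text says is currently lacking.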