Learn to identify and avoid Permit2 authorization phishing
Educational Purpose Only
Scammers are exploiting Uniswap's Permit2 authorization system to steal tokens from unsuspecting
users. This challenge will teach you how to identify and protect yourself from these sophisticated
phishing attacks.
In this simulation, you'll experience how scammers trick users into signing malicious Permit2
authorizations, and why simply revoking token approvals isn't enough to stay safe.
Permit2 is a token approval contract developed by Uniswap that allows for more gas-efficient
and secure token approvals. It requires a one-time approval for each token, after which
Permit2 manages permissions internally.
You've just encountered a Permit2 phishing attack. The signature request you received was
malicious!
Here's what happened:
- You approved your tokens to the legitimate Permit2 contract
- The phisher requested a signature for a permit inside Permit2
- This would allow them to transfer your tokens using Permit2's internal permissions
- Simply revoking the token approval to Permit2 would not have been enough
The key issue: Even if you revoke your token's approval to Permit2, the internal
permissions within Permit2 remain active!
Understanding Permit2 Phishing
Permit2 works differently from traditional token approvals:
- Traditional Model: You directly approve tokens to specific contracts (e.g., Uniswap)
- Permit2 Model: You approve tokens to the Permit2 contract, which then manages permissions internally
This creates a two-layer approval system:
1. Token approval to Permit2 (visible in blockchain explorers)
2. Internal permissions within Permit2 (not visible in standard blockchain explorers)
The Vulnerability: If you only revoke the token approval to Permit2 but not the
internal permissions, attackers can still drain your tokens once you approve Permit2 again.
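The two layers described above can be traced with a small state model. This is an added example, not code from this page or from Permit2. The names Token, Permit2Model and runScenario, the account labels and the amounts are all constructed, and signature checks, nonces and expirations are left out.

```javascript
// Simplified model of the two approval layers (constructed; not Permit2's contract code).
// Signature checks, nonces and expirations are omitted so only the allowance state remains.
const key = (owner, spender) => `${owner}>${spender}`;

class Token {                                   // layer 1: ERC-20 style allowance
  constructor() { this.balances = new Map(); this.allowances = new Map(); }
  approve(owner, spender, amount) { this.allowances.set(key(owner, spender), amount); }
  transferFrom(caller, from, to, amount) {
    const allowed = this.allowances.get(key(from, caller)) || 0;
    const balance = this.balances.get(from) || 0;
    if (allowed < amount) throw new Error("layer 1: token allowance too low");
    if (balance < amount) throw new Error("balance too low");
    this.allowances.set(key(from, caller), allowed - amount);
    this.balances.set(from, balance - amount);
    this.balances.set(to, (this.balances.get(to) || 0) + amount);
  }
}

class Permit2Model {                            // layer 2: internal permissions
  constructor(token) { this.token = token; this.internal = new Map(); }
  // Stands in for a signed permit being submitted on-chain.
  permit(owner, spender, amount) { this.internal.set(key(owner, spender), amount); }
  // Stands in for the owner zeroing the internal permission.
  revoke(owner, spender) { this.internal.set(key(owner, spender), 0); }
  transferFrom(caller, from, to, amount) {
    const allowed = this.internal.get(key(from, caller)) || 0;
    if (allowed < amount) throw new Error("layer 2: no internal permission");
    this.token.transferFrom("permit2", from, to, amount);
    this.internal.set(key(from, caller), allowed - amount);
  }
}

const attempt = (fn) => { try { fn(); return "ok"; } catch (e) { return e.message; } };

function runScenario(alsoRevokeInternal) {
  const token = new Token(), permit2 = new Permit2Model(token);
  const pull = () => permit2.transferFrom("phisher", "user", "phisher", 100);
  token.balances.set("user", 100);
  token.approve("user", "permit2", 100);        // one-time token approval to Permit2
  permit2.permit("user", "phisher", 100);       // the malicious permit the user signed
  token.approve("user", "permit2", 0);          // user revokes layer 1 only
  const whileRevoked = attempt(pull);           // blocked, but layer 2 is untouched
  const internalLeft = permit2.internal.get(key("user", "phisher"));
  if (alsoRevokeInternal) permit2.revoke("user", "phisher");
  token.approve("user", "permit2", 100);        // user approves Permit2 again later
  const afterReapprove = attempt(pull);
  return { whileRevoked, internalLeft, afterReapprove, userBalance: token.balances.get("user") };
}
```

Calling runScenario(false) models revoking only the token approval, and runScenario(true) models clearing the internal permission as well before approving Permit2 again.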