The Objective
On October 13, 2024, a crypto holder lost $1.39 million in a single Permit2 phishing attack. The victim unknowingly signed a malicious Permit2 signature that granted the attacker unlimited spending access to their wallet. Approximately $1.1 million in PEPE tokens and $50,000 in APU tokens were drained without a single transaction being broadcast from the victim’s address.
With Bitcoin trading around $62,851 and Ethereum at $2,467 at the time, the attack served as a stark reminder that the most sophisticated threats often require nothing more than a single click. This tutorial teaches you how Permit2 phishing works, how to audit your existing token approvals, and how to revoke malicious permissions before they can be exploited.
Prerequisites
Before proceeding, ensure you have the following:
- A Web3 wallet — MetaMask, Rabby, or any EVM-compatible wallet installed as a browser extension
- Basic understanding of ERC-20 token approvals — you should know what it means to “approve” a token spend
- Access to an approval revocation tool — Revoke.cash, Unrekt, or Rabby’s built-in approval scanner
- A block explorer bookmarked — Etherscan.io or the appropriate chain explorer for the networks you use
- 15–30 minutes of uninterrupted focus — rushing through security audits leads to mistakes
Optional but recommended: a hardware wallet (Ledger or Trezor) for signing transactions on accounts holding significant value.
Step-by-Step Walkthrough
Step 1: Understand How Permit2 Exploits Work
Permit2, developed by Uniswap, was designed to improve the user experience of token approvals. You make one on-chain ERC-20 approval of the Permit2 contract per token; after that, any allowance to an individual spender is granted by signing an EIP-712 message off-chain, and whoever holds the signature submits it to Permit2 in their own transaction, so you pay no gas. That last property is what phishing pages abuse: a malicious dApp presents the signature request disguised as a harmless action such as “verify your wallet,” “claim your airdrop,” or “connect to proceed.”
When you sign a Permit2 PermitSingle (or PermitBatch) message, you grant the `spender` named in it the right to pull the listed tokens through Permit2, up to `amount` and until `expiration`. The danger is not that Permit2 allowances can be unlimited and long-lived (an ordinary ERC-20 approval can be unlimited too, and never expires at all); it is that the approval is a signature rather than a transaction. Your address shows no activity, the phishing page fills in every field, with an attacker-controlled spender and amount and expiration at their maximum values (2^160-1 and 2^48-1), and the attacker submits the signature and the transfers from their own address. The attack needs only one thing from your past: an existing on-chain approval of the Permit2 contract for the token, which anyone who has used Uniswap's interface with that token probably has. The attacker who stole $1.39 million on October 13 exploited exactly this mechanism: the victim signed what looked like a routine verification, but it was a Permit2 signature granting full token access.
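To make the signing request concrete, here is an added example (my code, not the article's and not Uniswap's) that inspects a Permit2 EIP-712 request the way a simulating wallet would before you click “Sign.” The token, router and attacker addresses, the allowlist of trusted spenders, the one-hour deadline threshold and the timestamp are constructed placeholders for the example, not real protocol or attacker addresses:

```javascript
// Added example (not from the article or from Uniswap): inspect a Permit2 EIP-712
// signing request before signing, the way a simulating wallet does. The input is the
// JSON object a dApp hands to eth_signTypedData_v4.
const PERMIT2 = '0x000000000022D473030F116dDEE9F6B43aC78BA3'; // canonical Permit2, same address on every chain
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2's "unlimited" amount
const MAX_UINT48 = (1n << 48n) - 1n;   // Permit2's "never expires"
const ONE_HOUR = 3600n, ONE_YEAR = 365n * 24n * 3600n;

const sameAddr = (a, b) => String(a).toLowerCase() === String(b).toLowerCase();

// Returns human-readable findings; an empty array means nothing looked wrong.
// opts = { chainId, knownSpenders: [...], now: unix seconds }. The allowlist is
// yours to maintain (assumption: you keep a list of router addresses you trust).
function inspectPermit2Request(typedData, opts) {
  const { domain = {}, primaryType, message = {} } = typedData;
  const now = BigInt(opts.now);
  const findings = [];

  if (primaryType !== 'PermitSingle' && primaryType !== 'PermitBatch') {
    return [`primaryType ${primaryType}: not a Permit2 allowance permit, review it under its own rules`];
  }
  if (domain.name !== 'Permit2' || !sameAddr(domain.verifyingContract, PERMIT2)) {
    findings.push('domain: verifyingContract is not the canonical Permit2 contract');
  }
  if (BigInt(domain.chainId ?? -1) !== BigInt(opts.chainId)) {
    findings.push(`domain: chainId ${domain.chainId} is not the network you are on`);
  }
  if (!opts.knownSpenders.some(s => sameAddr(s, message.spender))) {
    findings.push(`spender ${message.spender}: not a protocol contract you recognise`);
  }
  // Assumption: a real swap UI asks for a signature deadline minutes away, not days.
  if (BigInt(message.sigDeadline) > now + ONE_HOUR) {
    findings.push('sigDeadline: the signature itself stays usable for more than an hour');
  }
  const details = primaryType === 'PermitBatch' ? message.details : [message.details];
  for (const d of details) {
    const amount = BigInt(d.amount), expiration = BigInt(d.expiration);
    if (amount === MAX_UINT160) findings.push(`token ${d.token}: unlimited amount`);
    if (expiration === MAX_UINT48) findings.push(`token ${d.token}: allowance never expires`);
    else if (expiration > now + ONE_YEAR) findings.push(`token ${d.token}: allowance lasts more than a year`);
  }
  if (details.length > 1) findings.push(`batch permit: ${details.length} tokens granted at once`);
  return findings;
}

// Constructed addresses for the example (not real tokens, routers or attackers).
const TOKEN = '0x1111111111111111111111111111111111111111';
const TRUSTED_ROUTER = '0x2222222222222222222222222222222222222222';
const ATTACKER = '0x3333333333333333333333333333333333333333';
const NOW = 1728777600; // 2024-10-13 00:00 UTC, assumed for the example

// What a "verify your wallet" pop-up can actually ask you to sign.
const PHISHING_REQUEST = {
  domain: { name: 'Permit2', chainId: 1, verifyingContract: PERMIT2 },
  primaryType: 'PermitSingle',
  message: {
    details: { token: TOKEN, amount: MAX_UINT160.toString(), expiration: MAX_UINT48.toString(), nonce: '0' },
    spender: ATTACKER,
    sigDeadline: (BigInt(NOW) + ONE_YEAR).toString(),
  },
};

// What a swap UI asks for: bounded amount, bounded lifetime, known spender.
const BENIGN_REQUEST = {
  domain: { name: 'Permit2', chainId: 1, verifyingContract: PERMIT2 },
  primaryType: 'PermitSingle',
  message: {
    details: {
      token: TOKEN,
      amount: (1000n * 10n ** 18n).toString(),
      expiration: (BigInt(NOW) + 30n * 24n * 3600n).toString(),
      nonce: '4',
    },
    spender: TRUSTED_ROUTER,
    sigDeadline: (BigInt(NOW) + 1800n).toString(),
  },
};

const OPTS = { chainId: 1, knownSpenders: [TRUSTED_ROUTER], now: NOW };
console.log(inspectPermit2Request(PHISHING_REQUEST, OPTS));
console.log(inspectPermit2Request(BENIGN_REQUEST, OPTS));
```

The phishing request trips four findings (unknown spender, unlimited amount, no expiration, long signature deadline); the benign one trips none. A wallet simulator does the same decoding, but only if you read what it shows before confirming.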
Step 2: Scan Your Wallet for Active Approvals
Navigate to revoke.cash and connect your wallet. The tool lists every active token approval for the selected network; switch networks to cover each chain you have used. Pay close attention to:
- Unlimited approvals — any approval set to “unlimited” or an extremely high number
- Unknown contracts — addresses you do not recognize or cannot associate with a known protocol
- Permit2 entries: Revoke.cash lists allowances granted through the Uniswap Permit2 contract (0x000000000022D473030F116dDEE9F6B43aC78BA3) separately, each with the spender that the signature authorised. Seeing the Permit2 contract itself as an ERC-20 spender is normal for anyone who has used Uniswap; what matters is the spender behind each Permit2 entry, and an address you do not recognise there is a red flag
- Old approvals — permissions granted months ago to contracts you no longer use
For each suspicious approval, click the spender address to view it on Etherscan (for a Permit2 entry that is the spender inside the permit, not the Permit2 contract). Check whether it is a verified contract that belongs to a recognised protocol. If the contract is unverified, was deployed only recently, or cannot be tied to anything you used, revoke it immediately.
Step 3: Revoke Malicious or Unnecessary Approvals
On Revoke.cash, click the “Revoke” button next to each approval you want to remove. For an ERC-20 approval this broadcasts an `approve(spender, 0)` transaction to the token; for a Permit2 entry it sends a transaction to the Permit2 contract that zeroes the allowance for that token and spender pair (Permit2 also exposes a `lockdown` function that zeroes several pairs in one transaction). Each revocation costs a small gas fee. Revoking the token's own approval of the Permit2 contract cuts off every Permit2 spender for that token at once, at the cost of re-approving Permit2 the next time you use Uniswap. Prioritize:
- Any approval linked to an unknown or unverified contract
- Permit2 approvals you do not explicitly remember granting
- Unlimited approvals to any contract (revoke and re-approve with exact amounts only when needed)
If gas fees are a concern, focus on high-value tokens first. An unlimited USDT approval is more dangerous than an unlimited approval for a token worth fractions of a cent.
Step 4: Verify Revocations on the Block Explorer
After revoking, open Etherscan's Token Approval Checker (etherscan.io/tokenapprovalchecker), enter your address, and confirm that the ERC-20 allowances you revoked now read zero. That page shows token-level allowances, including the one granted to the Permit2 contract; to confirm that a Permit2 spender is really gone, open the Permit2 contract's “Read Contract” tab and call `allowance(owner, token, spender)`, which returns the amount, expiration and nonce for that pair, and check that the amount is 0. Some revocation tools cache data and may lag; the block explorer reading the chain is the ground truth.
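To check both allowance layers from Steps 2 to 4 without trusting a tool's cached view, here is an added example (my code, not the article's) that decodes the raw hex returned by the two `allowance` reads and says whether a spender can still move your tokens. The sample return data is constructed, not copied from a real wallet, and the timestamp is assumed:

```javascript
// Added example (not from the article): decode and classify the raw return data of
// the two allowance reads a Permit2 audit needs. Feed it the hex that Etherscan's
// "Read Contract" tab or an eth_call returns; nothing here touches the network.
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n;
const MAX_UINT48 = (1n << 48n) - 1n;

// Split ABI-encoded return data into 32-byte words.
function abiWords(hex) {
  const h = hex.replace(/^0x/, '');
  if (h.length === 0 || h.length % 64 !== 0) throw new Error('return data is not 32-byte aligned');
  const out = [];
  for (let i = 0; i < h.length; i += 64) out.push(BigInt('0x' + h.slice(i, i + 64)));
  return out;
}

// Layer 1: token.allowance(owner, Permit2) -> uint256. This is the on-chain approval
// that lets the Permit2 contract move the token at all; Uniswap's UI usually sets it
// once, unlimited.
function classifyErc20Allowance(returnData) {
  const [amount] = abiWords(returnData);
  return { amount, unlimited: amount === MAX_UINT256, revoked: amount === 0n };
}

// Layer 2: Permit2.allowance(owner, token, spender) -> (uint160 amount, uint48 expiration,
// uint48 nonce). This is the allowance a phishing signature creates; the spender is
// the attacker's address.
function classifyPermit2Allowance(returnData, nowSeconds) {
  const [amount, expiration, nonce] = abiWords(returnData);
  const now = BigInt(nowSeconds);
  let status;
  if (amount === 0n) status = 'revoked';
  else if (now > expiration) status = 'expired'; // Permit2 rejects transfers once block.timestamp > expiration
  else status = 'live';
  return {
    amount, expiration, nonce, status,
    unlimited: amount === MAX_UINT160,
    neverExpires: expiration === MAX_UINT48,
  };
}

// Overall verdict: the spender can drain the token only if both layers are open.
function canSpend(erc20, permit2) {
  return !erc20.revoked && permit2.status === 'live';
}

// Constructed sample return data (not real chain output).
const word = n => n.toString(16).padStart(64, '0');
const NOW = 1728777600; // 2024-10-13 00:00 UTC, assumed
const TOKEN_ALLOWANCE_UNLIMITED = '0x' + word(MAX_UINT256);
const TOKEN_ALLOWANCE_REVOKED = '0x' + word(0n);
// Typical phished state: max amount, max expiration, nonce already consumed once.
const PHISHED = '0x' + word(MAX_UINT160) + word(MAX_UINT48) + word(1n);
// After Permit2 lockdown/approve(…, 0, …): only the amount is zeroed, expiration stays.
const AFTER_LOCKDOWN = '0x' + word(0n) + word(MAX_UINT48) + word(1n);

console.log(classifyPermit2Allowance(PHISHED, NOW));
console.log(canSpend(classifyErc20Allowance(TOKEN_ALLOWANCE_UNLIMITED), classifyPermit2Allowance(PHISHED, NOW)));
console.log(canSpend(classifyErc20Allowance(TOKEN_ALLOWANCE_UNLIMITED), classifyPermit2Allowance(AFTER_LOCKDOWN, NOW)));
```

The verdict function makes the Step 3 advice explicit: zeroing either layer (the Permit2 pair, or the token's approval of Permit2) is enough to stop the spender, and an “expired” pair is harmless even though the explorer still shows a non-zero amount.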
Step 5: Set Up Preventive Measures
Install the Rabby Wallet browser extension, either as a replacement for your current wallet or alongside it with the same accounts imported. Rabby simulates every transaction and decodes every signature request before you sign, showing what will happen if you approve. For Permit2 permits it shows the spender, amount and expiration in plain language and warns when the spender is not a contract it recognises.
Additionally, install the Scam Sniffer browser extension. It maintains a database of known malicious dApps and blocks connections to phishing sites before you interact with them. Scam Sniffer was the entity that identified and reported the $1.39 million Permit2 phishing attack of October 13, the same kind of attack this guide addresses.
Troubleshooting
Revocation transaction fails: The common causes are a Permit2 entry being revoked through the token instead of through the Permit2 contract (revoke it on Permit2, via `approve(token, spender, 0, expiration)` or `lockdown`), a token that reverts on a zero-value `approve` (set the allowance to 1 instead of 0, which is as good as revoked in practice), or a transaction sent with too little gas. If the tool keeps failing, open the contract's “Write Contract” tab on Etherscan and call the function directly.
Cannot find an approval on Revoke.cash: Some newer chains may not be indexed. Check the native block explorer for that chain, or use the chain-specific version of Revoke.cash by manually selecting the network.
Wallet was already drained: Revoke all remaining approvals immediately, move any remaining assets to a fresh wallet address, and document the transaction hashes for potential recovery efforts or insurance claims. A Permit2 phish does not expose your private key, so the address itself is safe to keep using once every stale allowance is gone; if you are not certain the loss came from a signature rather than a key compromise, treat the key as burned and migrate.
Mastering the Skill
Approval auditing should become a monthly habit. Set a calendar reminder to scan your wallets on Revoke.cash every 30 days. After interacting with any new dApp — especially airdrop claim sites, token bridges, or yield farming protocols — immediately review the approvals you just granted.
For maximum security, adopt the practice of using a dedicated “interaction wallet” with minimal funds for connecting to unfamiliar dApps. Keep your primary holdings in a separate wallet that never connects to any website. This compartmentalization ensures that even if a Permit2 phishing attack succeeds, the damage is limited to the small balance in your interaction wallet.
The $1.39 million stolen on October 13, 2024, was entirely preventable. A single revoked approval or a moment of caution before signing would have saved the victim’s entire portfolio. Make approval management a non-negotiable part of your crypto security routine.
This article is for educational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions. Cryptocurrency investments carry inherent risks.
This is a lifesaver! I honestly had no idea Permit2 worked differently than standard approvals. I checked my wallet and had some weird signatures from a protocol I haven’t used in months. Just revoked everything through Revoke.cash. Great guide for staying safe.
Had the same thing happen last month, found a stale Permit2 sig from a testnet faucet dApp. Revoked it immediately after reading about the $1.39M PEPE drain.
While I appreciate the security focus, doesn’t revoking these every time just make the UX even worse? We’re trying to reach mass adoption but everything feels like a minefield. Permit2 was supposed to fix the ‘infinite approval’ problem but it seems it just moved the goalposts for phishers.
@Sarah Miller UX is the real issue. Permit2 fixed gasless approvals but created a new attack surface. The tradeoff between convenience and security in crypto is brutal.
@Sarah Miller Permit2 fixed gasless approvals but the tradeoff is you now have infinite exposure to phishing sigs. There is no free lunch in crypto security.
Exactly. Permit2 gasless sigs mean you can get phished without even sending a transaction. The UX improvement created a new attack vector.
Super solid breakdown. Most people just sign whatever pop-up appears in Metamask without reading the call data. If you’re using Uniswap or any major DEX, you’re likely using Permit2. Definitely worth doing a weekly audit of your permissions if you’re active on-chain.
@EtherMaxi_Anon Weekly audit is good practice but most people won't do it. Rabby wallet showing a simulation before signing is probably the better UX solution.
Rabby simulation is nice but most people use MetaMask out of habit. The real fix is browsers flagging suspicious sig requests natively.
Rabby simulation catches most Permit2 phishing but only if you actually read the simulation output. Most people click confirm without looking.
Can you clarify if hardware wallets provide any extra protection against these malicious permits? I use a Ledger for everything but I’m still paranoid about signing a bad off-chain message that bypasses the hardware confirmation. Better safe than sorry I guess.
Checked my wallet after reading this. Found 3 stale Permit2 approvals from dApps I haven't touched since January. Revoked all of them in 2 minutes on revoke.cash.
lol same. Found a Permit2 from a DeFi dashboard I used once 8 months ago. Infinite approval on 4 tokens for a UI I barely remember using.
Checked mine after a similar article last month. Found 6 stale approvals, 2 from contracts that don't even exist anymore. Revoked everything.
Hardware wallets don't save you from Permit2 because it's an off-chain signature. Your Ledger confirms the sig but can't tell you if it's malicious.
Exactly this. Ledger confirms the sighash but it can't tell you what the signature authorizes. The gap between signing and understanding is where every exploit lives.