SlowMist has reported that a recent attack on Ethereum is possible because of a neglected feature in Ethereum permits, which was introduced via EIP-2612. This EIP allows users to engage with smart contracts without the need for prior authorization by attaching an authorization signature. However, it has been discovered that the permit function can be executed by any account, regardless of ownership. Consequently, if users had previously compromised their wallet signatures on phishing websites, scammers could still take advantage of the permit exploit to drain tokens from their wallets, even if the users did not authorize any transactions.
Funds are returned to victim who suffered $7M loss in Ethereum re-staking exploit
Add A Comment