Build with CoinStats’ all-in-one API. Learn more

Deutsch한국어日本語中文EspañolFrançaisՀայերենNederlandsРусскийItalianoPortuguêsTürkçePortfolio TrackerSwapCryptocurrenciesPricingCrypto APIIntegrationsNewsEarnBlogNFTWidgetsDeFi Portfolio TrackerCrypto Gaming24h ReportPress KitAPI Docs
CoinStats

Not a hack: Uniswap Permit2 phishing wiped $1M with one signature

4h ago
bullish:

0

bearish:

0

Uniswap Permit2 phishing

One trader is out roughly $1 million after a phishing attack turned Uniswap’s own convenience feature against them. No protocol was hacked. No vulnerability was exploited in the traditional sense. The trader simply signed a message they shouldn’t have — and that was enough.

Key takeaways

  • A trader lost approximately $1 million after being tricked into signing a malicious Uniswap Permit2 message, granting attackers full wallet access.
  • A separate victim lost $196,000 in a similar attack involving the $VIRTUAL token.
  • Approval phishing has generated over $1 billion in reported losses since 2021 and shows no sign of slowing.
  • Chainalysis reported $14 billion in total onchain scam losses in 2025, up from $12 billion in 2024; CertiK logged $370 million from phishing alone in January 2026.
  • Tools like Revoke.cash let users audit and cancel token approvals, including Permit2 permissions — one of the most effective defenses currently available.

Massive $1 Million Loss Exposes Uniswap Permit2 Phishing Risk

The Uniswap Permit2 phishing attack that wiped out a trader’s portfolio is a reminder of how quickly a single misstep can become catastrophic in DeFi. Permit2 is a token approval contract Uniswap introduced to make DeFi more seamless. Instead of requiring a separate on-chain transaction for every token and every protocol, Permit2 allows a single off-chain signature to approve multiple token interactions at once. Convenient by design — and exploitable by the same logic.

How Permit2 Simplifies Token Approvals Yet Raises Security Stakes

Traditional ERC-20 approvals create natural checkpoints. Each token, each protocol interaction requires its own on-chain transaction, giving users repeated opportunities to reconsider. Permit2 removes those checkpoints entirely, replacing them with a single signed message. That efficiency gain is real — but so is the exposure it creates.

A single compromised signature can hand a malicious contract access to a user’s entire portfolio. There’s no second prompt. No confirmation screen. No warning. Once signed, the funds move quietly and irreversibly.

Phishing sites now routinely impersonate legitimate DeFi interfaces — airdrop claim pages, NFT minting portals, familiar-looking swap screens — all designed to surface a convincing Permit2 signature request at just the right moment.

Real-World Cases: $1 Million and $196,000 Phishing Losses

The $1 million loss is striking, but it isn’t isolated. A separate victim holding the $VIRTUAL token lost approximately $196,000 through the exact same mechanism. Different wallet, different token, same outcome: one bad signature and total loss.

What both incidents share is the absence of any technical breach on Uniswap’s end. The protocol worked exactly as designed. The attack surface wasn’t a bug — it was user behavior, engineered through deception.

That distinction matters enormously. It means protocol audits and smart contract security reviews offer almost no protection against this class of threat. The vulnerability lives between the screen and the signature.

Growing Onchain Scam Epidemic Highlights Persisting Approval Phishing

These two incidents aren’t anomalies — they’re data points in a much larger pattern. Approval phishing has quietly accumulated a devastating track record, and the broader numbers reflect a problem that continues to scale.

Crypto Crime Reports Reveal Billions Lost to Phishing and Scams

According to Chainalysis’s 2026 Crypto Crime Report, onchain scams generated at least $14 billion in losses during 2025, up from $12 billion in 2024. That’s a $2 billion year-over-year increase, driven in part by the persistence of social engineering tactics that no firewall can block.

CertiK’s data sharpens the picture further. In January 2026 alone, phishing and social engineering accounted for $370 million in total crypto losses — an extraordinary figure for a single month. One incident within that period contributed $284 million of the total.

Since 2021, approval phishing has been responsible for over $1 billion in reported losses. The cumulative damage has built steadily, largely out of the spotlight, while attention focused on more dramatic exploits.

Contrasting Trends: Decline in Wallet Drainer Losses Versus Persistent Approval Phishing

There’s a notable divergence worth understanding. Wallet drainer-related losses fell 83% in 2025, dropping to approximately $84 million — a genuine sign that targeted infrastructure takedowns and industry coordination are making a dent in that specific attack vector.

But approval phishing operates on entirely different infrastructure. Drainer scripts rely on deployable malicious contracts that security firms and exchanges can identify, flag, and blacklist. Approval phishing, by contrast, exploits legitimate protocol mechanics and user trust. Shutting down one phishing site doesn’t neutralize the technique.

This divergence creates a real risk of misread progress. The decline in drainer losses looks like a win — and it is — but it may obscure the continuing growth of a threat that’s harder to counter through technical means alone.

Operation Atlantic’s Enforcement Action Freezes $12 Million in Phishing Funds

Operation Atlantic, conducted in April 2026, resulted in the freezing of approximately $12 million tied to approval phishing schemes. Law enforcement action at this scale is meaningful, but $12 million against a backdrop of $14 billion in annual onchain scam losses illustrates the gap between what regulators can currently recover and the pace at which losses accumulate.

Defending Against Permit2 Approval Phishing Attacks

The nature of this threat means that effective defense has to happen at the user level. Protocol-layer fixes can reduce surface area, but they can’t prevent a user from signing a malicious message on a site that looks exactly like the real thing.

Tools and Best Practices to Mitigate Approval Phishing Risks

The most actionable step available is regular use of wallet revocation tools. Revoke.cash allows users to audit and cancel outstanding token approvals, including Permit2 permissions. Running a revocation check after interacting with any new or unfamiliar protocol limits the damage window significantly — if a bad approval slips through, catching it early reduces exposure.

Verifying contract addresses before signing anything is non-negotiable. Phishing sites are built to be visually indistinguishable from legitimate platforms. The contract address embedded in an approval prompt is where the truth lives, and it’s worth the extra ten seconds to check it.

A short checklist of defensive habits that matter most:

  • Verify the contract address in every signing prompt against known legitimate addresses before confirming.
  • Run regular audits with Revoke.cash or equivalent tools to cancel unnecessary or unfamiliar approvals.
  • Treat any unexpected Permit2 signature request — especially on airdrop or minting pages — as a red flag until verified.

Limits and Benefits of Hardware Wallets in Preventing Phishing Losses

Hardware wallets add a physical confirmation layer that software wallets don’t provide, and that layer has genuine value. But hardware wallets are not a complete solution when it comes to approval phishing. If a user connects a hardware wallet to a malicious site and then manually confirms a Permit2 signature request, the physical device becomes part of the attack rather than a defense against it.

The key insight is that approval phishing attacks the decision-making process, not the security architecture. Any tool that requires the user to approve a transaction can be weaponized if the user can be convinced that the transaction is legitimate. That’s a harder problem than patching a smart contract — and why education and vigilance remain the most durable defenses available right now.

FAQ

What is Uniswap’s Permit2 and why does it pose a phishing risk?

Permit2 allows users to sign a single off-chain message to approve multiple token interactions simultaneously. While this streamlines DeFi usage, it means a single malicious signature can grant an attacker broad, immediate access to a user’s entire wallet — without any additional confirmation steps.

How did phishing attackers exploit Permit2 in recent incidents?

Attackers built sites impersonating legitimate DeFi platforms and prompted users to sign Permit2 messages. Because Permit2 generates no on-chain warning or confirmation screen, victims had no indication they were authorizing a malicious contract. The result was immediate, unauthorized fund transfers — including one loss of approximately $1 million and a separate loss of around $196,000 involving the $VIRTUAL token.

What are some practical steps to protect against Permit2 approval phishing?

Users should verify contract addresses in every signing prompt before confirming, regularly audit and revoke token approvals using tools like Revoke.cash, and treat unexpected Permit2 requests with skepticism. Hardware wallets add an extra confirmation layer but do not protect against signing a malicious message on a compromised site.

How significant is the financial impact of approval phishing attacks in crypto?

Approval phishing has caused over $1 billion in reported losses since 2021. It contributed to the $14 billion in total onchain scam losses recorded by Chainalysis for 2025, and CertiK’s data shows phishing and social engineering alone caused $370 million in losses in January 2026. Despite a significant drop in wallet drainer losses, approval phishing continues to grow because it relies on different, harder-to-dismantle infrastructure.

Article produced with the assistance of artificial intelligence and reviewed by the editorial team.

4h ago
bullish:

0

bearish:

0

Manage all your crypto, NFT and DeFi from one place

Securely connect the portfolio you’re using to start.