Meter Community Guide: PERMIT2 ERC20 token approvals and their risks

Surajsinh Gaikwad, published in Meter.io, May 22, 2023

Meter Community,

We recently held a poll on the Meter Telegram chat to gauge our community's understanding of the risks associated with phishing attacks on cryptocurrency wallets.

The correct answer to the poll is ‘No’.

We would like to take this opportunity to help our community understand the risks associated with ERC-2612 tokens (which have a permit function) and with ERC20 tokens used through the PERMIT2 supplement.

TLDR:

  1. Verifying URLs through official channels has become even more important, especially when approving ERC20 tokens through the PERMIT2 supplement.

ERC20 Tokens and their approvals

Standard ERC-20 approval consists of

  1. An approval of a maximum token amount to the dapp contract, with no time limit
  2. A one-time approval transaction before the first execution with each contract of a dapp
source: https://mirror.xyz/0xf9b0D66d701151366Dd32A6F0467ffF64f847156/51zh5eo-EZaopCJ8Xic7tqAGHGChEzxYWy5tWjA9zQI

The pitfalls of this approval process are

  1. Poor user experience: a separate approval, and a separate revocation, for each contract
  2. Approvals are not time-bound
  3. Gas costs for every approval transaction

Scenarios leading to loss of tokens without user initiation

  1. Approval to malicious contracts
  2. Existing approvals to dapp contracts that later get exploited

Safe practices to avoid loss of tokens

  1. Keep token approvals low; this is cheap on low-cost chains like Meter
  2. Bookmark dapp URLs, or only open them from official channels
  3. Revoke approvals if you no longer use the dapp
  4. Watch for news of exploits affecting dapps you have approved

ERC-2612 tokens

Users can interact with the application contract by attaching an approval signature (a permit) to their transaction, without a separate pre-approval transaction.

source: https://mirror.xyz/0xf9b0D66d701151366Dd32A6F0467ffF64f847156/51zh5eo-EZaopCJ8Xic7tqAGHGChEzxYWy5tWjA9zQI

ERC-2612 approval consists of

  1. The user signs an off-chain permit message approving the dapp contract and submits the signed message to the contract
  2. The contract calls the token's ‘permit’ method, which uses the submitted signature as an approval to transfer tokens

The benefits over the standard ERC-20 approval process are:

  1. No additional on-chain ‘approve’ transaction, so lower gas costs and lower approval amounts
  2. Can be time-bound: an expiration time is set as part of the approval

The ‘permit’ function essentially grants the recipient the authority to initiate token transfers without any on-chain transaction from the user, which leaves room for broader exploits than ERC20 approvals do.

Scenarios leading to loss of tokens without user initiation

  1. Submitting a token approval signature to a phishing website

The ERC-2612 token standard is not widely adopted and is of lesser significance in the current landscape.

PERMIT2 approval model

Permit2 combines both models, extending the user experience and security advantages of EIP-2612 to also cover standard ERC20 tokens.

source: https://mirror.xyz/0xf9b0D66d701151366Dd32A6F0467ffF64f847156/51zh5eo-EZaopCJ8Xic7tqAGHGChEzxYWy5tWjA9zQI

PERMIT2 approval consists of

  1. A one-time approval of the maximum token amount to PERMIT2, with no time limit
  2. The user signs an off-chain PERMIT2 message approving the dapp contract and submits the signed message to the contract

With this approval process, the user is essentially tying all of their token approvals to ‘PERMIT2’.

Compared with phishing attacks that rely on existing on-chain approvals, permit phishing attacks pose an even higher risk, since a signature alone is sufficient for authorization.

Scenarios leading to loss of tokens without user initiation

  1. Submitting a token approval signature to a phishing website

Since PERMIT2 works as a supplement to any ERC20 token, it is of higher significance in the current landscape.

Safe practices to avoid loss of tokens

  1. Bookmark dapp URLs, or only open them from official channels
  2. Read the message carefully before signing a PERMIT2 request
  3. Take extra care with ERC20 tokens that are used through the PERMIT2 supplement
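What "read the message carefully" means in practice, for both the ERC-2612 permit section above and the PERMIT2 section, is to look at the fields of the typed data your wallet is about to sign. The following is an added example, not code from the Meter guide or from any wallet or dapp: a wallet-side pre-signing check in JavaScript that takes an eth_signTypedData_v4 request, recognises ERC-2612 Permit and PERMIT2 PermitSingle/PermitBatch messages, and flags the signals the safe practices point at: an unlimited amount, an allowance that stays valid far into the future, a signature deadline far away, and a spender that is not on the user's own list of known dapp contracts. All addresses, timestamps and the chain id are constructed placeholders, and the function names (typedDataFromRpcRequest, assessTypedData, assessRequest) and the thresholds are the example's own choices.

```javascript
// Added example, not code from the Meter guide: a wallet-side check that reads an
// EIP-712 signing request before anything is signed, recognises ERC-2612 "Permit"
// and Permit2 "PermitSingle"/"PermitBatch" messages, and reports the risk signals
// the guide warns about. Field names follow the ERC-2612 and Permit2 type
// definitions; all addresses, chain ids and timestamps below are constructed
// placeholders, not real contracts.

const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 encodes amounts as uint160
const MAX_UINT256 = (1n << 256n) - 1n; // ERC-2612 encodes value as uint256

const DEFAULTS = {
  now: Math.floor(Date.now() / 1000), // overridden below for repeatable results
  maxApprovalSeconds: 7 * 24 * 3600,  // Permit2 allowances valid longer than this are flagged
  maxSigDeadlineSeconds: 3600,        // a live dapp uses a permit signature within minutes
  knownSpenders: [],                  // addresses of dapp contracts the user trusts (assumed list)
};

// eth_signTypedData_v4 carries [signerAddress, jsonEncodedTypedData] in params.
function typedDataFromRpcRequest(rpcRequest) {
  if (rpcRequest.method !== "eth_signTypedData_v4") return null;
  const payload = rpcRequest.params[1];
  return typeof payload === "string" ? JSON.parse(payload) : payload;
}

function assessTypedData(typedData, opts = {}) {
  const cfg = { ...DEFAULTS, ...opts };
  const known = new Set(cfg.knownSpenders.map((a) => a.toLowerCase()));
  const { domain = {}, primaryType, message = {} } = typedData;
  const warnings = [];
  const approvals = []; // normalised {token, spender, amount, maxAmount, expiration}
  let kind, sigDeadline;

  if (primaryType === "Permit") {
    // ERC-2612: the token is the domain's verifyingContract. `deadline` bounds only the
    // signature; the allowance that permit() creates is a plain ERC20 allowance.
    kind = "erc2612-permit";
    sigDeadline = Number(message.deadline);
    approvals.push({ token: domain.verifyingContract, spender: message.spender,
      amount: BigInt(message.value), maxAmount: MAX_UINT256, expiration: null });
  } else if (primaryType === "PermitSingle" || primaryType === "PermitBatch") {
    kind = "permit2";
    sigDeadline = Number(message.sigDeadline);
    if (domain.name !== "Permit2") warnings.push(`${primaryType} message but domain name is "${domain.name}", not "Permit2"`);
    const details = primaryType === "PermitSingle" ? [message.details] : message.details;
    for (const d of details) {
      approvals.push({ token: d.token, spender: message.spender,
        amount: BigInt(d.amount), maxAmount: MAX_UINT160, expiration: Number(d.expiration) });
    }
    if (approvals.length > 1) warnings.push(`batch permit covers ${approvals.length} tokens at once`);
  } else {
    return { kind: "other", approvals, warnings };
  }

  if (sigDeadline - cfg.now > cfg.maxSigDeadlineSeconds) {
    warnings.push(`signature stays usable for ${Math.round((sigDeadline - cfg.now) / 3600)} h; minutes expected`);
  }
  for (const a of approvals) {
    if (a.amount === a.maxAmount) warnings.push(`unlimited approval of ${a.token} to ${a.spender}`);
    if (a.expiration !== null && a.expiration - cfg.now > cfg.maxApprovalSeconds) {
      warnings.push(`allowance for ${a.token} stays valid for ~${Math.round((a.expiration - cfg.now) / 86400)} days`);
    }
    if (!known.has(String(a.spender).toLowerCase())) warnings.push(`spender ${a.spender} is not a known dapp contract`);
  }
  return { kind, approvals, warnings };
}

function assessRequest(rpcRequest, opts) {
  const typedData = typedDataFromRpcRequest(rpcRequest);
  return typedData ? assessTypedData(typedData, opts) : { kind: "not-typed-data", approvals: [], warnings: [] };
}

// --- constructed samples: placeholder addresses, chainId 82 assumed for Meter mainnet ---
const SAMPLE_NOW = 1684800000; // fixed "current time" (May 2023) so the results are repeatable
const SIGNER = "0x1111111111111111111111111111111111111111";
const TOKEN = "0x3333333333333333333333333333333333333333";
const UNKNOWN_SPENDER = "0x4444444444444444444444444444444444444444";
const KNOWN_DAPP = "0x5555555555555555555555555555555555555555";
const PERMIT2_TYPES = {
  PermitDetails: [{ name: "token", type: "address" }, { name: "amount", type: "uint160" },
    { name: "expiration", type: "uint48" }, { name: "nonce", type: "uint48" }],
  PermitSingle: [{ name: "details", type: "PermitDetails" }, { name: "spender", type: "address" },
    { name: "sigDeadline", type: "uint256" }],
};
const PERMIT2_DOMAIN = { name: "Permit2", chainId: 82, verifyingContract: "0x2222222222222222222222222222222222222222" };

function permit2Request(details, spender, sigDeadline) {
  const typedData = { types: PERMIT2_TYPES, domain: PERMIT2_DOMAIN, primaryType: "PermitSingle",
    message: { details, spender, sigDeadline: String(sigDeadline) } };
  return { method: "eth_signTypedData_v4", params: [SIGNER, JSON.stringify(typedData)] };
}

// Sample 1 exercises every risk signal: unlimited amount, expiration decades away, unknown spender.
const RISKY_REQUEST = permit2Request(
  { token: TOKEN, amount: MAX_UINT160.toString(), expiration: String((1n << 48n) - 1n), nonce: "0" },
  UNKNOWN_SPENDER, SAMPLE_NOW + 600);
// Sample 2 is a bounded request from a trusted dapp: 1 token, valid one hour, signature used within 5 minutes.
const BOUNDED_REQUEST = permit2Request(
  { token: TOKEN, amount: "1000000000000000000", expiration: String(SAMPLE_NOW + 3600), nonce: "1" },
  KNOWN_DAPP, SAMPLE_NOW + 300);
// Sample 3 is an ERC-2612 permit on the token itself: unlimited value, unknown spender.
const ERC2612_REQUEST = { method: "eth_signTypedData_v4", params: [SIGNER, JSON.stringify({
  types: { Permit: [{ name: "owner", type: "address" }, { name: "spender", type: "address" },
    { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" }, { name: "deadline", type: "uint256" }] },
  domain: { name: "Sample Token", version: "1", chainId: 82, verifyingContract: TOKEN },
  primaryType: "Permit",
  message: { owner: SIGNER, spender: UNKNOWN_SPENDER, value: MAX_UINT256.toString(), nonce: "0", deadline: String(SAMPLE_NOW + 300) },
})] };

for (const [label, req] of [["risky", RISKY_REQUEST], ["bounded", BOUNDED_REQUEST], ["erc2612", ERC2612_REQUEST]]) {
  const r = assessRequest(req, { now: SAMPLE_NOW, knownSpenders: [KNOWN_DAPP] });
  console.log(label, r.kind, r.warnings);
}
```

The three fields worth reading before signing are the ones this check reports on: spender is the contract that gains the right to move your tokens, amount and expiration set how much and for how long, and a dapp that is about to use the signature has no reason to ask for a sigDeadline hours away. The ERC-2612 branch deliberately treats deadline as a signature deadline only, because the allowance that permit() creates is an ordinary ERC20 allowance with no expiry of its own.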

Further References

  1. https://twitter.com/SlowMist_Team/status/1659679952542011392
  2. https://twitter.com/realScamSniffer/status/1655807591690403840

About Meter.io

Meter is a layer 1 blockchain with Freedom and Fairness as the first principle. It is highly decentralized, censorship resistant yet blazing fast and MEV resistant. Its native metastable gas token completes Satoshi’s vision of a sound money independent of the fiat system.

Meter Ecosystem

Explorer: Meter Scan | Bridge: Meter Passport | DEFI: Voltswap , Jioswap, Chee Finance, Sumer Money, Minimax Finance, GemPad, Optical Finance, iZUMi Finance | P2E: Business Builders, TreasureBlox, CryptoBlades, Zomland, DragonMaster, CryptoPolis | NFT Collections: MTRG SQUAD, Meter Punks, Meter Mallows, NFTBattles, Universal NFT | NFT Marketplace: NFTing, Voltswap, TofuNFT, Meter Town | Domains: MTRG Domains, WEB3 Names | Miscellaneous: Golucky.io, Meter Miner, Daily Coin Crypto, LlamaPay | Infrastructure/ Tooling: Meter Multisig, Defillama, POKT, Sourcify, C14 (Fiat on-ramp) | Oracles: Witnet, Band Protocol, Pyth

Meter official website and community

Website, Twitter, Telegram, LinkedIn, Reddit, Discord, Media Contact
