Yu Xian, founder of blockchain security company SlowMist, noted that the victim did not recognize the danger because the transaction required no gas fees. He wrote:
“From the victim’s perspective, he just clicked a few times to confirm the wallet’s pop-up signature requests, didn’t spend a single penny of gas, and $6.28 million was gone.”
Permit approvals were originally designed to simplify token transfers. Instead of submitting an on-chain approval and paying fees, a user can sign an off-chain message authorizing a spender.
That efficiency, however, has created a new attack surface for attackers.
Once a user signs such a permit, an attacker can submit it on-chain through the token's Permit function and immediately call TransferFrom to drain the approved assets. Because the authorization itself is signed off-chain, wallet dashboards show no unusual activity until the funds move.
As a result, the assets are gone when the approval executes on-chain, and tokens are redirected to the attacker’s wallet.
This loophole has made permit exploits increasingly attractive for malicious actors, who can siphon millions without needing complex hacks or high-cost gas wars.
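A wallet-side screen for the kind of request described above, added here as an example (not code from the article or from SlowMist): it inspects the EIP-712 typed data of an EIP-2612 Permit before the user signs and flags an unlimited allowance, a far-off deadline, and a spender the user has not vetted. The addresses, the allowlist, and the sample request are constructed placeholders.

```javascript
// Added example: risk-screen an EIP-2612 Permit signature request (EIP-712 typed data)
// before a wallet shows the "sign" button. Addresses below are constructed placeholders.

const UINT256_MAX = (1n << 256n) - 1n; // the "unlimited" allowance value
const THIRTY_DAYS = 30n * 24n * 3600n;

// Constructed allowlist of spender contracts the user has already vetted (hypothetical).
const TRUSTED_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

// Returns the list of risk flags for a permit request; [] means nothing stood out.
function assessPermitRequest(typedData, nowSeconds, trusted = TRUSTED_SPENDERS) {
  const flags = [];
  if (typedData.primaryType !== "Permit") return flags; // not a permit; out of scope here

  const msg = typedData.message;
  const value = BigInt(msg.value);
  const deadline = BigInt(msg.deadline);
  const spender = String(msg.spender).toLowerCase();

  // Unlimited allowance: one signature lets the spender move the entire balance later.
  if (value === UINT256_MAX) flags.push("unlimited-allowance");
  // A deadline far in the future keeps the signed permit redeemable indefinitely.
  if (deadline - BigInt(nowSeconds) > THIRTY_DAYS) flags.push("long-deadline");
  // The spender is the address that will call transferFrom once the permit lands on-chain.
  if (!trusted.has(spender)) flags.push("unknown-spender");
  return flags;
}

// Constructed sample resembling a phishing site's request: gas-free to sign, unlimited, no expiry.
const SAMPLE_REQUEST = {
  primaryType: "Permit",
  domain: { name: "Token", version: "1", chainId: 1,
            verifyingContract: "0x2222222222222222222222222222222222222222" },
  message: {
    owner: "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    spender: "0x3333333333333333333333333333333333333333",
    value: UINT256_MAX.toString(),
    nonce: 0,
    deadline: "9999999999",
  },
};
```

A request for a bounded amount to a vetted spender with a short deadline yields no flags; any flag is reason to stop and check the site before signing.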
The latest theft highlights a wider trend of escalating phishing campaigns.
According to the firm, the most significant share of August’s damages came from three large accounts that accounted for nearly half of the total. This included one wallet that lost $3.08 million in a single exploit.
Considering this, security experts have urged crypto users to scrutinize wallet signature requests and to refuse any that would grant unlimited token allowances.