Published 03/12/2024

Navigating the Waters of ERC20 Token Approval and Permit Functions: Safeguarding Against Phishing Scams

by Shayan Eskandari — Head of Security at Puffer Finance

The blockchain ecosystem, particularly Ethereum, has grown exponentially, introducing a variety of smart contract standards that enhance the functionality of tokens. Among these, the ERC20 standard for fungible tokens has become a cornerstone of the Ethereum blockchain. This blog post aims to demystify two critical aspects of ERC20 tokens — approval and permit functions — and provide best practices to prevent being scammed by phishing websites that exploit these features. We at Puffer aim to make the ecosystem safer for our community and to help combat the phishing campaigns that target crypto users.

Understanding ERC20 Token Approval

The ERC20 token standard includes a function called approve, which allows token holders to give another address permission to transfer a specified amount of tokens on their behalf. This function is crucial for enabling smart contracts to interact with ERC20 tokens in a decentralized finance (DeFi) ecosystem, facilitating activities such as trading, lending, and staking.

For example, if Alice wants to use a DeFi platform to lend her tokens, she first needs to approve the platform’s smart contract to move her tokens. This is done by calling the approve function, specifying the contract’s address and the amount of tokens it is allowed to handle.

However, approving unnecessary or excessive amounts may expose your tokens to potential security risks. A common attack vector involves malicious actors creating fake versions of popular DApps (e.g. phishing), tricking unsuspecting victims into signing transactions that drain their accounts via unlimited approvals.
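The following is an added example, not code from this post or from Puffer: it decodes and builds the calldata of an ERC20 `approve(address,uint256)` call the way a wallet prompt could, flagging allowances that are unlimited or broader than the operation needs; the same helpers cover the "limit approval amounts" and "revoke permissions" advice later in the post. It uses only Node built-ins, and the `assessApprove` inputs (`expectedSpender`, `neededAmount`) and all addresses are constructed placeholders.

```javascript
// Added example, not code from the post or from Puffer: decode and build the
// calldata of an ERC20 approve(address,uint256) call the way a wallet prompt
// could, and flag allowances that are broader than the dapp needs.
// Node built-ins only; addresses used with it are constructed placeholders.
const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;  // the "unlimited" allowance value

// ABI-encode approve(spender, amount): selector + 32-byte address word + 32-byte amount word.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = BigInt(amount).toString(16).padStart(64, "0");
  return APPROVE_SELECTOR + addr + amt;
}

// Revoking an allowance is simply an approval of zero.
function encodeRevoke(spender) {
  return encodeApprove(spender, 0n);
}

// Decode approve calldata into { spender, amount }; rejects anything that is
// not exactly a two-argument approve call.
function decodeApprove(calldata) {
  const data = calldata.toLowerCase();
  if (!data.startsWith(APPROVE_SELECTOR) || data.length !== 10 + 64 + 64) {
    throw new Error("not an ERC20 approve(address,uint256) call");
  }
  const addrWord = data.slice(10, 74);
  if (!/^0{24}[0-9a-f]{40}$/.test(addrWord)) throw new Error("malformed address word");
  return { spender: "0x" + addrWord.slice(24), amount: BigInt("0x" + data.slice(74)) };
}

// Compare what the transaction grants with what the user verified and needs.
// expectedSpender: the contract address checked against a trusted source;
// neededAmount: the amount the intended operation actually requires.
function assessApprove(calldata, { expectedSpender, neededAmount }) {
  const { spender, amount } = decodeApprove(calldata);
  const flags = [];
  if (spender !== expectedSpender.toLowerCase()) flags.push("spender differs from verified contract");
  if (amount === MAX_UINT256) flags.push("unlimited allowance");
  else if (amount > BigInt(neededAmount)) flags.push("allowance exceeds amount needed");
  return { spender, amount, flags };
}
```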

The Permit Function: A Secure Alternative

The permit function, introduced by the EIP-2612 proposal to further enhance user experience and safety, is a relatively new addition that addresses some of the security concerns associated with the traditional approve method. It enables off-chain signature verification: users sign a message containing the transaction details without broadcasting it immediately. Once ready, they submit the signed message alongside a single permit call, so that multiple operations execute atomically.

This approach offers several benefits:

- Reduced gas costs since only one transaction is needed instead of separate approve and trade executions.
- Enhanced security due to eliminating lengthy approval periods where attackers could potentially manipulate market prices or user’s tokens might be exposed to a smart contract security vulnerability.
- Improved usability by removing the need for explicit approvals during each interaction.

Despite its advantages, implementing permits correctly remains crucial for maintaining robust security measures against phishing threats. Here are some recommendations:

- Verify Signature Requests: Never sign arbitrary messages from unknown sources. Ensure you understand what permissions you’re granting before endorsing any transactions. For many use cases, such as “Sign in with Ethereum” (similar to Puffer quest website), the message you are signing is a message that you can read in clear text on your wallet sign page, implemented ideally with a random number (timestamp, code, etc).
- Never type your seed phrase or private key: There are no legitimately safe DApps that require you to input your seed phrase.
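As an added example (not code from this post or from Puffer), here is the kind of check a wallet or a careful user could run over an `eth_signTypedData_v4` request carrying an EIP-2612 Permit before signing it, since the signature alone is what grants the allowance. The `expected` object (token, chain, owner, verified spenders, needed amount, maximum permit lifetime), the domain name/version and all addresses are constructed assumptions; the Permit field list is the one defined by EIP-2612.

```javascript
// Added example, not the post's or Puffer's code: inspect an eth_signTypedData_v4
// request for an EIP-2612 Permit before it is signed. Node built-ins only.
const MAX_UINT256 = (1n << 256n) - 1n;
const PERMIT_FIELDS = ["owner", "spender", "value", "nonce", "deadline"]; // EIP-2612 struct order
const lc = (s) => String(s).toLowerCase();

// Returns a list of risk flags (empty means the request matches expectations).
// `expected` is supplied by the wallet/user: which token and chain they think
// they are dealing with, their own address, spenders they have verified, the
// amount the dapp actually needs, and how long a permit should be allowed to live.
function assessPermitRequest(typedData, expected, nowSec) {
  const flags = [];
  const { primaryType, types, domain, message } = typedData;
  if (primaryType !== "Permit") flags.push("primaryType is not Permit");
  const declared = (types.Permit || []).map((f) => f.name).join(",");
  if (declared !== PERMIT_FIELDS.join(",")) flags.push("Permit struct differs from EIP-2612");
  if (lc(domain.verifyingContract) !== lc(expected.token)) flags.push("verifyingContract is not the expected token");
  if (Number(domain.chainId) !== expected.chainId) flags.push("chainId mismatch");
  if (lc(message.owner) !== lc(expected.owner)) flags.push("owner is not the signing account");
  if (!expected.verifiedSpenders.map(lc).includes(lc(message.spender))) flags.push("spender is not a verified contract");
  const value = BigInt(message.value);
  if (value === MAX_UINT256) flags.push("unlimited allowance");
  else if (value > expected.neededValue) flags.push("allowance exceeds amount needed");
  const deadline = BigInt(message.deadline);
  if (deadline === MAX_UINT256) flags.push("permit never expires");
  else if (deadline > BigInt(nowSec) + BigInt(expected.maxLifetimeSec)) flags.push("deadline far in the future");
  return flags;
}

// Builds the request shape an honest dapp would send (domain name/version are constructed).
function buildPermitRequest({ token, chainId, owner, spender, value, nonce, deadline }) {
  return {
    primaryType: "Permit",
    types: {
      EIP712Domain: [{ name: "name", type: "string" }, { name: "version", type: "string" },
        { name: "chainId", type: "uint256" }, { name: "verifyingContract", type: "address" }],
      Permit: [{ name: "owner", type: "address" }, { name: "spender", type: "address" },
        { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" }, { name: "deadline", type: "uint256" }],
    },
    domain: { name: "Example Token", version: "1", chainId, verifyingContract: token },
    message: { owner, spender, value: value.toString(), nonce, deadline: deadline.toString() },
  };
}
```

A request with an unverified spender, an unlimited value or a deadline at the maximum uint256 is exactly the pattern to refuse: nothing on chain protects the signer once such a permit is signed.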

Due to the overall benefits of Permit, many popular ERC20 contracts support the EIP-2612 standard, such as DAI, UNI and USDC, and almost all newer ERC20s integrate Permit in their normal flow, such as pufETH, stETH, eETH and many more. The OpenZeppelin library provides a good best-practice implementation example of how developers should implement Permit; we at Puffer have followed that recommendation and have also had the code audited by multiple vendors.

Best Practices to Avoid Phishing Scams

While the approval and permit functions are fundamental to improving the ERC20 standard user experience, they can also be exploited by phishing websites to drain funds from unsuspecting users. Here are some best practices to safeguard against such scams:

1. Verify Smart Contracts and DApps

Always ensure you’re interacting with the official website or user interface of a DeFi project. Verify the project’s smart contract address through reputable sources like Etherscan or the project’s official documentation. Modern wallets, such as MetaMask, have built-in warnings that help you identify phishing websites. Pay attention to them before signing any message or transaction.

2. Limit Approval Amounts

When granting approval, only allow the minimum necessary amount of tokens that the contract needs to function. This limits your exposure if the contract turns out to be malicious or gets hacked.

3. Use Permit Function Wisely

The permit function offers a safer alternative for token approvals. However, ensure that the off-chain signature you provide is for a specific and intended operation. As noted above, never sign arbitrary messages from unknown sources, and make sure you understand what permissions you’re granting before endorsing any transaction. For many use cases, such as “Sign in with Ethereum” (similar to the Puffer quest website), the message you are signing is readable in clear text on your wallet’s signing page, ideally including a random number (timestamp, code, etc.). Double-check the details of what you are signing.

4. Regularly Review and Revoke Permissions

Periodically review the approvals you’ve granted and revoke those that are no longer needed. Tools like Revoke.cash and Etherscan’s token approval checker can help you manage and revoke permissions.

5. Stay Informed and Educated

Phishing techniques constantly evolve. Stay informed about the latest security practices and threats in the DeFi space. Community forums, official project communications, and reputable crypto security resources are invaluable for staying ahead of scammers.

- Official Website: https://www.puffer.fi
- Official Twitter: https://twitter.com/puffer_finance
- Official Discord: https://discord.gg/pufferfi
- Twitter (Chinese): https://twitter.com/pufferfi_cn
- Medium: https://medium.com/@puffer.fi
- Documentation: https://docs.puffer.fi/
- Puffy’s Crunchy Carrot Quest: https://quest.puffer.fi/
- PufETH contract address: https://etherscan.io/token/0xD9A442856C234a39a81a089C06451EBAa4306a72
- Telegram (English, subscription only): https://t.me/puffer_fi
- Telegram (Chinese): https://t.me/puffer_asia

Conclusion

The approval and permit functions of ERC20 tokens play pivotal roles in the DeFi ecosystem, enabling seamless and flexible token interactions. However, their misuse can lead to significant losses. By following best practices, verifying interactions, and using available security tools, users can enjoy the benefits of DeFi while minimizing their risk of falling victim to phishing scams. As the blockchain space continues to evolve, so too will the tools and practices for ensuring the security of our digital assets. Stay vigilant, stay informed, and navigate the DeFi waters with confidence. 🐡


*About Puffer Finance:*

Puffer is the first native Liquid Restaking Protocol (nLRP) built on EigenLayer. It introduces native Liquid Restaking Tokens (nLRTs) that accrue PoS and restaking rewards. Nodes within the protocol leverage Puffer’s anti-slashing technology to enjoy reduced risk and increased capital efficiency, while supercharging their rewards through native restaking exposure. Learn more: www.puffer.fi