ERC-20 tokens are among the most frequently stolen assets in the crypto industry, and even some of the updates intended to fix the issues are inadvertently facilitating theft.
Uniswap’s “Permit2”, a smart contract launched in 2022, aims to streamline transactions by letting users grant token approvals to DApps in batches, so a separate approval is not needed for every transaction and gas fees are saved. There is a discrepancy between Ethereum’s native currency, Ether, and ERC-20 tokens in how they interact with smart contracts: Ether is sent to a contract directly as part of a transaction, whereas an ERC-20 token is itself a contract, and a DApp can move a user’s tokens only after the user has called approve() to grant it an allowance.
Alice can raise the amount of approved tokens by first setting the allowance to zero and then approving 800 tokens. In this hypothetical scenario, a malicious spender watching the mempool can submit a transferFrom in the brief window before the reset to zero is mined, spending the existing allowance, and then spend the new 800 once it is set, taking more tokens than Alice intends.
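As an added example (not code from the article, from Uniswap, or from any real token contract), the following Python model replays the allowance race described above with constructed numbers: Alice already allows Bob 500 tokens, wants him to be able to take 800 in total, and Bob controls transaction ordering. The Token class, the party names and the strategy labels are assumptions made for the simulation; the increase_allowance variant mirrors the atomic increase pattern that many token implementations offer but that the ERC-20 standard itself does not require.

```python
# Added example, not code from the original article or from Uniswap/Permit2.
# A minimal in-memory model of ERC-20 allowances plus a spender who controls
# transaction ordering (front-running), showing why overwriting an allowance
# with approve() can be exploited and why an atomic delta is not.
# Party names, amounts and helper functions are constructed for illustration.


class Token:
    """Minimal ERC-20-style ledger: balances plus (owner, spender) allowances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        # Standard ERC-20 approve(): unconditionally OVERWRITES the allowance.
        self.allowances[(owner, spender)] = amount

    def increase_allowance(self, owner, spender, delta):
        # Atomic read-modify-write on chain: whatever the spender did before
        # this transaction was mined is already reflected in the result.
        self.allowances[(owner, spender)] = self.allowance(owner, spender) + delta

    def transfer_from(self, spender, owner, to, amount):
        # Reverts (raises) if the spender lacks allowance or the owner lacks balance.
        if amount > self.allowance(owner, spender):
            raise ValueError("insufficient allowance")
        if amount > self.balances.get(owner, 0):
            raise ValueError("insufficient balance")
        self.allowances[(owner, spender)] = self.allowance(owner, spender) - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def drain(token, spender, owner):
    """Spender takes everything the current allowance permits; returns amount taken."""
    amount = min(token.allowance(owner, spender), token.balances.get(owner, 0))
    if amount:
        token.transfer_from(spender, owner, spender, amount)
    return amount


def run_race(strategy, old_allowance=500, new_target=800, balance=10_000):
    """Alice (owner) currently allows Bob (spender) `old_allowance` tokens and
    intends that Bob can take at most `new_target` in total. Bob watches the
    mempool and front-runs each of Alice's transactions. Returns Bob's haul."""
    token = Token({"alice": balance})
    token.approve("alice", "bob", old_allowance)
    taken = 0

    if strategy == "overwrite":
        # Alice broadcasts approve(bob, 800); Bob sees it pending in the mempool.
        taken += drain(token, "bob", "alice")      # Bob spends the old 500 first,
        token.approve("alice", "bob", new_target)  # then Alice's approve is mined,
        taken += drain(token, "bob", "alice")      # and Bob spends the new 800 too.
    elif strategy == "zero_then_set":
        # Naive "reset to zero first", both transactions sent back-to-back.
        # Bob front-runs the reset, so the zero protects nothing.
        taken += drain(token, "bob", "alice")
        token.approve("alice", "bob", 0)
        token.approve("alice", "bob", new_target)
        taken += drain(token, "bob", "alice")
    elif strategy == "zero_check_then_set":
        # Alice resets, WAITS for the reset to be mined, and only then grants
        # the remainder after checking how much Bob actually spent meanwhile.
        taken += drain(token, "bob", "alice")
        token.approve("alice", "bob", 0)
        already_spent = balance - token.balances["alice"]
        token.approve("alice", "bob", max(new_target - already_spent, 0))
        taken += drain(token, "bob", "alice")
    elif strategy == "increase_allowance":
        # Atomic delta: Alice asks for "+300", not "set to 800".
        taken += drain(token, "bob", "alice")
        token.increase_allowance("alice", "bob", new_target - old_allowance)
        taken += drain(token, "bob", "alice")
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    return taken


if __name__ == "__main__":
    for name in ("overwrite", "zero_then_set", "zero_check_then_set", "increase_allowance"):
        print(f"{name:22s} Bob takes {run_race(name)} (Alice intended 800)")
```

The two losing strategies both let Bob take 1300 tokens: a front-run transferFrom followed by the overwritten allowance. Resetting to zero only helps if Alice waits for the reset to confirm and re-checks before granting the new amount; an atomic increase or decrease avoids the window entirely because the adjustment is computed on chain against whatever the spender has already done.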
In a scam, illicit actors may send phishing messages asking users to increase their token allowance for seemingly valid reasons — like a phony update that requires higher allowances for users to continue enjoying services without disruptions or a fake security measure that requires users to increase approved tokens.
“Some security researchers are even more arrogant to say it’s ‘a stupid user issue’ or something ‘wallet and front-end developers should fix’ pushing the problem they caused to someone else,” Ohtamaa says. Increasingly, though, anyone and everyone transacting regularly in the Ethereum ecosystem is starting to fall victim to these ubiquitous scams.