On February 23, 2026, a sophisticated phishing attack resulted in the loss of 17.94 XAUt (Tether Gold), valued at approximately $92,000. While many hacks involve complex smart contract bugs, this one exploited a standard feature designed for user convenience: the ERC-20 permit function (EIP-2612).
The victim's wallet (0x151D5F9c...D50023) was drained in two transactions following a single malicious signature.
The Technical Context: What is permit?
Traditionally, to allow a contract to spend tokens, a user must call approve(). This is an on-chain transaction that costs gas.
To improve UX, EIP-2612 introduced the permit function. It allows a user to sign an off-chain EIP-712 typed-data message that a third party (the "relayer") can later submit on-chain to update the token allowance, so the token owner never pays gas for the approval.
The function signature defined by EIP-2612 looks like this:
Solidity
function permit(
address owner,
address spender,
uint256 value,
uint256 deadline,
uint8 v,
bytes32 r,
bytes32 s
) external;
Anatomy of the Exploit
In this specific XAUt incident, the attacker used a phishing site to trick the user into signing a permit message.
The Phishing Trap: The user was prompted to sign what looked like a benign message, but the typed data was actually a permit granting full allowance over the user's XAUt to the attacker's address.
Signature Harvesting: Once the user signed, the attacker captured the v, r, s components.
Execution: The attacker called the permit function on the XAUt contract, setting the allowance for their own address to the maximum.
The Drain: With the allowance set, the attacker executed transferFrom to move the funds to these malicious addresses:
0xAfb2423F447D3e16931164C9970B9741aAb1723E
0x6eE62Ae8b3657AB1db5DE58e7410C0b77116a0B3
Developer Lessons: Mitigating Signature Risks
As Web3 developers, we have a responsibility to implement safeguards:
Verify Typed Data: When implementing frontend signing, ensure you are using eth_signTypedData_v4 to provide users with a readable breakdown of what they are signing.
Allowance Monitoring: Implement real-time security alerts. Tools like GoPlus Security can help detect if a user is interacting with known malicious "Permit" harvesters.
The "Rule of Four": Beyond code, we must educate users:
- Never click unknown links.
- Avoid unverified software.
- Verify every signature detail (Spender, Value, Deadline).
- Never transfer to unverified addresses.
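The fields the attacker relied on (spender, value, deadline) can be checked programmatically before a wallet or dApp frontend asks the user to sign. The following is an added example, not code from the original post or from any wallet: a pre-signature audit of an eth_signTypedData_v4 payload whose primaryType is Permit. The allowlist, the 30-day deadline threshold, and all addresses and timestamps are constructed assumptions.

```javascript
// Added example (not from the original post): audit an eth_signTypedData_v4
// payload before it is signed, flagging the fields a permit harvester abuses.
// Allowlist, thresholds and sample addresses are assumptions for illustration.
const MAX_UINT256 = (1n << 256n) - 1n;
const THIRTY_DAYS_SEC = 30 * 24 * 60 * 60;

function auditPermitRequest(typedData, { connectedAccount, trustedSpenders, nowSec }) {
  const findings = [];
  // Only EIP-2612 Permit messages are audited; other typed data passes through.
  if (typedData.primaryType !== 'Permit') return findings;
  const lc = (a) => String(a).toLowerCase();
  const declared = (typedData.types.Permit || []).map((f) => f.name);
  for (const f of ['owner', 'spender', 'value', 'deadline']) {
    if (!declared.includes(f)) findings.push(`MALFORMED_PERMIT:${f}`);
  }
  if (findings.length) return findings;
  const m = typedData.message;
  // owner must be the connected account; spender is who may call transferFrom.
  if (connectedAccount && lc(m.owner) !== lc(connectedAccount)) findings.push('OWNER_MISMATCH');
  if (!trustedSpenders.map(lc).includes(lc(m.spender))) findings.push('UNKNOWN_SPENDER');
  // Phishing permits usually ask for an unlimited allowance ...
  if (BigInt(m.value) === MAX_UINT256) findings.push('UNLIMITED_ALLOWANCE');
  // ... and a deadline so far away that the harvested signature never expires.
  if (BigInt(m.deadline) > BigInt(nowSec + THIRTY_DAYS_SEC)) findings.push('LONG_DEADLINE');
  return findings;
}

// Constructed payload in the shape a dApp (or a phishing site) sends to the wallet.
function makePermit(spender, value, deadline) {
  return {
    primaryType: 'Permit',
    domain: { name: 'ExampleToken', version: '1', chainId: 1, verifyingContract: '0x' + '22'.repeat(20) },
    types: { Permit: [{ name: 'owner', type: 'address' }, { name: 'spender', type: 'address' },
      { name: 'value', type: 'uint256' }, { name: 'nonce', type: 'uint256' }, { name: 'deadline', type: 'uint256' }] },
    message: { owner: USER, spender, value, nonce: '0', deadline },
  };
}
const USER = '0x' + 'aa'.repeat(20);        // constructed victim account
const DEX_ROUTER = '0x' + 'bb'.repeat(20);  // constructed trusted spender (allowlisted)
const UNKNOWN = '0x' + 'cc'.repeat(20);     // constructed attacker-controlled spender
const NOW = 1771804800;                     // constructed "now": 2026-02-23 00:00 UTC
const CTX = { connectedAccount: USER, trustedSpenders: [DEX_ROUTER], nowSec: NOW };
const PHISHING_PERMIT = makePermit(UNKNOWN, '0x' + 'ff'.repeat(32), String(MAX_UINT256));
const BENIGN_PERMIT = makePermit(DEX_ROUTER, '17940000', String(NOW + 600));
console.log(auditPermitRequest(PHISHING_PERMIT, CTX)); // [ 'UNKNOWN_SPENDER', 'UNLIMITED_ALLOWANCE', 'LONG_DEADLINE' ]
console.log(auditPermitRequest(BENIGN_PERMIT, CTX));   // []
```

A wallet or frontend that surfaces these findings next to the signing prompt gives the user the "Spender, Value, Deadline" check from the rule above without relying on them to parse hex by eye.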
Conclusion
The $92K XAUt theft is a stark reminder that even "gasless" features can be weaponized. As we build more seamless experiences, security must remain the primary layer.