One trader is out roughly $1 million after falling victim to a phishing attack that weaponized Uniswap’s Permit2 feature. The attack didn’t require a protocol hack or a zero-day exploit. The trader simply signed something they shouldn’t have.

How a single signature drains a wallet

Permit2 is a token approval contract introduced by Uniswap to streamline how users grant spending permissions across decentralized apps. Instead of approving each token interaction separately, Permit2 lets you sign a single off-chain message that covers multiple tokens at once.

In this attack, the trader was tricked into signing a Permit2 message that handed a malicious contract the keys to their wallet. No second prompt, no confirmation screen, no warning. The funds left quietly.

A separate incident saw a holder of the $VIRTUAL token lose around $196,000 through the same category of attack. Different wallet, different token, same mechanic: one bad signature, total loss.