Phishing Attack

A social engineering technique where attackers trick victims into performing unintended actions, such as signing malicious transactions or calling harmful smart contract functions.

A phishing attack in Web3 is a social engineering technique where an attacker deceives a user into performing an action that benefits the attacker — typically signing a transaction, approving a token transfer, or interacting with a malicious contract. Unlike traditional phishing that steals credentials, Web3 phishing often exploits the irreversible nature of blockchain transactions: once a user signs, there is no undo.

How Phishing Works in Web3

Web3 phishing typically follows this pattern:

  1. Bait: The attacker creates a convincing lure — a fake dApp, a cloned website, a malicious airdrop link, or a social media message
  2. Hook: The victim connects their wallet and is prompted to sign a transaction or message
  3. Exploit: The signed transaction executes a malicious action (draining funds, granting unlimited token approvals, or calling a vulnerable contract function)

Common Web3 Phishing Vectors

Malicious Contract Interaction

Attackers trick users into calling functions on malicious contracts. When combined with tx.origin checks in the victim's contracts, the attacker's contract can impersonate the victim:

```solidity
// Victim's wallet contract authorizes with tx.origin (vulnerable)
require(tx.origin == owner, "Not owner");

// Attacker tricks the owner into calling the attacker's contract, which in
// turn calls the wallet: tx.origin is still the owner, so the check passes
// and funds are drained
```

Fake Token Approvals

A phishing site prompts users to sign an approve transaction granting unlimited spending rights to the attacker's address:

```solidity
// User thinks they are approving a legitimate dApp; the spender is actually
// the attacker's address and the allowance is unlimited
token.approve(attackerAddress, type(uint256).max);
```

Signature Phishing (Permit / EIP-712)

Attackers ask users to sign off-chain typed-data messages (for example an ERC-20 permit) that the attacker then submits on-chain to obtain an approval, without the victim ever sending a transaction:

```solidity
// The victim signs an EIP-712 permit message off-chain; the attacker later
// submits it on-chain and the token contract sets the approval
permit(owner, spender, value, deadline, v, r, s);
```

Blind Signing

Users sign transactions without understanding the payload, especially on hardware wallets that cannot display the full transaction details on their screen, so the user has no way to tell a legitimate call from a malicious one.

Prevention Measures

  1. Use msg.sender instead of tx.origin for authorization checks in smart contracts
  2. Verify contract addresses before interacting with any dApp
  3. Review transaction details carefully before signing — never blind sign
  4. Use transaction simulation tools (like Tenderly or wallet-native simulators) to preview outcomes
  5. Limit token approvals to the exact amount needed, not unlimited
  6. Revoke unused approvals regularly using tools like Revoke.cash
  7. Be skeptical of unsolicited links, airdrops, and urgent messages
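As an added illustration of the tx.origin vector described above and of prevention measure 1 (this is example code, not from the original page; the contract names, including the hypothetical PhishingRelay, are invented), the vulnerable wallet, the relay a phishing site would have the owner call, and the hardened wallet side by side:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable wallet: authorizes on tx.origin, the EOA that signed the
// transaction, regardless of which contract actually made this call.
contract VulnerableWallet {
    address public owner;

    constructor() payable { owner = msg.sender; }

    function withdrawTo(address payable to, uint256 amount) external {
        // Holds even when the owner reaches here through another contract.
        require(tx.origin == owner, "Not owner");
        to.transfer(amount);
    }
}

// Stand-in for the contract a phishing site gets the owner to call
// (hypothetical name). Any transaction the owner signs to it lands here with
// tx.origin still equal to the owner's address.
contract PhishingRelay {
    VulnerableWallet public immutable target;
    address payable public immutable beneficiary;

    constructor(VulnerableWallet _target, address payable _beneficiary) {
        target = _target;
        beneficiary = _beneficiary;
    }

    // Presented to the victim as something harmless, e.g. "claim";
    // it forwards a withdrawal that the wallet accepts because of tx.origin.
    function claim() external {
        target.withdrawTo(beneficiary, address(target).balance);
    }
}

// Hardened wallet: msg.sender is the immediate caller. Routed through
// PhishingRelay it is the relay's address, not the owner, so the
// same lure reverts with "Not owner".
contract SafeWallet {
    address public owner;

    constructor() payable { owner = msg.sender; }

    function withdrawTo(address payable to, uint256 amount) external {
        require(msg.sender == owner, "Not owner");
        to.transfer(amount);
    }
}
```

Deploying both wallets with the same owner and funding, then calling claim() on a relay pointed at each, shows the first drained and the second reverting; only the one-word change in the require differs.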

Impact

Phishing remains one of the most effective attack vectors in Web3. Unlike smart contract exploits that require deep technical knowledge, phishing attacks exploit human psychology and can target any wallet holder regardless of technical sophistication.


© 2026 Zealynx