Most “hacks” aren’t hacks — you signed something. A drainer gets a
permission out of you, then uses it. Understand the three ways it happens and you can stop signing
the one that empties your wallet.
§01 · approval abuse
The classic: unlimited approve.
You sign an ERC-20 approve — usually for an unlimited amount — to a contract. That contract can now move that token from your wallet, at any time, with no further signature. A drainer waits, then calls transferFrom and sweeps the balance. The private key was never needed; the approval was the access.
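The mechanic above, as an added example that is not code from the page or from true402: a minimal in-memory model of ERC-20 `approve` / `transferFrom`. It shows that an unlimited allowance is standing permission (it even covers tokens that arrive later), that an exact-amount allowance caps what a bad spender can take, and that `approve(spender, 0)` revokes. Token, addresses and balances are constructed placeholders.

```python
# Added example (not the page's or true402's code): a toy ERC-20 ledger that
# reproduces the approve -> transferFrom flow. Addresses and balances are
# constructed placeholders; no chain is involved.

MAX_UINT256 = 2**256 - 1  # the "unlimited" value most approval prompts default to


class ToyERC20:
    """Just enough of ERC-20 to show why an approval is standing permission."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        # approve() overwrites the previous value; approve(spender, 0) revokes.
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance.get((owner, spender), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise PermissionError("insufficient allowance or balance")
        # Many tokens skip the decrement for an unlimited allowance, which is
        # what makes a MAX_UINT256 approval effectively permanent.
        if allowed != MAX_UINT256:
            self.allowance[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def drain(token, spender, victim, sink):
    """What any spender with an allowance can do: sweep whatever it permits."""
    allowed = token.allowance.get((victim, spender), 0)
    take = min(allowed, token.balances.get(victim, 0))
    if take:
        token.transfer_from(spender, victim, sink, take)
    return take


VICTIM, SPENDER, SINK = "0xVICTIM", "0xSPENDER", "0xSINK"  # constructed labels


def unlimited_approval_loss():
    token = ToyERC20({VICTIM: 1_000})
    token.approve(VICTIM, SPENDER, MAX_UINT256)
    first = drain(token, SPENDER, VICTIM, SINK)   # sweeps the full 1_000
    token.balances[VICTIM] += 500                 # victim receives more tokens later
    second = drain(token, SPENDER, VICTIM, SINK)  # those go too, no new signature
    return first + second


def exact_approval_loss():
    token = ToyERC20({VICTIM: 1_000})
    token.approve(VICTIM, SPENDER, 100)           # only what the interaction needs
    first = drain(token, SPENDER, VICTIM, SINK)   # at most 100
    second = drain(token, SPENDER, VICTIM, SINK)  # allowance spent: nothing left to take
    return first + second


def revoked_approval_loss():
    token = ToyERC20({VICTIM: 1_000})
    token.approve(VICTIM, SPENDER, MAX_UINT256)
    token.approve(VICTIM, SPENDER, 0)             # revoke before the spender acts
    return drain(token, SPENDER, VICTIM, SINK)


if __name__ == "__main__":
    print("unlimited approval, total lost:", unlimited_approval_loss())  # 1500
    print("exact approval, total lost:    ", exact_approval_loss())      # 100
    print("revoked approval, total lost:  ", revoked_approval_loss())    # 0
```

The three functions are the three outcomes the page describes: unlimited approval loses everything the wallet ever holds in that token, an exact approval loses at most the approved amount, and a revoked approval loses nothing.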
§02 · permit phishing
The newer one: just a signature.
Tokens that support EIP-2612 permit let you grant approval by signing a message instead of sending a transaction. Drainers get you to sign an innocuous-looking message that’s actually a permit authorizing them. Because it’s “just a signature,” it feels safe — which is the trap. A signature you don’t fully understand is as dangerous as a transaction.
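What "decode every signature" means in practice, as an added example (not the page's or true402's code): a decoder for an EIP-712 typed-data request that recognises an EIP-2612 `Permit` and states what it authorizes, flagging an unlimited `value`, a far-future `deadline` and a spender you have not vetted. The sample request, its addresses and the token domain are constructed; the field layout (`owner`, `spender`, `value`, `nonce`, `deadline`) is the one EIP-2612 defines.

```python
# Added example (not the page's or true402's code): decode an eth_signTypedData
# request and describe what an EIP-2612 Permit would grant. The sample request
# and every address in it are constructed.
import json
import time

MAX_UINT256 = 2**256 - 1
PERMIT_FIELDS = {"owner", "spender", "value", "nonce", "deadline"}

# Constructed: the typed data a wallet would be asked to sign on a permit phish.
SAMPLE_REQUEST = json.dumps({
    "types": {
        "EIP712Domain": [
            {"name": "name", "type": "string"}, {"name": "version", "type": "string"},
            {"name": "chainId", "type": "uint256"}, {"name": "verifyingContract", "type": "address"},
        ],
        "Permit": [
            {"name": "owner", "type": "address"}, {"name": "spender", "type": "address"},
            {"name": "value", "type": "uint256"}, {"name": "nonce", "type": "uint256"},
            {"name": "deadline", "type": "uint256"},
        ],
    },
    "primaryType": "Permit",
    "domain": {"name": "Example Token", "version": "1", "chainId": 8453,
               "verifyingContract": "0x" + "aa" * 20},      # constructed token address
    "message": {"owner": "0x" + "11" * 20,                  # constructed: you
                "spender": "0x" + "bb" * 20,                # constructed: the site's contract
                "value": str(MAX_UINT256),                  # unlimited
                "nonce": "0",
                "deadline": str(2**48)},                    # effectively never expires
})


def _to_int(v):
    """uint256 fields arrive as int, decimal string or 0x-hex string depending on the wallet."""
    if isinstance(v, int):
        return v
    return int(v, 16) if str(v).lower().startswith("0x") else int(v)


def decode_permit(typed_data_json, known_spenders=(), now=None, long_lived=30 * 24 * 3600):
    """Return what the signature would grant, plus red flags a wallet should surface."""
    data = json.loads(typed_data_json)
    msg = data.get("message", {})
    if data.get("primaryType") != "Permit" or not PERMIT_FIELDS <= set(msg):
        return {"is_permit": False, "flags": []}
    dom = data.get("domain", {})
    value, deadline = _to_int(msg["value"]), _to_int(msg["deadline"])
    now = time.time() if now is None else now
    flags = []
    if value == MAX_UINT256:
        flags.append("unlimited_value")
    if deadline - now > long_lived:
        flags.append("long_lived_deadline")
    if msg["spender"].lower() not in {s.lower() for s in known_spenders}:
        flags.append("unknown_spender")
    return {
        "is_permit": True,
        "token": dom.get("verifyingContract"),
        "chain_id": dom.get("chainId"),
        "spender": msg["spender"],
        "value": "UNLIMITED" if value == MAX_UINT256 else str(value),
        "deadline": deadline,
        "flags": flags,
    }


def summarize(decoded):
    """One line in plain words, the way a decoding wallet should present it."""
    if not decoded["is_permit"]:
        return "not a Permit; read the message body before signing"
    return (f"Permit on token {decoded['token']} (chain {decoded['chain_id']}): "
            f"spender {decoded['spender']} may move {decoded['value']} of your tokens "
            f"until unix time {decoded['deadline']}; flags={decoded['flags']}")


if __name__ == "__main__":
    print(summarize(decode_permit(SAMPLE_REQUEST)))
```

Anything that decodes with `unlimited_value` or `unknown_spender` is the signature the page tells you to refuse; a legitimate permit for a swap names a spender you chose, an amount you chose and a deadline minutes away.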
§03 · the CREATE2 trick
Approving an “empty” address.
A sophisticated variant routes your approval to an address that looks empty and harmless when you check it — then the attacker uses CREATE2 to deploy the draining contract at that exact predicted address right after you sign. The lesson: an address being empty now is not proof it’s safe to approve.
§04 · defend
Check the spender, never sign blind.
Profile the contract before you approve or sign — is it an upgradeable proxy, still controlled by an owner, or otherwise sketchy? true402’s address-safety reads it on-chain.
Approve the exact amount, not unlimited.
Decode every signature — use a wallet that shows you what a message authorizes; reject anything you don’t understand.
Revoke approvals you’re done with, and use a separate wallet for risky sites.
profile a spender before approving
# Before you approve or sign for a contract, profile it. ~$0.005 USDC, no account.
curl -s -X POST https://true402.dev/api/v1/base/address-safety \
  -H 'content-type: application/json' \
  -d '{"address":"0x<spender-or-site-contract>"}'
# { "type":"contract", "contract":{ "isProxy":true, "ownership":"active" },
#   "risk":"medium", "flags":["upgradeable_proxy","owner_not_renounced"] }
§05 · if you’re drained
Move, revoke, don’t pay for “recovery.”
Move what remains to a fresh wallet now; revoke the old wallet’s approvals; save the tx hashes; report the addresses. On-chain transfers can’t be reversed, so anyone offering paid recovery is a second scam. See also is it safe to approve this contract and recovering from a scam.
§06 · questions
Answered for machines.
How do crypto wallet drainers work?
A drainer tricks you into granting it permission to move your tokens, then moves them. The classic version: a malicious site gets you to sign an ERC-20 approve for an unlimited amount to its contract; later it calls transferFrom and pulls those tokens out, no further signature needed. Newer versions skip the approval entirely by getting you to sign a gasless permit (EIP-2612) message, or use the CREATE2 trick to route approval to an address that looks empty until the attacker deploys the draining contract there. In every case you authorized it — the defence is to never sign blind and to check what you are approving.
How did my wallet get drained right after I approved a contract?
You approved a malicious or compromised spender. An approval lets a contract move your tokens up to a limit; if that limit was unlimited and the contract was a drainer, it called transferFrom and swept your balance the moment you signed — no private key required, because the approval already gave it standing permission. This is why an approval to an unfamiliar contract is high-stakes: the signature is the whole attack.
What is permit phishing / a malicious signature request?
Some tokens support EIP-2612 "permit" — a gasless approval you grant by signing a message rather than sending a transaction. Drainers abuse this by getting you to sign an innocuous-looking message that is actually a permit authorizing them to move your tokens. Because it is "just a signature," it can feel safer than a transaction, which is exactly the trap. Treat any signature request you do not fully understand as dangerous, and use a wallet that decodes what you are signing.
My wallet got drained — what should I do now?
Move whatever remains to a fresh wallet immediately (assume the compromised wallet is permanently unsafe if you signed something on a malicious site). Revoke any active token approvals from the old wallet using an approvals checker. Save the transaction hashes and report the addresses. Do not engage anyone offering "recovery" — that is a second scam; on-chain transfers cannot be reversed and no one can claw your tokens back for a fee.