true402
guide · wallet safety

How wallets get drained.

Most “hacks” aren’t hacks — you signed something. A drainer gets a permission out of you, then uses it. Understand the three ways it happens and you can stop signing the one that empties your wallet.

§01 · approval abuse

The classic: unlimited approve.

You send an ERC-20 approve transaction — usually for an unlimited amount — naming a contract as spender. That sets an allowance: the spender can now call transferFrom and move that token out of your wallet, up to the allowance, at any time, with no further signature from you. A drainer waits, then sweeps the balance in a single transferFrom. The private key was never needed; the approval was the access.
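A worked decoder for the calldata behind that approve, added here as an example (not code from the true402 page or its API). It ABI-encodes and decodes approve(address,uint256) and flags the two things a wallet should shout about: a spender you did not intend, and an allowance at or above the token’s supply, which is unlimited in effect even when it is not 2**256-1. The addresses, supply and calldata are constructed for illustration.

```python
# Added example (not the true402 page's code): encode and decode ERC-20
# approve(address,uint256) calldata and flag what a wallet should warn about.
# Pure Python, no chain access. Addresses, supply and calldata are constructed.

APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = 2**256 - 1        # the value wallets label "unlimited"

def _word(n):
    """One 32-byte ABI word as 64 hex characters, big-endian."""
    return f"{n:064x}"

def encode_approve(spender, amount):
    """Build approve(spender, amount) calldata. approve(spender, 0) is the revoke form."""
    if not 0 <= amount <= UINT256_MAX:
        raise ValueError("amount out of uint256 range")
    return "0x" + APPROVE_SELECTOR + _word(int(spender, 16)) + _word(amount)

def decode_approve(calldata):
    """Parse approve(address,uint256) calldata into its spender and amount."""
    data = calldata[2:] if calldata.startswith("0x") else calldata
    if len(data) != 8 + 64 + 64:
        raise ValueError("unexpected calldata length for approve(address,uint256)")
    selector, spender_word, amount_word = data[:8], data[8:72], data[72:]
    if selector.lower() != APPROVE_SELECTOR:
        raise ValueError(f"selector 0x{selector} is not approve(address,uint256)")
    if spender_word[:24] != "0" * 24:   # an address word is left-padded with 12 zero bytes
        raise ValueError("spender word is not a padded address")
    return {"spender": "0x" + spender_word[24:].lower(), "amount": int(amount_word, 16)}

def assess_approval(calldata, expected_spender, token_supply):
    """Red flags to raise before signing. token_supply is the token's totalSupply
    (fetched on-chain in practice); any allowance at or above it is unlimited in
    effect even when it is not 2**256-1."""
    call = decode_approve(calldata)
    flags = []
    if call["spender"] != expected_spender.lower():
        flags.append("spender_mismatch")            # not the contract you meant to approve
    if call["amount"] == UINT256_MAX:
        flags.append("unlimited_allowance")
    elif call["amount"] >= token_supply:
        flags.append("allowance_exceeds_supply")    # effectively unlimited
    return flags

# Constructed sample: the router you meant to use vs. the spender a phishing page slips in.
INTENDED_ROUTER = "0x1111111111111111111111111111111111111111"   # hypothetical
DRAINER = "0x2222222222222222222222222222222222222222"           # hypothetical
TOKEN_SUPPLY = 1_000_000 * 10**18                                # hypothetical 1M-token supply

PHISHED_CALL = encode_approve(DRAINER, UINT256_MAX)            # what the drainer asks you to sign
EXACT_CALL = encode_approve(INTENDED_ROUTER, 250 * 10**18)     # what a careful user signs instead

if __name__ == "__main__":
    for label, call in (("phished", PHISHED_CALL), ("exact", EXACT_CALL)):
        print(label, decode_approve(call), assess_approval(call, INTENDED_ROUTER, TOKEN_SUPPLY))
```

Run it against the hex your wallet shows under “data” for any approve; the supply comparison is the check most wallets skip, and encode_approve(spender, 0) is the revoke transaction §05 tells you to send.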

§02 · permit phishing

The newer one: just a signature.

Tokens that implement EIP-2612 permit let you grant an allowance by signing an EIP-712 typed-data message (owner, spender, value, nonce, deadline) instead of sending a transaction; whoever holds the signature submits it to the token’s permit() and pays the gas. Drainers get you to sign a message dressed up as a login or a claim that is actually a permit naming them as spender, usually for an unlimited value with a far-future deadline. Because it’s “just a signature,” it feels safe — which is the trap. A signature you don’t fully understand is as dangerous as a transaction.
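What a wallet should pull out of the eth_signTypedData_v4 payload before you sign, added here as an example (not code from true402). It recognises the EIP-2612 Permit struct by its field names, reports the token, spender, value and deadline the signature would authorize regardless of what the site’s button says, and flags the drainer pattern. The “claim” payload, addresses and timestamp are constructed; the 30-day deadline threshold is a chosen heuristic, not a standard.

```python
# Added example (not the true402 page's code): inspect an eth_signTypedData_v4
# payload and say what signing it grants. Pure Python; payloads, addresses and
# the timestamp are constructed for illustration.
import json

UINT256_MAX = 2**256 - 1
PERMIT_FIELDS = {"owner", "spender", "value", "nonce", "deadline"}   # EIP-2612 Permit struct
MAX_SANE_DEADLINE = 30 * 86400   # heuristic: a permit valid longer than this is a standing grant

def _uint(v):
    """EIP-712 JSON carries uint256 as decimal strings, hex strings or ints."""
    return int(v, 16) if isinstance(v, str) and v.startswith("0x") else int(v)

def audit_typed_data(payload, signer, expected_spender, now):
    """Return what signing `payload` authorizes plus red flags.

    signer: the account asked to sign. expected_spender: the contract the site
    claims to be, or None if unknown. now: unix time, passed in for determinism.
    """
    td = json.loads(payload)
    primary = td.get("primaryType", "")
    fields = {f["name"] for f in td.get("types", {}).get(primary, [])}
    msg, domain = td.get("message", {}), td.get("domain", {})
    report = {"primary_type": primary, "is_token_approval": False, "flags": []}

    if primary == "Permit" and PERMIT_FIELDS <= fields:
        # verifyingContract is the token whose allowance this sets; the UI label is irrelevant.
        report.update(
            is_token_approval=True,
            token=str(domain.get("verifyingContract", "")).lower(),
            spender=msg["spender"].lower(),
            value=_uint(msg["value"]),
            deadline=_uint(msg["deadline"]),
        )
        if msg["owner"].lower() != signer.lower():
            report["flags"].append("owner_is_not_signer")
        if expected_spender is None or report["spender"] != expected_spender.lower():
            report["flags"].append("spender_unexpected")
        if report["value"] == UINT256_MAX:
            report["flags"].append("unlimited_value")
        if report["deadline"] > now + MAX_SANE_DEADLINE:
            report["flags"].append("deadline_far_future")   # redeemable long after you forget it
    elif "spender" in fields:
        report["flags"].append("grants_spender_rights")      # permit-like struct under another name
    return report

# Constructed sample data (all hypothetical).
VICTIM = "0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
DRAINER = "0xBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
ROUTER = "0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
TOKEN = "0xDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"    # an ERC-20 with permit()
NOW = 1_700_000_000

def _permit_payload(owner, spender, value, deadline):
    """Build the typed-data JSON a dapp passes to eth_signTypedData_v4 for a Permit."""
    return json.dumps({
        "types": {
            "EIP712Domain": [{"name": "name", "type": "string"}, {"name": "version", "type": "string"},
                             {"name": "chainId", "type": "uint256"}, {"name": "verifyingContract", "type": "address"}],
            "Permit": [{"name": "owner", "type": "address"}, {"name": "spender", "type": "address"},
                       {"name": "value", "type": "uint256"}, {"name": "nonce", "type": "uint256"},
                       {"name": "deadline", "type": "uint256"}],
        },
        "primaryType": "Permit",
        "domain": {"name": "Hypothetical Token", "version": "1", "chainId": 8453, "verifyingContract": TOKEN},
        "message": {"owner": owner, "spender": spender, "value": str(value), "nonce": "0", "deadline": str(deadline)},
    })

PHISHED_PAYLOAD = _permit_payload(VICTIM, DRAINER, UINT256_MAX, UINT256_MAX)   # behind a "claim" button
LEGIT_PAYLOAD = _permit_payload(VICTIM, ROUTER, 250 * 10**18, NOW + 20 * 60)   # exact amount, short-lived

if __name__ == "__main__":
    print(json.dumps(audit_typed_data(PHISHED_PAYLOAD, VICTIM, None, NOW), indent=2))
    print(json.dumps(audit_typed_data(LEGIT_PAYLOAD, VICTIM, ROUTER, NOW), indent=2))
```

The point of the field-based detection is that the site controls the domain name and the button text but not the struct: if the message carries owner/spender/value/deadline, it is an approval whatever it is called.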

§03 · the CREATE2 trick

Approving an “empty” address.

A sophisticated variant routes your approval to an address that looks empty and harmless when you check it — no code, no history — then the attacker uses CREATE2 to deploy the draining contract at that exact address right after you sign. CREATE2 makes the address a pure function of the deployer, a salt and the hash of the init code, so the attacker knows it before anything exists there. The lesson: an address being empty now is not proof it’s safe to approve; a spender you can’t profile is a spender you don’t approve.

§04 · defend

Check the spender, never sign blind.

  • Profile the contract before you approve or sign — is it an upgradeable proxy, owned, sketchy? true402’s address-safety reads it on-chain.
  • Approve the exact amount, not unlimited.
  • Decode every signature — use a wallet that shows you what a message authorizes; reject anything you don’t understand.
  • Revoke approvals you’re done with (an approve for 0 to the same spender), and use a separate wallet for risky sites.
profile a spender before approving
# Before you approve or sign for a contract, profile it. ~$0.005 USDC, no account.
curl -s -X POST https://true402.dev/api/v1/base/address-safety \
  -H 'content-type: application/json' \
  -d '{"address":"0x<spender-or-site-contract>"}'

# { "type":"contract", "contract":{ "isProxy":true, "ownership":"active" },
#   "risk":"medium", "flags":["upgradeable_proxy","owner_not_renounced"] }

§05 · if you’re drained

Move, revoke, don’t pay for “recovery.”

Move what remains to a fresh wallet now, keeping just enough gas behind to send the revoke transactions; revoke the old wallet’s approvals; save the tx hashes; report the addresses. On-chain transfers can’t be reversed, so anyone offering paid recovery is a second scam. See also “is it safe to approve this contract” and “recovering from a scam”.

§06 · questions

Answered for machines.

How do crypto wallet drainers work?

A drainer tricks you into granting it permission to move your tokens, then moves them. The classic version: a malicious site gets you to sign an ERC-20 approve for an unlimited amount to its contract; later it calls transferFrom and pulls those tokens out, no further signature needed. Newer versions skip the approval transaction entirely by getting you to sign a gasless permit (EIP-2612) message that sets the same allowance, or use the CREATE2 trick to route approval to an address that looks empty until the attacker deploys the draining contract there. In every case you authorized it — the defence is to never sign blind and to check what you are approving.

How did my wallet get drained right after I approved a contract?

You approved a malicious or compromised spender. An approval lets a contract move your tokens up to a limit; if that limit was unlimited and the contract was a drainer, it called transferFrom and swept your balance as soon as the approval confirmed — no private key required, because the approval already gave it standing permission. This is why an approval to an unfamiliar contract is high-stakes: the signature is the whole attack.

What is permit phishing / a malicious signature request?

Some tokens support EIP-2612 "permit" — a gasless approval you grant by signing a message rather than sending a transaction. Drainers abuse this by getting you to sign an innocuous-looking message that is actually a permit authorizing them to move your tokens. Because it is "just a signature," it can feel safer than a transaction, which is exactly the trap. Treat any signature request you do not fully understand as dangerous, and use a wallet that decodes what you are signing.

My wallet got drained — what should I do now?

Move whatever remains to a fresh wallet immediately (assume the compromised wallet is permanently unsafe if you signed something on a malicious site). Revoke any active token approvals from the old wallet using an approvals checker. Save the transaction hashes and report the addresses. Do not engage anyone offering "recovery" — that is a second scam; on-chain transfers cannot be reversed and no one can claw your tokens back for a fee.