What starting position does this attack require?

The first step is transferFrom the approved tokens (T1041) — a exfiltration primitive. Assumed environment: target dApp uses permit-style off-chain signatures.

What is the final impact of this kill-chain?

The final step lands on Capture victim signature (mempool / off-chain) (W3-SIG-REPLAY), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 4 steps · 3 edges

Approved

Signature replay across chains → token drain

EIP-2612 permit() signed without chainId / domain separator binding. Capture the off-chain signature on one chain and replay it on another to drain ERC-20 approvals.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Exfiltration

transferFrom the approved tokens

T1041 · Exfiltration Over C2 Channel

Reconnaissance

Find permit() endpoint without chainId binding

W-RECON-API-DISCO · API Endpoint Discovery

Credential Access

Submit same signature on other chain

W3-SIG-REPLAY · Signature Replay

Credential Access

Capture victim signature (mempool / off-chain)

W3-SIG-REPLAY · Signature Replay

§ Context

Assumed environment: target dApp uses permit-style off-chain signatures. The signing structure omits chainId or verifyingContract — a multi-chain deployment shares the same approvals.

§ Steps

01
transferFrom the approved tokensExfiltration
T1041— Exfiltration Over C2 Channel
02
Find permit() endpoint without chainId bindingReconnaissance
W-RECON-API-DISCO— API Endpoint Discovery
03
Submit same signature on other chainCredential Access
W3-SIG-REPLAY— Signature Replay
04
Capture victim signature (mempool / off-chain)Credential Access
W3-SIG-REPLAY— Signature Replay

§ References

T1041Exfiltration Over C2 Channel

§ Frequently asked

What is the "Signature replay across chains → token drain" attack path?: EIP-2612 permit() signed without chainId / domain separator binding. Capture the off-chain signature on one chain and replay it on another to drain ERC-20 approvals. It chains 4 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is transferFrom the approved tokens (T1041) — a exfiltration primitive. Assumed environment: target dApp uses permit-style off-chain signatures.
What is the final impact of this kill-chain?: The final step lands on Capture victim signature (mempool / off-chain) (W3-SIG-REPLAY), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Signature replay across chains → token drain

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Open MongoDB → dump every collection

JWT RS256 → HS256 algorithm confusion → admin

GraphQL introspection → BOLA → mass enum

Single-packet race → coupon stacking

NoSQL injection → auth bypass → admin