Short answer

Permit (EIP-2612) and Permit2 signatures are the leading vector for crypto theft in 2025-2026. The danger: a Permit signature looks like a meaningless string in your wallet UI, but signing it grants the attacker permission to transfer up to a specified amount of a specific token from your wallet, until a deadline that can be set so far out it is effectively indefinite. The attacker doesn't need you to send funds; they hold permission to take them. Permit2 makes this worse by enabling cross-token, multi-asset approval in a single signature.

The technical mechanism

Standard ERC-20 approval requires an on-chain transaction (visible to you, costs gas). EIP-2612 introduced "Permit" as a gas-saving alternative: instead of sending an approve() transaction, the user signs a typed data message (EIP-712) authorizing a spender. The signature is valid on-chain: anyone holding it can submit it to the token contract's permit() function, and the contract sets the allowance exactly as if you had called approve() yourself.

From the user's perspective: a popup appears asking you to sign a structured message with fields like "owner: 0xYOU, spender: 0xATTACKER, value: max, deadline: 2099." If you sign, the attacker now holds proof that you authorized them to transfer up to "max" of that token. They can submit the proof on-chain at any moment before the deadline.

Permit2 makes it worse

Uniswap launched Permit2 in late 2022 as a unified approval contract. Permit2 signatures can authorize multiple tokens at once, with granular per-token amounts, so a single Permit2 signature can grant access to your USDC, USDT, WETH, stETH, and any other token you hold.

Permit2 also adds batched transfer capability, so the attacker can drain multiple assets in one Permit2 execution rather than one transaction per token.

Why this is hard to detect

The signature popup looks like:

Sign typed data?
Type: Permit
Owner: 0xYourAddress
Spender: 0x... (a long hex string)
Value: 115792089237316195423570985008687907853269984665640564039457584007913129639935
Deadline: 99999999999

To a non-expert user, this is unreadable. The huge value is 2^256-1, the maximum uint256, which means unlimited. The huge deadline is a Unix timestamp in the year 5138, effectively "never expires." Yet many wallets display this as just "Confirm signature?" without explaining the consequences.

What modern wallets do

Rabby Wallet displays Permit signatures with human-readable summaries: "You are authorizing 0xSpender to transfer unlimited USDC from your wallet, with no expiration. WARNING: This is the same as giving them direct access to your USDC balance." MetaMask did not do this before 2024; since then it has added similar warnings.

Hardware wallets (Trezor Safe 3+, Ledger with updated firmware) display the parsed Permit fields on-device, requiring physical confirmation.
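The checks a wallet like the ones above performs on a typed-data request can be written down directly. The following is an added example, not code from Rabby, MetaMask or Uniswap: it reads the EIP-712 object a dApp passes to the wallet, recognizes EIP-2612 Permit and Permit2 PermitSingle/PermitBatch messages by their standard field names, and reports the signals this page describes (unvetted spender, unlimited amount, far-off expiry, many tokens in one signature). The trusted-spender list, timestamps and addresses in the sample are constructed placeholders.

```javascript
// Added example (not wallet or Uniswap code): inspect an EIP-712 typed-data
// request before signing and flag the risk signals described above.
// Field names follow EIP-2612 (primaryType "Permit") and Uniswap Permit2's
// AllowanceTransfer types ("PermitSingle" / "PermitBatch").
const MAX_UINT256 = (1n << 256n) - 1n; // EIP-2612 `value` is a uint256
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 `amount` is a uint160
const ONE_YEAR = 365n * 24n * 60n * 60n;

// `now` is the current Unix time as a BigInt; `trustedSpenders` is a
// hypothetical allowlist of contract addresses the user has vetted.
function analyzePermitRequest(typedData, now, trustedSpenders = []) {
  const { primaryType, domain, message } = typedData;
  const trusted = new Set(trustedSpenders.map((a) => String(a).toLowerCase()));
  let grants;
  if (primaryType === "Permit") {
    // EIP-2612: the token is the contract that verifies the signature.
    grants = [{ token: domain.verifyingContract, spender: message.spender,
                amount: BigInt(message.value), expiry: BigInt(message.deadline),
                unlimited: MAX_UINT256 }];
  } else if (primaryType === "PermitSingle" || primaryType === "PermitBatch") {
    // Permit2: verifyingContract is Permit2 itself; the tokens live in `details`.
    const details = Array.isArray(message.details) ? message.details : [message.details];
    grants = details.map((d) => ({ token: d.token, spender: message.spender,
                                    amount: BigInt(d.amount), expiry: BigInt(d.expiration),
                                    unlimited: MAX_UINT160 }));
  } else {
    return { isApproval: false, grants: [], warnings: [] }; // not an allowance grant
  }
  const warnings = [];
  for (const g of grants) {
    if (!trusted.has(String(g.spender).toLowerCase()))
      warnings.push(`spender ${g.spender} is not a vetted contract`);
    if (g.amount === g.unlimited) warnings.push(`unlimited allowance on ${g.token}`);
    if (g.expiry - now > ONE_YEAR) warnings.push(`allowance on ${g.token} outlives one year`);
  }
  if (grants.length > 1) warnings.push(`one signature grants ${grants.length} token allowances`);
  return { isApproval: true, grants, warnings };
}

// Constructed sample: a phishing-style EIP-2612 request; all addresses are placeholders.
const PHISHING_PERMIT = {
  primaryType: "Permit",
  domain: { name: "USD Coin", version: "2", chainId: 1, verifyingContract: "0x" + "aa".repeat(20) },
  message: { owner: "0x" + "11".repeat(20), spender: "0x" + "bb".repeat(20),
             value: "115792089237316195423570985008687907853269984665640564039457584007913129639935",
             nonce: "0", deadline: "99999999999" },
};
const PHISHING_REPORT = analyzePermitRequest(PHISHING_PERMIT, 1700000000n, []);
// PHISHING_REPORT.warnings lists the unvetted spender, the unlimited value and the far-off deadline.
```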

The defense

Three rules:

Never sign a Permit unless you're using a known dApp that requires it (Uniswap, 1inch with Permit2-enabled mode). If a random "airdrop claim" or "wallet verification" page prompts a Permit signature, refuse.

Read the spender address. It should be the dApp's contract, shown as a verified contract on Etherscan, not a random externally owned wallet address.

Run revoke.cash quarterly and revoke Permit2 allowances you don't recognize. Note that revoke.cash can only show allowances already recorded on-chain; a Permit signature the attacker has obtained but not yet submitted leaves no trace there, which is why the first two rules matter more than the third.

Further reading: EIP-2612 Permit, Phishing.