Crypto Wallet Signature Scams

How do signatures work?

Crypto wallet signatures are approvals that can be given without network costs. They use the wallet’s private key to confirm that the owner of the wallet authorizes the transaction.
 

Remember: The owner of the wallet is whoever holds the recovery phrase. Keep your recovery phrase secure and never share it!
 

The Uniswap Permit2 contract allows any token to be turned into a signature permit token, which in turn allows an approval to be given without network costs.
 

Permit2 signatures come with a much higher need for users to verify the data they sign. If a wallet has approved a token using the Uniswap Permit2 contract, the only thing needed for any protocol to spend the tokens is a signature. With this signature, tokens could be transferred from your wallet using another wallet to pay the network costs, or a contract could be given the ability to manage the tokens in a wallet, among other actions.


Signatures are easy to click through in a wallet, since you will not see a transaction cost and only need to select “Sign” for the signature to be complete. Functionally, all you are doing is clicking “OK” when you sign an approval.
 

Once a signature is complete, it lives offchain until a wallet broadcasts this signature in a transaction. This can be broadcast at any time, so you may not notice any action at the time you sign.
 

What does a signature look like?

The signature approval has all the details of the address that can spend your tokens. Some wallets will break this down so a user can understand it without knowing the code, and some will only show the raw data.
 

Here is what a signature looks like in the Uniswap Wallet:

[Screenshot: signature data as displayed in the Uniswap Wallet]


You can see:

  • The owner of the tokens
  • The protocol that can spend the token
  • The address of the token that can be spent
  • The amount of tokens they can spend (limited by the onchain approval limit)
  • The amount of time the approval is good for (displayed as a Unix timestamp)

Note that for the official Uniswap app, the protocol will always be https://app.uniswap.org/, or our current Permit2 contract if the wallet shows the contract address.
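
When a wallet only shows the raw data, the fields listed above can still be checked by hand or with a small script. The following is an added example, not Uniswap code: it reads a Permit2-style typed-data request and flags the fields worth a second look. The field names assume Permit2's PermitSingle layout, and every address, the sample request, and the trust settings are constructed placeholders.

```javascript
// Added example. Addresses are constructed placeholders, not real contracts.
const MAX_UINT160 = (1n << 160n) - 1n;
const same = (a, b) => a.toLowerCase() === b.toLowerCase();

// typedData: the EIP-712 payload the site asks you to sign.
// origin: the site that sent the request. trusted: values you verified yourself.
function reviewPermit(typedData, origin, trusted, nowSec) {
  const { details, spender } = typedData.message;
  const warnings = [];
  if (typedData.primaryType !== "PermitSingle")
    warnings.push(`unexpected primaryType ${typedData.primaryType}`);
  if (!same(typedData.domain.verifyingContract, trusted.permit2))
    warnings.push("verifyingContract is not the Permit2 address you trust");
  if (new URL(origin).origin !== new URL(trusted.origin).origin)
    warnings.push(`request came from ${origin}, not ${trusted.origin}`);
  if (!trusted.spenders.some((s) => same(s, spender)))
    warnings.push(`spender ${spender} is not on your trusted list`);
  const amount = BigInt(details.amount);
  if (amount === MAX_UINT160)
    warnings.push("amount is the maximum value; only the onchain approval limits it");
  const expiration = Number(details.expiration); // Unix timestamp, seconds
  const days = Math.floor((expiration - nowSec) / 86400);
  if (days > trusted.maxDays) warnings.push(`approval stays valid for ${days} days`);
  return {
    token: details.token, spender, amount: amount.toString(),
    expiresAt: new Date(expiration * 1000).toISOString(), warnings,
  };
}

// Constructed sample request and trust settings.
const TRUSTED = {
  origin: "https://app.uniswap.org/",
  permit2: "0x" + "11".repeat(20),
  spenders: ["0x" + "22".repeat(20)],
  maxDays: 30,
};
const SAMPLE = {
  primaryType: "PermitSingle",
  domain: { name: "Permit2", chainId: 1, verifyingContract: "0x" + "11".repeat(20) },
  message: {
    details: { token: "0x" + "33".repeat(20), amount: MAX_UINT160.toString(),
               expiration: "1893456000", nonce: "0" },
    spender: "0x" + "44".repeat(20),
    sigDeadline: "1700001800",
  },
};
const NOW = 1700000000; // fixed clock so the output is reproducible
console.log(reviewPermit(SAMPLE, "https://airdrop.example", TRUSTED, NOW));
```

The sample request raises four warnings: wrong origin, unknown spender, maximum amount, and an expiration years in the future.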
     

What are you approving?

Connect: Connecting your wallet means that you are allowing a connection between the website and your wallet. This only allows the website to read your wallet data and send transactions or approvals to your wallet, which you can choose to sign or not.
 

Sign, Approve, and Confirm: When you see these options in a wallet, proceed with caution and verify what you are being asked to sign or approve. This could be a malicious approval or a bad ERC-20 approval transaction. Knowing what you approve and the data that you sign is important. 
Remember, once you sign the data or send a transaction that is accepted by the blockchain, there is no way to reverse this action.
 

Protecting yourself from signature scams

When visiting any web3 website, it is important to use caution and not to rush through signing or connecting to sites. The crypto ecosystem has seen a large increase in signature phishing websites. These are websites that mimic other websites or lure a user in with false hopes of airdrops, fake swaps, or fake migration tools. Always verify the data requested by a signature and verify that the protocol address is the official link.