Permit Phishing is a Nightmare. Here’s How OneKey Plans to Stop It.

NiqNiq
Jul 18, 2025

Key Takeaways

• Permit phishing now causes most ERC-20 token losses in phishing scams across EVM chains.

• “Blind signing” makes these scams possible — users can’t see what they’re approving.

• OneKey App and Pro wallet now detect Permit-type risks and issue warnings before signing.

• ABI decoding is being rolled out to reveal contract intent and token changes in human-readable form.

• Hardware wallet updates will bring embedded ABIs and dynamic QR verification for full transparency.

• OneKey is also building emergency revoke systems and partnering with BlockAid, ScamSniffer, and GoPlus for proactive threat alerts.

This is a quiet war.

One we can’t afford to lose.

At first, the idea behind “Permit” was good: it was meant to make token approvals cheaper and easier. Today it has become one of the biggest security nightmares on EVM chains.

ScamSniffer (@realScamSniffer) has shown the harsh reality. Across multiple networks, 90% of assets lost to phishing are ERC-20 tokens, and the main culprit is Permit or Permit2 phishing signatures.

And it’s not a joke: most of the major phishing cases you’ve heard of this year were Permit phishing.

Back in the early days of Ethereum, token approvals were expensive.

Every time you interacted with a new contract, you had to pay gas for an on-chain approve() before that contract could touch your tokens. Swapping or buying NFTs meant two transactions, each with its own cost.

Now Permit is everywhere in DeFi. With EIP-2612 Permit, the token contract itself accepts a signed message that sets the allowance, so no separate approve() transaction is needed. With Permit2, you approve one shared “middleman” contract a single time, and from then on individual spenders are authorized through signed Permit2 messages.

After that, whenever a contract needs access to your tokens, you only provide an off-chain signature, and whoever submits it pays the gas. Saves you gas. Saves you time.

The bad news? Fake sites, fake airdrops, and sketchy meme coins are everywhere, waiting for you to connect. The moment you open one of these sites, it prompts you to “sign in”. A real sign-in is a harmless text-message signature; what the phishing site actually sends your wallet is a Permit or Permit2 typed-data request with the attacker’s address as the spender. That is how they trick you into giving up a Permit signature.

If you’re using a wallet that doesn’t warn you, or you aren’t looking closely enough, you hand over token permissions in one careless click.

Once the attacker has that signature, they can submit it and drain the approved tokens at any time before its deadline, and the deadline is set by the phishing site, not by you. Most of the time, you won’t even realize that little signature was the key.

Staking tokens get hit especially hard: they are ERC-20s that often sit in large balances, so one successful phishing attack can wipe out positions on a massive scale.

And all of this? It could be avoided if users had the right information and warnings.

Blind Signing: The Real Problem

The heart of the problem is “blind signing”. Permit phishing is just one symptom of it.

“Blind signing” means that when you sign a transaction or message for a smart contract, all the wallet can show you is raw data (a hex blob of calldata, or a hash), not a clear rundown of what you’re agreeing to: no decoded amount, no recipient address, no indication of which contract is being called or which method.

When you sign in this situation, you’re going in blind, and that is exactly what scammers exploit.

To make sense of the raw data, the wallet needs a “dictionary”, and that dictionary is the contract’s ABI (Application Binary Interface). The ABI maps the first four bytes of the calldata (the function selector) to a function name and describes how the argument bytes that follow are laid out, so the wallet can pick out the key details: which method, which recipient, how much.

Hardware wallets do offer protection: they keep your private keys safe even if your PC or phone is compromised. But a hardware wallet has limited storage and compute and no network connection, so it cannot fetch the ABI for whatever contract it is being asked to sign for. Without an ABI it can only display the raw data, which is precisely the blind-signing problem.

How OneKey Is Tackling This

Blind signing is a problem we’re committed to solving.

(1) What We’ve Already Done

We’re going after the biggest threat right now: Permit phishing, which is how most hackers are stealing assets.

Attackers request signatures whose EIP-712 type is Permit (the EIP-2612 token permit) or one of Permit2’s PermitSingle, PermitBatch, PermitTransferFrom and PermitBatchTransferFrom, and all of these need to be flagged.

OneKey’s App software wallet and OneKey Pro hardware wallet now support Permit-type risk alerts on Ethereum and EVM Layer 2s.

If you’re about to sign something of a Permit type, we show a bold warning before you confirm. Classic 1S support is coming soon.

This should stop users from mistaking the request for a regular login signature and accidentally authorizing something they shouldn’t.

We also now let you set “approve only what’s needed” when first authorizing tokens for Permit/Permit2 contracts: the one-time on-chain approve() that Permit2 requires can be capped at the amount actually needed instead of the larger or unlimited allowance a dapp may ask for.
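
Here is what a Permit-type check of the kind described in this section looks like in practice. It is an added example written for this article, not OneKey’s detection code. It takes the EIP-712 typed-data JSON a dapp hands to the wallet via eth_signTypedData_v4 (the same request a phishing page disguises as a “sign in”), recognises the five Permit-family primary types named above, and reports what the signature would actually grant: the spender, whether the amount is unlimited, and how far away the deadline is. The spender list, the “current time”, the placeholder addresses and the sample requests are constructed for the example, and the risk thresholds are assumptions rather than OneKey’s rules.

```python
"""Flag EIP-712 signing requests that grant Permit / Permit2 allowances.

Added example for this article, not OneKey code. The thresholds and the
"previously interacted" spender list are assumptions a wallet might use.
"""
import json

# primaryType values the wallet should treat as token authorizations, not logins.
PERMIT_PRIMARY_TYPES = {
    "Permit",                                         # EIP-2612, implemented by the token itself
    "PermitSingle", "PermitBatch",                    # Permit2 allowance-style permits
    "PermitTransferFrom", "PermitBatchTransferFrom",  # Permit2 signature transfers
}
UINT160_MAX = 2**160 - 1   # Permit2 amounts are uint160; an EIP-2612 "unlimited" 2**256-1 also exceeds this
ONE_YEAR = 365 * 24 * 3600


def _amounts_and_deadline(primary, msg):
    """Return (authorized amounts, expiry timestamp) for each Permit message shape."""
    if primary == "Permit":
        return [int(msg["value"])], int(msg["deadline"])
    if primary == "PermitSingle":
        return [int(msg["details"]["amount"])], int(msg["sigDeadline"])
    if primary == "PermitBatch":
        return [int(d["amount"]) for d in msg["details"]], int(msg["sigDeadline"])
    if primary == "PermitTransferFrom":
        return [int(msg["permitted"]["amount"])], int(msg["deadline"])
    if primary == "PermitBatchTransferFrom":
        return [int(p["amount"]) for p in msg["permitted"]], int(msg["deadline"])
    raise ValueError(f"not a Permit type: {primary}")


def assess_typed_data(typed_json, known_spenders, now):
    """Return warnings for a typed-data request; an empty list means it is not a Permit-type grant."""
    typed = json.loads(typed_json)
    primary = typed["primaryType"]
    if primary not in PERMIT_PRIMARY_TYPES:
        return []
    msg = typed["message"]
    spender = msg["spender"].lower()
    warnings = [f"{primary}: this is a token authorization for spender {spender}, not a login"]
    if spender not in {s.lower() for s in known_spenders}:
        warnings.append("spender has never been interacted with from this wallet")
    amounts, deadline = _amounts_and_deadline(primary, msg)
    if any(a >= UINT160_MAX for a in amounts):
        warnings.append("unlimited amount")
    if deadline >= now + ONE_YEAR:
        warnings.append(f"deadline {deadline} is more than a year away")
    return warnings


# Constructed fixtures. "types" is omitted from the requests because the classifier keys on
# primaryType and message only; a real eth_signTypedData_v4 request carries it.
NOW = 1752796800                 # 2025-07-18 00:00 UTC, the "current time" for the example
ROUTER = "0x" + "11" * 20        # placeholder for a DEX router this wallet has used before
ATTACKER = "0x" + "ba" * 20      # placeholder for the phisher's drainer address
KNOWN_SPENDERS = {ROUTER}

# Phishing request: Permit2 PermitSingle with unlimited amount, maximal expiry, unknown spender.
PHISHING_REQUEST = json.dumps({
    "domain": {"name": "Permit2", "chainId": 1,
               "verifyingContract": "0x000000000022D473030F116dDEE9F6B43aC78BA3"},
    "primaryType": "PermitSingle",
    "message": {
        "details": {"token": "0x" + "cc" * 20, "amount": str(UINT160_MAX),
                    "expiration": str(2**48 - 1), "nonce": "0"},
        "spender": ATTACKER,
        "sigDeadline": str(2**48 - 1),
    },
})

# Legitimate request: EIP-2612 Permit for an exact amount, 20-minute deadline, known spender.
LEGIT_REQUEST = json.dumps({
    "domain": {"name": "ExampleToken", "version": "1", "chainId": 1,
               "verifyingContract": "0x" + "dd" * 20},
    "primaryType": "Permit",
    "message": {"owner": "0x" + "ee" * 20, "spender": ROUTER, "value": str(1000 * 10**6),
                "nonce": "7", "deadline": str(NOW + 1200)},
})

# A typed-data request that is not a Permit at all; the classifier stays silent.
NON_PERMIT_REQUEST = json.dumps({"primaryType": "Mail", "message": {"contents": "hello"}})

if __name__ == "__main__":
    for label, req in (("phishing", PHISHING_REQUEST), ("legit", LEGIT_REQUEST)):
        print(label, assess_typed_data(req, KNOWN_SPENDERS, NOW))
```

A legitimate permit still produces one line of output: the point is that the user is told it is a token authorization rather than a login before anything is signed. Undoing the allowance afterwards, for both EIP-2612 and Permit2, costs an on-chain transaction, so the moment before signing is the cheap place to catch it.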
 

(2) What’s Next for the App

By the end of November, the App will start rolling out ABI parsing for signed transaction data in phases.

Parsing every possible call is a huge task. The Ethereum function-signature database 4byte.directory lists over 1.35 million distinct signatures, each mapped to the 4-byte selector that begins a contract call.

We’ve analyzed the last million Ethereum transactions and narrowed them down to the 1,000 most-used contract methods. We’re gathering ABIs for those to cover as much as possible, aiming for 100% coverage, and this will also include the various EVM Layer 2s.

Permit-type transactions are our first priority because of their high risk; after that, we’ll expand further.

Whether you’re using a hardware wallet or just the software wallet, you’ll be able to read the purpose of a transaction and any asset changes, such as transfer or approval amounts, directly in the App.
 

Additionally, the OneKey App will add two other checks. First, whether you have interacted with a contract address before, so that a first-time contract stands out instead of being mistaken for one you already trust. Second, contract risk monitoring through partnerships with BlockAid, ScamSniffer, and GoPlus. Even for a contract you have used before, if a security risk is known you’ll be warned before interacting.

(3) What’s Next for the Hardware Wallet

With the groundwork laid in the App, we’re moving towards local parsing on the hardware wallet itself, so you can double-check a transaction both in the App and on the device’s own screen.

We’re embedding ABIs into the hardware wallet and will keep them updated as new contracts appear.

Just as in the App, phishing-prone Permit-type signatures are the first priority for parsing on the hardware wallet.

If a transaction can’t be parsed, the device will warn you, and users will be able to block such transactions outright rather than sign them blind.

For projects that rely on high-stakes Permit authorizations (especially staking projects), we recommend protecting the permit-spending path with multi-signature control and a time-lock, so that authorized transfers don’t execute instantly and users have time to react if they get phished.

Ledger is a pioneer here with its “Clear Signing” initiative on GitHub, where third parties submit ABI descriptions that are reviewed and then shipped to the device so it can display transactions in readable form.

(4) The Road Ahead 

a. Enhanced Hardware Wallet Display with Third-Party Parsing

For high-security users who want additional verification, we’ll add a dynamic QR code display on the hardware wallet.

The QR code will encode the full signing payload exactly as the device sees it, so users can scan it with an independent app on a second device and verify it before confirming on the hardware wallet. Because the code is generated by the device rather than by the host app, it verifies what will actually be signed, not what a possibly compromised computer claims.

b. Batch Authorization Revoking & Real-Time Monitoring

When a contract’s security is compromised, attackers still need time to submit the Permit transfers, so many users have a window in which to revoke the authorization (an on-chain transaction that resets the allowance) and protect their assets. Ideally, users should review and revoke unused authorizations regularly.

We’re working on emergency alerts for high-risk contracts and notifications prompting users to revoke permissions in bulk. Because of the monitoring resources this requires, the service might be subscription-based for power users.

——

Security isn’t a one-time thing; it’s an ongoing battle. And we’re all in.

Let’s keep moving forward together.
