Wallet Signature Security
Understanding what you're signing and how malicious signature requests can drain your wallet
Types of Wallet Signatures
Not all signature requests are equal. Understanding the difference can protect you from attacks.
Message Signatures: Simple messages that prove you own a wallet. Generally safe but can be used for phishing.
Transaction Signatures: Authorize on-chain actions like transfers or contract interactions. More dangerous as they can move assets.
Permit Signatures: Gasless approvals that let contracts spend your tokens. Dangerous because they don't require gas and look innocuous.
Typed Data Signatures: Structured data signatures used by many DeFi protocols. Can be dangerous if you don't understand the data structure.
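As an added example (not code from the original page), the following Node.js script renders an EIP-712 typed-data request the way a wallet with human-readable parsing would, so that a Permit's spender, amount and deadline are visible before anything is signed. The token name, contract and addresses are constructed placeholders, not real deployments.

```javascript
// Added example, not from the original page: render an eth_signTypedData_v4
// payload into plain-language lines so the signer can see what a "Permit"
// actually authorizes. Plain Node.js, no dependencies.

const MAX_UINT256 = (1n << 256n) - 1n;

// Constructed sample, shaped like the typed-data argument of eth_signTypedData_v4.
// Token name, contract and addresses are placeholders.
const SAMPLE_PERMIT_REQUEST = {
  domain: {
    name: "ExampleToken",
    version: "1",
    chainId: 1,
    verifyingContract: "0x1111111111111111111111111111111111111111",
  },
  primaryType: "Permit",
  types: {
    EIP712Domain: [
      { name: "name", type: "string" },
      { name: "version", type: "string" },
      { name: "chainId", type: "uint256" },
      { name: "verifyingContract", type: "address" },
    ],
    Permit: [
      { name: "owner", type: "address" },
      { name: "spender", type: "address" },
      { name: "value", type: "uint256" },
      { name: "nonce", type: "uint256" },
      { name: "deadline", type: "uint256" },
    ],
  },
  message: {
    owner: "0x2222222222222222222222222222222222222222",
    spender: "0x3333333333333333333333333333333333333333",
    value: MAX_UINT256.toString(),
    nonce: "0",
    deadline: "2000000000",
  },
};

// Turn one typed field into a labelled, readable line.
function describeField(field, value) {
  const { name, type } = field;
  if (type.startsWith("uint")) {
    const n = BigInt(value);
    if (name === "value" || name === "amount") {
      // The max uint256 is the classic "unlimited allowance" sentinel.
      return n === MAX_UINT256
        ? `${name}: UNLIMITED (max uint256)`
        : `${name}: ${n.toString()} (raw token units)`;
    }
    if (name === "deadline" || name === "expiry" || name === "expiration") {
      return n === MAX_UINT256
        ? `${name}: never expires`
        : `${name}: ${new Date(Number(n) * 1000).toISOString()}`;
    }
    return `${name}: ${n.toString()}`;
  }
  return `${name}: ${String(value)}`;
}

// Structured summary plus printable lines for a typed-data request.
function describeTypedData(request) {
  const { domain, primaryType, types, message } = request;
  const fields = types[primaryType];
  if (!fields) throw new Error(`unknown primaryType ${primaryType}`);

  const lines = fields.map((f) => describeField(f, message[f.name]));
  const isPermit = /permit|approv|allowance/i.test(primaryType);
  const unlimited =
    isPermit && message.value !== undefined && BigInt(message.value) === MAX_UINT256;

  return {
    contract: domain.verifyingContract,
    chainId: Number(domain.chainId),
    primaryType,
    isPermit,
    spender: isPermit ? message.spender : undefined,
    unlimited,
    lines,
  };
}

const summary = describeTypedData(SAMPLE_PERMIT_REQUEST);
console.log(`${summary.primaryType} for ${summary.contract} on chain ${summary.chainId}`);
for (const line of summary.lines) console.log("  " + line);
if (summary.unlimited) console.log("  WARNING: unlimited allowance for " + summary.spender);
```

The point of the rendering is the `value` and `deadline` lines: a request that a dApp presents as "just sign this message" shows up here as an unlimited, long-lived allowance for a specific spender.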
Malicious Signature Requests
Permit Phishing: Attackers ask you to sign a "message" that's actually a permit giving them access to your tokens.
Blind Signing: Some dApps show raw transaction data that's unreadable. Never sign what you can't understand.
Multi-Action Bundles: A single signature might authorize multiple actions, some of which drain your wallet.
Replay Attacks: Signatures without proper nonces can be reused to drain you multiple times.
Safe Signing Practices
1. Read everything before signing, especially the function being called
2. Use wallets with human-readable transaction parsing
3. Never sign raw hex data you can't interpret
4. Be extra careful with permit and approval requests
5. Check the requesting domain matches where you think you are
6. Use hardware wallets for large holdings—they show transaction details on-device
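The checklist above, together with the malicious request patterns from the previous section, as an added example in Node.js (not code from the original page): a pre-signing audit that flags an origin mismatch, opaque hex in a message signature, a permit hidden in a "message", a missing or reused nonce, and a multi-action bundle. It assumes, as a labelled assumption, that the wallet's provider layer attaches the requesting site's `origin` and the wallet's active `chainId` to each request; every address and origin is a constructed sample, and the `seenNonces` set stands in for the nonce a token contract tracks on-chain.

```javascript
// Added example, not from the original page: audit a wallet request against
// the safe-signing checklist before the user signs. Plain Node.js, no deps.
// Request shapes follow the JSON-RPC methods personal_sign and
// eth_signTypedData_v4; `origin` and `chainId` on the request object are
// ASSUMED to be supplied by the wallet's provider layer. All addresses and
// origins below are constructed samples.

// Decode a 0x-hex payload as UTF-8; return null when it is opaque bytes rather
// than a message a person can read (control or replacement characters present).
function hexToReadableText(hex) {
  if (typeof hex !== "string" || !/^0x([0-9a-fA-F]{2})+$/.test(hex)) return null;
  const text = Buffer.from(hex.slice(2), "hex").toString("utf8");
  return /[\uFFFD\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(text) ? null : text;
}

// Audit one request. `seenNonces` stands in for the nonce the token contract
// tracks on-chain; a real wallet would query the contract instead of a local set.
function auditSignatureRequest(req, pageOrigin, seenNonces) {
  const findings = [];

  // Practice 5: the site asking must be the site the user is actually on.
  if (req.origin !== pageOrigin) {
    findings.push(`origin mismatch: request from ${req.origin}, page is ${pageOrigin}`);
  }

  if (req.method === "personal_sign") {
    // Practice 3: refuse raw hex that does not decode to readable text.
    if (hexToReadableText(req.params[0]) === null) {
      findings.push("blind signing: payload is opaque hex, not a readable message");
    }
    return findings;
  }

  if (req.method === "eth_signTypedData_v4") {
    const data = typeof req.params[1] === "string" ? JSON.parse(req.params[1]) : req.params[1];
    const { domain, primaryType, types, message } = data;

    if (Number(domain.chainId) !== req.chainId) {
      findings.push(`chain mismatch: data targets chain ${domain.chainId}, wallet is on ${req.chainId}`);
    }

    // Practice 4: a "message" whose primary type is a permit/approval moves tokens.
    if (/permit|approv/i.test(primaryType)) {
      findings.push(`permit: would let ${message.spender} spend tokens; review the amount and deadline`);
    }

    // Replay: no nonce, or a nonce already consumed, means the signature can be reused.
    if (message.nonce === undefined) {
      findings.push("no nonce field: signature could be replayed");
    } else {
      const key = `${domain.chainId}:${domain.verifyingContract}:${message.nonce}`;
      if (seenNonces.has(key)) findings.push(`nonce ${message.nonce} already used: replay`);
      else seenNonces.add(key);
    }

    // Multi-action bundle: an array field with several entries is several actions under one signature.
    for (const f of types[primaryType] ?? []) {
      const v = message[f.name];
      if (f.type.endsWith("[]") && Array.isArray(v) && v.length > 1) {
        findings.push(`bundle: ${f.name} carries ${v.length} actions under one signature`);
      }
    }
    return findings;
  }

  findings.push(`unsupported method ${req.method}: do not sign`);
  return findings;
}

// Constructed sample requests (placeholder addresses and origins).
const ORIGIN = "https://app.example-dex.test";
const OWNER = "0x2222222222222222222222222222222222222222";
const PERMIT_DATA = {
  domain: { name: "ExampleToken", version: "1", chainId: 1,
            verifyingContract: "0x1111111111111111111111111111111111111111" },
  primaryType: "Permit",
  types: { Permit: [
    { name: "owner", type: "address" }, { name: "spender", type: "address" },
    { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" },
    { name: "deadline", type: "uint256" } ] },
  message: { owner: OWNER, spender: "0x3333333333333333333333333333333333333333",
             value: "1000000", nonce: "0", deadline: "2000000000" },
};
const PERMIT_REQ = { origin: ORIGIN, chainId: 1, method: "eth_signTypedData_v4",
                     params: [OWNER, PERMIT_DATA] };
const OPAQUE_REQ = { origin: ORIGIN, chainId: 1, method: "personal_sign",
                     params: ["0x" + "ab".repeat(32), OWNER] };
const LOGIN_REQ = { origin: ORIGIN, chainId: 1, method: "personal_sign",
                    params: ["0x" + Buffer.from("Sign in to ExampleDex\nNonce: 7").toString("hex"), OWNER] };
const LOOKALIKE_REQ = { ...LOGIN_REQ, origin: "https://app.example-dex-login.test" };

const nonces = new Set();
for (const r of [PERMIT_REQ, PERMIT_REQ, OPAQUE_REQ, LOGIN_REQ, LOOKALIKE_REQ]) {
  console.log(r.method, auditSignatureRequest(r, ORIGIN, nonces));
}
```

Running it audits the same permit twice (the second pass reports the reused nonce), an opaque 32-byte payload, a readable sign-in message, and that same sign-in message sent from a lookalike origin; an empty findings list means none of the checklist items fired, not that the request is safe.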