In the Web3 world, "signing" is a fundamental way you interact with DApps. Logging into DApps, claiming airdrops, and trading NFTs all require signatures. But not all signing requests are safe — malicious signatures have become one of the primary methods of crypto asset theft in 2024-2025. A single careless confirmation could result in all your assets being drained within seconds.
What Types of Wallet Signatures Exist?
Understanding the risk levels of different signature types is the foundation of prevention:
1. personal_sign (Personal Signature)
- Use: DApp login verification, message signing
- Risk: Generally low, doesn't directly involve asset operations
- Example: The "Sign in" request when logging into OpenSea
2. eth_signTypedData (Typed Data Signature)
- Use: Off-chain authorization, order signing
- Risk: Medium to high, can be used for Permit authorization and NFT listings
- Example: Uniswap's Permit2 signature, OpenSea's NFT listing signature
3. eth_sign (Raw Data Signature)
- Use: Signing arbitrary data
- Risk: Extremely high, known as "blind signing" — can sign any transaction
- Example: Legitimate use is extremely rare; almost always malicious
4. eth_sendTransaction (Transaction Signature)
- Use: Sending on-chain transactions
- Risk: Depends on the transaction content — could be a transfer, approval, or contract call
- Example: Token transfers, DApp contract interactions
How Do Malicious Signatures Steal Assets?
Here are the most common malicious signature attack methods:
Permit Signature Attack
The EIP-2612 standard allows off-chain signatures to authorize token transfers without consuming gas. After tricking you into signing a Permit, the attacker can submit the signature on-chain to transfer your tokens. Since signing is off-chain, you won't see a gas fee prompt, making it easy to let your guard down.
Seaport Signature Attack
OpenSea's Seaport protocol allows creating NFT listings through signatures. An attacker can craft a signing request to sell all your NFTs at an absurdly low price (e.g., 0.0001 ETH). If you confirm without carefully reviewing the signature contents, your NFTs will be bought by the attacker at a fraction of their value.
eth_sign Blind Signing Attack
This is the most dangerous signature type. The signed content is raw hexadecimal data that you simply cannot read. An attacker can have you sign a transaction that transfers all your assets.
setApprovalForAll Signature Attack
This attack targets NFTs: the attacker tricks you into sending a setApprovalForAll transaction that grants a contract they control full approval over your NFTs (one setApprovalForAll call covers an entire collection at once), then transfers all of them.
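The approval and setApprovalForAll attacks above both arrive as eth_sendTransaction requests whose intent is hidden in the calldata. As an added example (not code from the article), this JavaScript decodes that calldata and summarises the approval it would grant; the sample transaction and the attacker/contract addresses are constructed.

```javascript
// Added example (not from the article): inspect the `data` field of an
// eth_sendTransaction request and report the approval it would grant.
// The two selectors are the standard ERC-20 approve and ERC-721/1155
// setApprovalForAll function selectors (first 4 bytes of keccak256(signature)).
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Return the hex of ABI word `index` (32 bytes) that follows the selector.
function word(data, index) {
  const start = 10 + index * 64;            // "0x" + 8 selector hex chars
  const hex = data.slice(start, start + 64);
  if (hex.length !== 64) throw new Error("calldata too short");
  return hex;
}

// Returns null for non-approval calls, otherwise a plain-language risk summary.
function describeApproval(tx) {
  const data = (tx.data || "0x").toLowerCase();
  const sig = SELECTORS[data.slice(0, 10)];
  if (!sig) return null;
  const operator = "0x" + word(data, 0).slice(24); // address is right-aligned in the word
  if (sig.startsWith("setApprovalForAll")) {
    const approved = BigInt("0x" + word(data, 1)) === 1n;
    return { kind: "setApprovalForAll", contract: tx.to, operator, approved,
             risk: approved ? "HIGH: operator may move every NFT you hold in this collection"
                            : "revocation" };
  }
  const amount = BigInt("0x" + word(data, 1));
  const risk = amount === MAX_UINT256 ? "HIGH: unlimited allowance"
             : amount === 0n ? "revocation" : "limited allowance";
  return { kind: "approve", contract: tx.to, operator, amount, risk };
}

// Constructed sample: setApprovalForAll(<attacker operator>, true) sent to an NFT contract.
const SAMPLE_TX = {
  to: "0x1111111111111111111111111111111111111111",
  data: "0xa22cb465"
      + "000000000000000000000000" + "2222222222222222222222222222222222222222"
      + "0000000000000000000000000000000000000000000000000000000000000001",
};
```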

How to Identify Malicious Signing Requests?
Check the signature type: If the MetaMask popup shows an eth_sign type, reject it immediately unless you are 100% certain of what you're doing. MetaMask has disabled eth_sign by default — if a DApp asks you to enable it, that's a strong danger signal.
Read the signature content: Carefully read all information in the signing popup. If you see keywords like Permit, approval, or setApprovalForAll, confirm whether this is your intended action.
Verify the request source: Confirm the signing request comes from the legitimate DApp you're using, not a mystery popup window.
Check amounts and targets: If the signature involves token operations, verify the amounts and target addresses are reasonable.
Use transaction simulation tools: Browser plugins like Pocket Universe, Fire, and Blowfish can simulate results before you sign, telling you what consequences the signature will have.
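The Permit and Seaport attacks described earlier, and the "read the signature content" checks above, can be automated on the eth_signTypedData payload itself. As an added example (not code from the article or from any of the plugins named), this JavaScript reads the typed data's primaryType and flags an unlimited or long-lived Permit to an unexpected spender, or a Seaport listing that gives NFTs away for almost nothing; the sample Permit, the addresses and the `expected` object (the spender you meant to authorise and the current time) are constructed.

```javascript
// Added example (not from the article): analyse an eth_signTypedData_v4 payload
// before confirming it. Covers EIP-2612 `Permit` (token allowance) and Seaport
// `OrderComponents` (NFT listing); field names follow those two standards.
const MAX_UINT256 = (1n << 256n) - 1n;
const WEI_PER_ETH = 10n ** 18n;
const THIRTY_DAYS = 30n * 24n * 3600n;

// `expected` is what the user believes they are doing: the DApp's spender
// contract and the current unix time (passed in so the check is deterministic).
function analyzeTypedData(typedData, expected) {
  const warnings = [];
  const { primaryType, message } = typedData;
  if (primaryType === "Permit") {
    if (BigInt(message.value) === MAX_UINT256)
      warnings.push("Permit grants an UNLIMITED allowance");
    if (BigInt(message.deadline) - BigInt(expected.now) > THIRTY_DAYS)
      warnings.push("Permit deadline is more than 30 days away");
    if (message.spender.toLowerCase() !== expected.spender.toLowerCase())
      warnings.push(`spender ${message.spender} is not the DApp contract you are using`);
  } else if (primaryType === "OrderComponents") {
    // Seaport listing: `offer` is what you give away, `consideration` is what comes back.
    // itemType 2 and 3 are ERC-721 and ERC-1155 in Seaport's ItemType enum.
    const nftsOffered = message.offer.filter(i => [2, 3].includes(Number(i.itemType))).length;
    const me = message.offerer.toLowerCase();
    const received = message.consideration
      .filter(c => c.recipient.toLowerCase() === me)
      .reduce((sum, c) => sum + BigInt(c.startAmount), 0n);
    if (nftsOffered > 0 && received < WEI_PER_ETH / 100n)
      warnings.push(`listing sells ${nftsOffered} NFT(s) for only ${received} wei`);
  } else {
    warnings.push(`unrecognised primaryType ${primaryType}: read every field manually`);
  }
  return warnings;
}

// Constructed sample: a phishing Permit with unlimited value, a one-year
// deadline and a spender that is not the DApp the user is interacting with.
const SAMPLE_PERMIT = {
  primaryType: "Permit",
  domain: { name: "Example Token", version: "1", chainId: 1, verifyingContract: "0x" + "a".repeat(40) },
  message: { owner: "0x" + "1".repeat(40), spender: "0x" + "2".repeat(40),
             value: MAX_UINT256.toString(), nonce: "0", deadline: "1767225600" },
};
```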

What Scenarios Commonly Involve Malicious Signatures?
- Fake airdrop claim pages: Claiming you have an airdrop that requires "signature verification" to collect
- Fake NFT mint pages: Copycat mint pages of popular projects
- Discord/Twitter phishing links: Malicious links posted after official channels are compromised
- Fake DApp frontends: Counterfeit websites of well-known DeFi protocols
- Social engineering attacks: Fake support agents asking you to "sign to verify your wallet"
Safety Tips
Preventing malicious signatures requires high vigilance and good operational habits:
- Read every signing request carefully: Don't blindly click confirm — take a few seconds to understand the content
- Install transaction simulation plugins: Tools like Pocket Universe can warn you of risks before signing
- Keep MetaMask's eth_sign disabled: Don't let any DApp convince you to enable it
- Access DApps through official channels: Use bookmarks, don't click links from social media
- Use a separate wallet for experiments: Use a small-balance independent wallet for high-risk operations
- When in doubt, reject: If you're unsure what a signature does, clicking reject costs you nothing
Keeping large assets in a secure environment is a basic safety strategy. Register on Binance to use the platform's multi-layer security protection, or download the Binance App (iOS users refer to the iOS installation guide) for convenient management.
What's the difference between a signature and a transaction?
A signature cryptographically signs data off-chain using your private key without consuming gas. A transaction is an on-chain operation that requires gas. However, the result of a signature can be used to execute transactions on-chain (like Permit signatures), so both deserve equal security attention.
Can I revoke a malicious signature after signing?
For on-chain transaction signatures, once the transaction is confirmed it cannot be reversed. For off-chain signatures like Permit, if the attacker hasn't used the signature on-chain yet, you can issue a new Permit signature (setting authorization to 0) to invalidate the old one. But the time window is usually very short.
Can hardware wallets prevent malicious signatures?
Hardware wallets display signing content on the device screen, requiring physical confirmation. This adds an extra layer of protection over software wallets, but if you confirm without reading carefully, the hardware wallet can't protect you either. Understanding the signing content is still key.
Which browser plugins help detect malicious signatures?
Recommended plugins include Pocket Universe, Fire, ScamSniffer, and Blowfish Protect. They automatically analyze signing content before you sign and display warnings if risks are detected. However, don't rely entirely on these tools — stay vigilant yourself.