Permit Signature

A permit signature authorizes an on-chain action through signed data instead of a direct transaction from the signer.

A permit signature lets someone submit a user's signed approval on-chain.

Permit Signature Explained in Detail

A permit signature authorizes a contract action with off-chain signed data. For ERC20 tokens, EIP-2612 adds a permit function that sets an allowance from a signed message, so the owner never has to send an on-chain approve transaction.

Anyone can submit a valid permit. The security comes from the signed fields and validation rules, not from who relays it.

Smart contract example

permit(owner, spender, value, deadline, v, r, s);

The signature should bind owner, spender, value, nonce, deadline, chain, and verifying contract.

Permit Signature in Auditing

Permit flows move authorization off-chain. If nonce, deadline, domain separator, or signature checks are wrong, attackers may replay approvals or redirect them.

Auditors review permit as both token logic and signature logic.

Red flags in code

  • No nonce, or the nonce is consumed at the wrong time.

  • Expired permits are accepted.

  • Chain ID or verifying contract is missing from the signed domain.

  • A raw ecrecover call whose zero-address result is not rejected, or that accepts malleable signatures.

  • The product promises contract-wallet support but only EOA signatures are accepted.
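The following contract is an added illustration written for this page, not code from EIP-2612 or from SCH: a minimal permit implementation that handles each of the red flags above (deadline, nonce, domain with chain ID and verifying contract, zero-address and malleable-signature rejection). The token name, version string, and storage layout are assumptions; it covers EOA signatures only, so a product that promises contract-wallet support would still need an EIP-1271 path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal EIP-2612-style token: only the permit path is shown.
contract PermitToken {
    string public constant name = "Token"; // assumed name
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => uint256) public nonces;

    bytes32 public constant PERMIT_TYPEHASH = keccak256(
        "Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)"
    );

    // The domain binds chain id and this contract, so a signature made for a
    // fork or for another token does not verify here. Computed per call so a
    // chain fork after deployment does not leave a stale cached separator.
    function DOMAIN_SEPARATOR() public view returns (bytes32) {
        return keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256(bytes(name)),
            keccak256(bytes("1")), // assumed version string
            block.chainid,
            address(this)
        ));
    }

    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external {
        require(block.timestamp <= deadline, "permit expired");
        // Reject the upper half of the s range (s > secp256k1 n/2): the mirrored
        // (r, n - s, v') pair would otherwise recover the same signer and pass
        // as a distinct signature.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        require(v == 27 || v == 28, "bad v");

        // nonces[owner]++ consumes the nonce inside the hash: a second submission
        // of the same signature hashes to a different digest and fails.
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19\x01",
            DOMAIN_SEPARATOR(),
            keccak256(abi.encode(PERMIT_TYPEHASH, owner, spender, value, nonces[owner]++, deadline))
        ));
        address recovered = ecrecover(digest, v, r, s);
        // ecrecover returns address(0) for an invalid signature; without this
        // check any garbage signature would set an allowance for owner == address(0).
        require(recovered != address(0) && recovered == owner, "invalid signature");

        allowance[owner][spender] = value;
    }
}
```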

How to test or review it

  • Submit the same permit twice and expect the second call to fail.

  • Mutate signer, spender, value, nonce, deadline, chain, and domain.

  • Test expired signatures and invalid signature formats.

  • Test permit-plus-action flows in which another relayer front-runs the permit call.

  • Check whether contract signatures are required for the product's wallet model.

Practice this in real audit scenarios

Definitions help, but auditors need reps. SCH turns concepts like Permit Signature into exploit labs, code review habits, and report-writing practice.

Start the free trial or see the full smart contract auditing course.