For operations that cost Gas—transfers, approvals, and the like—many people instinctively pause and take a second look. Those are relatively easy to guard against.
But off-chain signatures don’t burn Gas. And most DApps require you to connect your wallet first so they can read your address, chain, and balance. Over time, many users form a habit of assuming “this action is safe.” That’s why Permit and Permit2 have become a breeding ground for phishing.
What Do Permit and Permit2 Actually Do?
In the standard ERC20 flow, you must first call approve, then transferFrom. That costs two separate Gas payments. To simplify this and reduce cost, the off-chain, signature-based standard EIP-2612 was introduced.
What is Permit?
In EIP-2612, the permit function lets users authorize spending via an off-chain signature.
So you don’t send an approve transaction yourself, and you don’t pay Gas. You only sign a structured message. A third party can then submit that signature on-chain to complete the approval.
What is Permit2?
Permit requires the token contract to implement a permit function. Many mainstream tokens are still plain ERC20 and don’t support Permit. So Uniswap introduced Permit2.
The idea: the first time you use it, you give unlimited allowance to the Permit2 contract. After that, each swap only needs a signature. Once the signature is verified, the Permit2 contract performs transferFrom internally.
The Phishing Risk
Both Permit and Permit2 share the same core risk: signature leakage.
Because no Gas is paid, many users assume signing is harmless and don’t read what they’re signing. But the signature itself can be the approval. Phishing sites often don’t ask you to send a transfer; they prompt you to sign what looks like a normal “login” or “verify” request—which is actually Permit or Permit2 authorization data. Once you sign, they submit it on-chain to complete the approval, then use transferFrom to move your tokens.
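The practical defence is to read the typed data before signing. Below is an added example (not code from the original article or from Uniswap) of a small check that a wallet or browser extension could run over an eth_signTypedData_v4 request: it recognises the EIP-2612 Permit and Permit2 PermitSingle message shapes described above and spells out what the signature would grant. The trusted-spender list, the sample payload and all addresses in it are constructed placeholders.

```javascript
// Added example: inspect an EIP-712 signing request and explain what it authorises.
// Recognises EIP-2612 `Permit` and Permit2 `PermitSingle`; anything else is passed through.

const MAX_UINT256 = (1n << 256n) - 1n; // "unlimited" value for an ERC20 permit
const MAX_UINT160 = (1n << 160n) - 1n; // "unlimited" amount for a Permit2 uint160
const THIRTY_DAYS = 30 * 24 * 60 * 60;

function inspectTypedData(typedData, trustedSpenders, now) {
  const { primaryType, message } = typedData;
  let spender, amount, expiry, cap;
  if (primaryType === "Permit") {              // EIP-2612: Permit(owner,spender,value,nonce,deadline)
    spender = message.spender;
    amount = BigInt(message.value);
    expiry = Number(message.deadline);
    cap = MAX_UINT256;
  } else if (primaryType === "PermitSingle") { // Permit2: PermitSingle(PermitDetails details,spender,sigDeadline)
    spender = message.spender;
    amount = BigInt(message.details.amount);
    expiry = Number(message.details.expiration);
    cap = MAX_UINT160;
  } else {
    return { isApproval: false, findings: [] }; // not a permit; other types need their own rules
  }
  const findings = [`signing this grants a ${primaryType} allowance to spender ${spender}`];
  const trusted = trustedSpenders.some((a) => a.toLowerCase() === spender.toLowerCase());
  if (!trusted) findings.push("spender is not a contract you have marked as trusted");
  if (amount === cap) findings.push("allowance is unlimited");
  if (expiry - now > THIRTY_DAYS) findings.push("allowance stays valid for more than 30 days");
  return { isApproval: true, spender, amount, expiry, findings };
}

// Constructed sample: a Permit2 PermitSingle presented as a "verify wallet" prompt.
const SAMPLE_REQUEST = {
  primaryType: "PermitSingle",
  domain: { name: "Permit2", chainId: 1, verifyingContract: "0xPERMIT2_CONTRACT_PLACEHOLDER" },
  message: {
    details: { token: "0xTOKEN_PLACEHOLDER", amount: MAX_UINT160.toString(), expiration: "2000000000", nonce: "0" },
    spender: "0x1111111111111111111111111111111111111111", // constructed, untrusted spender
    sigDeadline: "2000000000",
  },
};

function reviewSample() {
  // Trusted list and "now" (Unix seconds) are constructed for the demonstration.
  return inspectTypedData(SAMPLE_REQUEST, ["0x2222222222222222222222222222222222222222"], 1_700_000_000);
}

console.log(reviewSample().findings.join("\n"));
```

A real wallet would also compare domain.verifyingContract against the token or Permit2 contract it expects, which this example leaves to the caller.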
Summary
Permit and Permit2 replace on-chain approve with off-chain signatures for better UX. The same mechanism can be abused by phishing sites—one “harmless” signature can leak one approval. Break the habit of “signing = safe,” read what you can, don’t sign when unsure, and regularly scan your approvals and revoke suspicious ones. Add address checks and phishing checks to your routine to avoid more pitfalls.