EIP-712 Signing
What is EIP-712 Signing?
EIP-712 SigningAn Ethereum standard for typed, structured off-chain message signing that lets wallets display human-readable intent (e.g. 'sell 1 ETH to user X by Friday') and bind the signature to a domain, chain, and contract.
EIP-712 (Ethereum typed structured data hashing and signing), authored by Remco Bloemen, Leonid Logvinov, and Jacob Evans in 2018, is the standard underlying virtually all modern off-chain signing flows on Ethereum and EVM L2s. Before EIP-712, signing a message meant calling `eth_sign` on a 32-byte opaque hash that a wallet had no way to render — a UX and security disaster. EIP-712 introduces structured types (`bytes32 typeHash`), domain separators that bind the signature to a chain ID, verifying contract, and version, and a JSON-RPC method (`eth_signTypedData_v4`) that lets wallets display field-by-field what is being signed. Use cases include Permit and Permit2 ERC-20 approvals (no on-chain transaction needed), OpenSea / Blur listings, gasless meta-transactions, ERC-4337 UserOperations, off-chain governance votes (Snapshot), and most Web3 game-economy signatures. From a security perspective EIP-712 enables but does not guarantee user comprehension: phishing kits routinely craft EIP-712 payloads that look like a benign 'login' but actually authorize unlimited token spend — the same pattern Inferno Drainer and successors abuse. Wallets that warn on known-dangerous EIP-712 patterns (Wallet Guard, ScamSniffer, Rabby) are the practical defense.
● Examples
- 01
A user signs an EIP-712 'Permit' message that their wallet displays as 'Approve unlimited USDC to 0x… on Ethereum Mainnet'; with a clear display, they can refuse.
- 02
A phishing dApp asks for an EIP-712 signature labeled 'Login to MyDAO'; a security extension warns the user the underlying type is actually `setApprovalForAll`.
● Frequently asked questions
What is EIP-712 Signing?
An Ethereum standard for typed, structured off-chain message signing that lets wallets display human-readable intent (e.g. 'sell 1 ETH to user X by Friday') and bind the signature to a domain, chain, and contract. It belongs to the Web3 & Blockchain category of cybersecurity.
What does EIP-712 Signing mean?
An Ethereum standard for typed, structured off-chain message signing that lets wallets display human-readable intent (e.g. 'sell 1 ETH to user X by Friday') and bind the signature to a domain, chain, and contract.
How does EIP-712 Signing work?
EIP-712 (Ethereum typed structured data hashing and signing), authored by Remco Bloemen, Leonid Logvinov, and Jacob Evans in 2018, is the standard underlying virtually all modern off-chain signing flows on Ethereum and EVM L2s. Before EIP-712, signing a message meant calling `eth_sign` on a 32-byte opaque hash that a wallet had no way to render — a UX and security disaster. EIP-712 introduces structured types (`bytes32 typeHash`), domain separators that bind the signature to a chain ID, verifying contract, and version, and a JSON-RPC method (`eth_signTypedData_v4`) that lets wallets display field-by-field what is being signed. Use cases include Permit and Permit2 ERC-20 approvals (no on-chain transaction needed), OpenSea / Blur listings, gasless meta-transactions, ERC-4337 UserOperations, off-chain governance votes (Snapshot), and most Web3 game-economy signatures. From a security perspective EIP-712 enables but does not guarantee user comprehension: phishing kits routinely craft EIP-712 payloads that look like a benign 'login' but actually authorize unlimited token spend — the same pattern Inferno Drainer and successors abuse. Wallets that warn on known-dangerous EIP-712 patterns (Wallet Guard, ScamSniffer, Rabby) are the practical defense.
How do you defend against EIP-712 Signing?
Defences for EIP-712 Signing typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for EIP-712 Signing?
Common alternative names include: EIP-712, Typed structured data signing.
● Related terms
- web3№ 1155
Signature Phishing (Web3)
A Web3 phishing pattern that tricks a user into signing an EIP-712 or `personal_sign` message that authorizes the attacker to move tokens, transfer NFTs, or take wallet actions — without ever asking for a seed phrase.
- web3№ 912
Permit2 Phishing
Permit2 phishing tricks an Ethereum user into signing a Uniswap Permit2 off-chain message that grants an attacker the right to transfer the victim's ERC-20 tokens.
- web3№ 1348
Wallet Drainer
Malicious software or a phishing kit that tricks crypto-wallet users into signing transactions or approvals that hand over all valuable tokens and NFTs.
- web3№ 1171
Smart Contract Security
The practice of designing, reviewing, and operating on-chain programs so they cannot be exploited to steal funds, freeze logic, or violate intended business rules.
- web3№ 590
Inferno Drainer
A 2022–2023 crypto-wallet-drainer-as-a-service that emptied tens of thousands of victims' wallets by phishing them into signing token-approval transactions on fake mint and airdrop sites, before shutting down in November 2023.
- web3№ 008
Account Abstraction (ERC-4337)
An Ethereum standard that replaces externally-owned accounts with smart-contract wallets able to express arbitrary signing logic — social recovery, session keys, sponsored gas, multi-factor approval — without Layer 1 protocol changes.
● See also
- № 1349WalletConnect Security