As DeFi Streamlines, Web3 Wallets Must Display a Human-Readable Format to Safeguard Users
The bear season has been digging its claws in deeply over the past few months. As this season extends, so too do the austerity measures that protocols and users implement to reduce unnecessary expenses, particularly gas fees and potential losses due to Maximal Extractable Value (MEV).
One benefit of constraints is that they typically surface novel ideas, and one such idea that DeFi protocols have been employing over the past several months is “gasless transactions” invoked through signatures. Enabled by EIP-2612, this method of initiating transactions for ERC-20 tokens introduces numerous quality-of-life enhancements for users and protocols:
Protocols can pay the gas fee for your final transaction, as well as handle failed transactions, which is where the term “gasless transaction” originates (the final transaction is not free nor “gasless”; the entity that sends the transaction — rather than the end user — must still pay gas with a native token).
Token approvals expire after a certain period of time, rather than the natural default of allowing an unlimited amount of the token to be spent forever, as is the case today.
The need for two transactions — one to approve the spending of a token and one to make the actual trade — can now be reduced to one transaction.
Users can pay their gas fees using the ERC-20 token they are selling, instead of always having to use the chain’s native token, such as ETH or MATIC.
As the DeFi protocol you’re interacting with is responsible for sending the transaction, they may incorporate methods to mitigate MEV that users might not have themselves.
According to the author of EIP-2612:
The ability for users to interact with Ethereum without holding any ETH has been a long outstanding goal and the subject of many EIPs.
But, as with any new or upgraded technology, we usually lag behind in getting the most out of these new opportunities. Signatures, in particular, have been poorly displayed in wallet clients for some time, even as the ecosystem has made heavier use of them to improve the web3 user experience, such as using Sign-In with Ethereum.
As more protocols adopt gasless signatures, it’s crucial that wallet clients display signature requests and the messages they contain in a straightforward, human-readable format. Until this occurs, the user experience will always trail behind the amazing technology users actually have access to. These issues have also become vulnerabilities that are exploited by fraudsters.
Concerns Over Gasless Signatures
Protocols that have incorporated gasless signatures have made efforts to help their users understand how these new forms of transactions operate. However, signatures are still poorly displayed in the wallet clients that are used to initiate trades. This raises numerous concerns:
Wallet clients still present signature contents in a purely textual form, which is a chore to read and verify, especially for non-developers (this is the primary issue leading to phishing attacks that successfully steal tokens via signed messages).
They do not record and display a history of signature activity; therefore, users have no record of when they attempted to initiate gasless signatures or what signatures could potentially be used in subsequent transactions.
As the protocol builds and sends the final transaction, wallet clients may not display all steps in the user’s transaction history (though block explorers like Etherscan will display these).
Transaction simulator extensions may not adequately display what will transpire after a gasless transaction has been executed, as it is another entity that constructs and sends the final transaction (will more of your approved tokens go to fees than you expected?).
These issues can lead not only to confusion for users but ultimately a loss of assets, should they be tricked into signing a malicious transaction that they cannot understand or that they believe is legitimate. This is what allegedly happened to Kevin Rose when he lost several high-value NFTs to a phishing scam earlier this year.
Improved UX Is Needed for Gasless Transactions
DeFi trades conducted via these new gasless signatures can offer more ways to onboard new users and enhance the experience for existing users. However, to fully capitalize on this new paradigm, signatures need to be treated as first-class citizens in wallet clients, not just as a large block of textual data. Imagine your wallet provider going the extra UX mile to provide details about the contract you are interacting with, the token you are transferring, and the gas fee in a format that makes sense no matter your level of experience.
DeFi users should remain vigilant. Until there are improvements to the gasless signature UX, it will be an opportunity for fraudsters to enhance their phishing toolbox.
A version of this article initially appeared in BanklessDAO’s DeFi Download newsletter on June 18, 2023.
d0wnlore is a writer and educator at Bankless DAO’s InfoSec Team. He is a longtime crypto enthusiast who enjoys helping others through his interests in security, user experience design, and global mobility.
Editor and Designer Bio
Trewkat is a writer, editor, and designer at BanklessDAO. She’s interested in learning about crypto and NFTs, with a particular focus on how best to communicate this knowledge to others.
BanklessDAO is an education and media engine dedicated to helping individuals achieve financial independence.
This post does not contain financial advice, only educational information. By reading this article, you agree and affirm the above, as well as that you are not being solicited to make a financial decision, and that you in no way are receiving any fiduciary projection, promise, or tacit inference of your ability to achieve financial gains.
More Like This
Web3 Privacy Begins With Your RPC by Hiro Kennelly
Into the Cosmos: The App-Chain Thesis Enters Ethereum by Liam McDonald