What is Permit2?
Permit2 is an on-chain approval router created by Uniswap Labs that allows users to approve any ERC-20 token (not just those supporting ERC-2612) through signature-based permits. It eliminates the need for separate on-chain approval transactions, saving gas and improving UX.
Permit2 is deployed as a singleton contract — one address handles approvals for all tokens across all protocols that integrate it.
How Permit2 Works
Traditional Approval Flow
- User calls
approve(spender, amount)— costs gas - User calls the swap/trade — costs gas
- Total: 2 transactions
Permit2 Flow
- User signs an off-chain message authorizing the protocol to spend tokens
- Protocol submits the signature + trade in a single transaction
- Total: 1 transaction — gas saved, UX improved
Permit2 also introduces time-limited approvals: instead of unlimited approvals, users can set expiration dates on token permissions.
Security Features
| Feature | Benefit |
|---|---|
| Time-based expiry | Approvals auto-expire — no permanent spend permissions |
| Nonce-based replay protection | Each signature can only be used once |
| Batch approvals | Approve multiple tokens in one signature |
| Witness-based signing | Sign arbitrary data alongside the permit for custom logic |
How Scammers Exploit Permit2
Permit2’s signature-based model has a dark side: users sign messages without understanding what they authorize.
Scammer creates fake dApp → asks user to “verify wallet” or “claim airdrop” → user signs Permit2 message → scammer now has spending permission for their tokens → tokens drained
Because Permit2 works with off-chain signatures, the transaction doesn’t appear in the mempool — it can be executed at any time before expiry, and standard front-running protection (private RPCs) doesn’t help.
How to Protect Yourself
- Never sign messages from unverified dApps — a signature can be as dangerous as a transaction
- Use Permit2 dashboard to review and revoke active permissions
- Check the contract address in the signing prompt — if it’s not a trusted protocol, reject
- Set short expiry times when possible — prefer 1-hour approvals over indefinite ones
- Revoke unused approvals regularly using tools like revoke.cash or Etherscan’s token approval checker
Permit2 vs ERC-2612 Permit
| Aspect | ERC-2612 | Permit2 |
|---|---|---|
| Token support | Only tokens implementing ERC-2612 | Any ERC-20 token |
| Time limits | No native expiry | Built-in expiry support |
| Batch operations | No | Yes |
| Deployment | Per-token | Singleton (one contract for all) |
| Adoption | Limited | Growing rapidly (Uniswap, many dApps) |
Frequently Asked Questions
Q: Is Permit2 safe? A: Permit2 itself is a well-audited contract. The risk is not in the protocol but in what you authorize. Signing a Permit2 message from a scammer grants them token spending permission — always verify the requesting contract.
Q: How do I revoke a Permit2 approval? A: Visit revoke.cash or use Etherscan to find and revoke the Permit2 allowance for the specific token and spender address.