Now that EIP7702 is live, I think it is time to retire Permit2, as it provides nothing that EIP7702 doesn't, and it is an added security risk.
What is Permit2?
Before Permit2, there was Permit: a method to grant token approvals using gasless signatures.
Permit improved UX for things like swaps so that you don't need to send two separate transactions for approve + swap.
However, there was one important drawback to Permit: it needed to be implemented by the token.
That is where Permit2 came in. Permit2 was created by Uniswap as a way to add Permit functionality to any token, even if the token didn't explicitly add support for it.
This sounds great in theory but in practice it came with quite a few drawbacks.
Drawback 1: easier to exploit
Permit2 requires users to give an unlimited approval to the official Permit2 contract, and this approval then enables the new signature functionality.
But Permit2 signatures are very flexible and allow you to give permissions to many tokens at once. This makes it easier for scammers to abuse and steal multiple assets with just a single signature.
Drawback 2: friction for developers
Supporting Permit or Permit2 signatures required quite a bit of extra development effort, and supporting both of them on top of "regular" approvals was an even bigger hassle, especially within smart contracts.
In some cases dapps decided to unify this into only using Permit2, but that actually can lead to worse UX than before, since now you need to give an unlimited approval to Permit2 even if the token you're swapping already supported Permit signatures natively.
Solution: EIP7702
Now that EIP7702 (and EIP5792) are live on Ethereum, developers can replace Permit2 with batch transactions. While developers do need to implement this explicitly on the dapp UI side, there is no extra code required in the smart contracts (unlike Permit2).
While similar security concerns exist for batch transactions as they do for Permit2, batch transactions offer more benefits, and there is no reason to keep multiple solutions to the same problem around long-term.
While it still may take a while for all wallets and dapps to catch up with EIP7702, I expect we can properly retire Permit2 by the end of this year.
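The risk described under Drawback 1 is easier to see from the wallet side. The sketch below is an added example, not code from the thread or from Uniswap: it summarizes an EIP-712 signing request and flags when one Permit2 signature covers several tokens or unlimited amounts. The function name, the warning strings and the sample request (placeholder addresses) are constructed for illustration, and matching on the domain name `Permit2` alone is a simplifying assumption.

```javascript
// Added example: wallet-side summary of a Permit2 EIP-712 signing request.
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 allowance amounts are uint160

// Permit2 primary types and where each keeps its token entries.
const PERMIT2_TYPES = {
  PermitSingle: (m) => [m.details],
  PermitBatch: (m) => m.details,
  PermitTransferFrom: (m) => [m.permitted],
  PermitBatchTransferFrom: (m) => m.permitted,
};

// Returns null for non-Permit2 requests, otherwise what the signature grants.
function summarizePermit2Request(typedData) {
  const extract = PERMIT2_TYPES[typedData.primaryType];
  if (!typedData.domain || typedData.domain.name !== "Permit2" || !extract) {
    return null;
  }
  const msg = typedData.message;
  const grants = extract(msg).map((d) => {
    const amount = BigInt(d.amount);
    // uint256 maximum (signature transfers) is also caught by this comparison
    return { token: d.token.toLowerCase(), unlimited: amount >= MAX_UINT160 };
  });
  const tokens = [...new Set(grants.map((g) => g.token))];
  const unlimited = grants.filter((g) => g.unlimited).length;
  const warnings = [];
  if (tokens.length > 1) warnings.push(`one signature covers ${tokens.length} tokens`);
  if (unlimited > 0) warnings.push(`${unlimited} unlimited amount(s)`);
  return { spender: msg.spender, tokens, warnings };
}

// Constructed sample request; every address is a placeholder.
const SAMPLE_REQUEST = {
  primaryType: "PermitBatch",
  domain: { name: "Permit2", chainId: 1 },
  message: {
    spender: "0x" + "aa".repeat(20),
    sigDeadline: "1767225600",
    details: [
      { token: "0x" + "11".repeat(20), amount: MAX_UINT160.toString(), expiration: "1767225600", nonce: "0" },
      { token: "0x" + "22".repeat(20), amount: MAX_UINT160.toString(), expiration: "1767225600", nonce: "0" },
      { token: "0x" + "33".repeat(20), amount: "1000000", expiration: "1767225600", nonce: "0" },
    ],
  },
};

console.log(summarizePermit2Request(SAMPLE_REQUEST));
```

A wallet could show the returned `tokens` and `warnings` on the signing prompt so the user sees every asset the single signature covers.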
NFTs have become increasingly popular in 2021. Most trading happens on big marketplaces like OpenSea. But in my latest blog post I take a look at the best platforms for trading NFTs in a peer-to-peer manner.
To do so I asked the help of @snooplyin42 and took @NftTrader, @sudoswap, and @swapkiwi for a test drive. We compared the platforms on their UI, UX, features, costs and usage and I compiled our findings in the blog post.
To measure usage, I wrote a script that looks at the on-chain completed swaps for each of the platforms, classifies them and calculates their value.
Bitcoin Cash has had support for bitwise AND, XOR and OR for a while. These were initially disabled in CashScript because they can be error-prone. CashScript has added more type safety features since its release, so these operators can now be added.
2. 🔢 Variable size NUM2BIN
Casting int values to sized bytes is commonly done with this syntax: `bytes8(5)` or `bytes4(10)`. But you don't always know what the size of the output should be if it depends on variables. So v0.4.0 adds an alternative syntax: `bytes(12, x + 1)`.