Clear Signing Proxy
What is Blind Signing?
When you use a hardware wallet (Ledger, Trezor, Keystone, etc.), sometimes the screen just shows you a long piece of hexadecimal gibberish when you try to confirm a transaction. That’s blind signing: you’re literally signing something you can’t read.
It’s like agreeing to a contract in a language you don’t understand, hoping it does what you think it does.
Why does this happen?
- Hardware wallets can’t run full internet-connected apps (for security).
- They don’t know about every new DeFi protocol or NFT marketplace.
- Without that knowledge, they can’t translate the raw transaction data into something human-readable.
So the fallback is: “Here’s the hex. Sign if you trust it.” Which is… not great.
What is Clear Signing?
Clear signing is the opposite: you see what you are actually agreeing to.
For example:
- “Send 1 ETH to 0xABCD…” instead of “0xa9059cbb0000...”
- “Swap 100 USDC for ~0.05 ETH on Uniswap” instead of a page of function selectors.
It’s about human-readable guarantees.
Why is Clear Signing Hard?
The big problem: every new app or protocol has new smart contracts, new ABIs, new ways to encode data.
For a hardware wallet to support clear signing today, it needs:
- To whitelist the contract address
- To parse the contract’s ABI
- To keep its firmware up to date
That’s not scalable. DeFi moves fast; hardware wallet updates don’t.
Our Approach: Balance-Based Clear Signing
Instead of parsing every possible smart contract, we flip the model:
👉 We don’t care what the call does.
👉 We only care what changes in balances afterwards.
You, the user, say:
- “After this transaction, I should have +100 USDC more.”
- “I should have -0.1 ETH less.”
- “Nothing else should change.”
Our singleton proxy contract enforces that:
- It proxies the call.
- It checks the before/after balances.
- If the results don’t match what you declared → the whole transaction reverts.
This way, the hardware wallet only needs to display the balance differences you already declared. That’s all you sign off on.
Why This is Good
- ✅ Protocol-agnostic – works with any smart contract, new or old
- ✅ One contract per chain – no need for per-user deployments
- ✅ Simple UX – wallet just needs to show you “After: +100 USDC, -0.1 ETH”
- ✅ Permissionless – no whitelists, no gatekeepers
What are the Limitations?
It’s not a silver bullet:
- Balance checks can’t cover non-balance state (like governance votes, NFT metadata, staking positions).
- If you declare your expected balances wrong, the transaction may just revert (annoying) or leave leftover tokens sitting in the proxy (anyone can later sweep them).
- Approvals are literal: if you tell it to grant an allowance, it does, even if the spender is malicious.
So: it makes value transfers safe and clear, but it doesn’t magically protect against every smart contract bug or scam.
Hardware Wallet Integration
Integration is straightforward:
- Hardware wallet firmware only needs to parse our proxy contract ABI.
- Display the balance changes and metadata (symbol, decimals).
- No need to chase every new DeFi protocol.
- One integration → universal coverage.
Why It Matters: The Bybit Hack Example
In 2023, the Bybit hack showed the danger of blind signing. Attackers tricked users into signing opaque calldata that looked meaningless on the wallet screen but actually drained funds.
If users had seen:
- “After this transaction: -1000 USDT”
instead of hex, the attack would’ve been obvious.
Our proxy makes that possible — without requiring the hardware wallet to “understand” the attacker’s custom contract.
TL;DR
Blind signing is broken.
Clear signing is the fix, but traditional ABI parsing won’t scale.
Balance-based clear signing makes transactions transparent, universal, and permissionless.
Hence EIP-8009.