Ethereum strongly promotes "what you see is what you sign": Why is Clear Signing an essential capability patch in the AI era?

Foresight News
The era of agents will further amplify the issue of "blind signing"—do you really understand what will happen in this transaction before you click to confirm?

Written by: imToken

For a long time, when discussing wallet security, we have commonly been reminded of two main things: keep your mnemonic phrase safe, and do not click on phishing links.

In self-custody wallets, the mnemonic phrase/private key always signifies control over assets, and its importance cannot be overstated. However, as AI Agents begin to enter scenarios involving wallets, transactions, payments, and on-chain execution, a new issue is becoming increasingly important: even if your private key has not been leaked, assets may still be transferred because of erroneous authorizations, misleading signatures, or contaminated automated instructions.

In other words, wallet security is moving beyond "who can control the assets" to also address "why the assets were transferred without the user intending it, in what manner they were transferred, and whether this aligns with the user's true intentions."

This is also a key reason that Clear Signing was further pushed towards the Ethereum open standardization process on May 12. Objectively speaking, it does not aim to solve a new problem, but rather to address an old issue that has long existed in the crypto world: many users do care about security, but before clicking confirm, they simply do not understand what they are actually signing.

1. In the Era of AI Agents, the Security Boundary of Web3 is Being Quietly Extended

It is well known that thanks to the emergence of AI Agents, on-chain interactions in Web3 are evolving towards a more natural language interface.

For example, in the past, if you wanted to complete a transaction, you had to open the DApp, connect your wallet, choose the path, confirm the authorization, and initiate the transaction—all steps required personal action and confirmation through pop-ups; in the future, this process may be greatly simplified to a single command: help me find a higher-yield stablecoin pool, help me swap my airdrop for ETH, and so on.

From an experience perspective, this is certainly an improvement. AI Agents can help users understand information, break down steps, generate transactions, improve efficiency, and even automatically complete operations within a certain range of permissions.

However, the flip side of enhanced efficiency is that the security boundary has been extended.

At this point, what determines the flow of funds is no longer the user alone; it may also include the Agent's understanding, external data sources, and several other links in the chain. If any one of these links is compromised, what the user sees as "help me execute" could become what the attacker intends: "transfer for me."

Recently, attackers have induced systems related to AI Agents to execute abnormal transfers through prompt injection on X, involving 3 billion DRB tokens, estimated at about $150,000 to $200,000. The core of such incidents is not the traditional leak of private keys, but how the AI system understands inputs, how it gains permissions, and how it passes instructions to the on-chain execution layer.

This also validates that attackers do not necessarily need to directly breach wallets; as long as they get the Agent to mistakenly interpret malicious input as a valid command under excessive permissions, real financial losses can occur.

After all, in traditional internet scenarios, a manipulated prompt could result only in incorrect answers, leaked context, or erroneous API calls; but in crypto scenarios, once the Agent is connected to the wallet, holds authorization, and can initiate transactions, erroneous instructions can directly become on-chain transfers, which are irreversible. This shifts the security issues of AI Agents from just "model safety" to asset security.

Therefore, wallet security in the era of AI Agents cannot rely solely on "AI being a bit smarter" to resolve. The crucial point is that there must be a sufficiently clear, verifiable, and understandable security interface between the Agent generating transactions and the user confirming signatures.

This interface is the wallet.

2. Does clicking "confirm" really mean the user understands?

For ordinary users, the action they are most familiar with in wallets may be "confirm."

Connecting to DApps requires confirmation, swapping requires confirmation, authorizing tokens requires confirmation, cross-chain actions require confirmation, claiming airdrops requires confirmation, staking/borrowing or minting NFTs also require confirmation.

The problem is that many confirmation pages do not truly inform users of "what will happen after confirmation."

Often, users see only a string of function names, sometimes a bunch of incomprehensible hexadecimal data, and sometimes just a very vague Approve or Sign Message. Technically, this information may not be incorrect; however, for most users, it does not form an effective judgment.

This is the most dangerous aspect of "blind signing."

Blind signing does not mean that the user sees nothing at all; rather, the information they see is insufficient to support a judgment. It is like preparing to sign a contract whose content is written in a language you cannot understand, with only an "agree" button presented. You certainly know you are signing, but you do not know what consequences you will bear after signing.

The Ethereum Foundation also emphasized in its announcement regarding Clear Signing that the final step in many major attacks is not a code vulnerability, but that users approved a transaction they cannot truly understand. If transaction confirmation is supposed to be the last line of defense for users controlling assets, then blind signing renders that line ineffective.

Therefore, if we say that the account abstraction of the past few years has solved "how to execute more conveniently," then Clear Signing solves "how to verify more clearly before execution." These two actually complement each other—because without a better signing explanation, the more complex the automated execution and the stronger the account capabilities, the more likely it is to create larger spaces for misoperation.

ERC-7730 emerges in this context. According to the proposal's own description, it is a structured data format for Clear Signing that supplements information beyond ABI and message types through a JSON file, transforming raw transaction data into a more human-readable display. It can also be directly consumed by machine systems such as transaction simulators.

To put it simply, ERC-7730 does not change on-chain transactions themselves, but adds a layer of standardized explanation between the transaction and the user. For example, in the past, wallets may have shown only function selectors and parameters, but with ERC-7730 they can display the specific operation in user-readable form.

On this basis, any wallet supporting ERC-7730 can present the raw function selector and integer parameters as something like "Swap 1,000 USDC for at least 0.42 WETH." This may seem like a UI-level improvement, but in reality, it fundamentally upgrades security capabilities:

Only when users understand the transaction content does confirmation have real significance, and a wallet that can structure and display transaction intent gives users the opportunity to identify problems before signing.
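The step from raw calldata to a readable confirmation screen can be shown with a short added example (not code from imToken or from the ERC-7730 proposal). The descriptor layout below is a simplified, hypothetical stand-in for an ERC-7730 JSON file, and the token and spender addresses are constructed; only the `approve(address,uint256)` selector `0x095ea7b3` is a real on-chain value.

```python
# Added illustration: a simplified descriptor, not the full ERC-7730 schema.
UNLIMITED = 2**256 - 1
TOKEN = "0x" + "11" * 20      # constructed token contract address
SPENDER = "0x" + "22" * 20    # constructed spender address

DESCRIPTOR = {
    "contract": TOKEN,
    "token": {"ticker": "USDC", "decimals": 6},
    "formats": {
        "095ea7b3": {  # selector of approve(address,uint256)
            "intent": "Approve token spending",
            "fields": [("Spender", "address"), ("Amount", "tokenAmount")],
        }
    },
}

def build_approve(spender, amount):
    """Construct sample approve() calldata: selector + two 32-byte words."""
    return "0x095ea7b3" + spender[2:].rjust(64, "0") + f"{amount:064x}"

def clear_sign(to, calldata_hex, descriptor=DESCRIPTOR):
    """Return the lines a wallet would show, or a refusal to interpret."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    fmt = descriptor["formats"].get(data[:4].hex())
    if to.lower() != descriptor["contract"].lower() or fmt is None:
        return ["UNKNOWN CALL: no descriptor matches; this would be blind signing"]
    if len(data) != 4 + 32 * len(fmt["fields"]):
        return ["MALFORMED CALL: calldata length does not match the descriptor"]
    lines = [fmt["intent"]]
    for i, (label, kind) in enumerate(fmt["fields"]):
        word = data[4 + 32 * i : 36 + 32 * i]
        if kind == "address":
            if any(word[:12]):  # ABI addresses are left-padded with zeros
                return ["MALFORMED CALL: non-zero padding in address field"]
            value = "0x" + word[12:].hex()
        else:
            raw, tok = int.from_bytes(word, "big"), descriptor["token"]
            if raw == UNLIMITED:  # unlimited allowance deserves its own wording
                value = f"UNLIMITED {tok['ticker']}"
            else:
                unit = 10 ** tok["decimals"]
                value = f"{raw // unit:,}.{raw % unit:0{tok['decimals']}d} {tok['ticker']}"
        lines.append(f"{label}: {value}")
    return lines

if __name__ == "__main__":
    for amount in (1000 * 10**6, UNLIMITED):
        print(clear_sign(TOKEN, build_approve(SPENDER, amount)))
```

The same calldata sent to a contract the descriptor does not cover falls through to the "UNKNOWN CALL" line, which is the case a wallet should surface rather than hide behind a generic Approve button.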

3. Verifiable UI: What users see is what will actually happen

This brings us back to the Verifiable UI that we have been emphasizing recently.

If the goal of Clear Signing is to let users understand what they have signed, then the problem Verifiable UI aims to solve is more advanced: can the content that users see establish a trustworthy correspondence with the actual on-chain execution?

This is critically important in the Web3 context.

Many users are accustomed to trusting the DApp frontend; if the page says "claim rewards," they believe they are claiming rewards; if the page says "stake," they think they are staking; if the page mentions "security verification," they assume it is merely for identity verification.

However, what can actually move assets is not the button on the webpage, but the final transaction signed in the wallet.

DApp frontends can be attacked, domain names can be spoofed, page texts can be disguised, and the information read by AI Agents could even be sourced from contaminated webpages or social content. If the wallet simply mechanically pops up a confirm button, users still remain in a state of "trusting the frontend."

This is the significance of imToken's plan to support ERC-7730 and advance Verifiable UI + Clear Signing.

It is not just about displaying a few more lines of text on the confirmation page but transforming the wallet from "the last button of the transaction" into "the last layer of verification before signing." When the user or AI Agent is ready to initiate a transaction, the wallet needs to do its best to inform the user of which contract this transaction truly calls, what assets are actually being transferred, who the authorized party is, the scope of authorization, and whether the final result aligns with what is displayed on the page.

This capability will become increasingly important in the era of AI Agents.

Agents can assist users in many tasks, but they can also make mistakes, so users cannot delegate all judgment to the Agent. Nor can the wallet simply present the Agent-generated transaction for users to confirm without scrutiny; a more reasonable approach is for the Agent to enhance efficiency and for the wallet to uphold security boundaries.

This embodies the value of Verifiable UI + Clear Signing. It is not about stopping users from using new technologies, but rather ensuring that new technologies operate within more verifiable boundaries. Especially with smart accounts, AI Agents, automated transactions, and cross-chain executions becoming increasingly prevalent, the wallet confirmation page should not remain in the low information density state of "Confirm / Approve," but should become a key interface for users to understand on-chain actions (for further reading, see "From the Kelp DAO Incident to Verifiable UI: Why 'Verifiable Interfaces' Will Be the New Decentralized Security Baseline?").

In Conclusion

The crypto industry has always been striving for a better user experience.

From mnemonic phrases to smart accounts, from manual operations to AI Agents, from single transactions to batch executions, wallets are becoming more powerful and closer to the usage patterns of everyday internet products. However, the more this is the case, the more we cannot ignore a fundamental fact: on-chain transactions are irreversible, and signing remains the most critical step before the flow of user assets.

In the past, we often said "do not leak your mnemonic phrase"; in the future, with the extensive infiltration of AI Agent capabilities into Web3 and on-chain environments, we may need to add: do not sign transactions that you do not understand, and do not let Agents execute unverifiable commands for you.

Ultimately, whether it is the Ethereum Foundation promoting the standardization of Clear Signing or imToken planning to support ERC-7730 and advance Verifiable UI + Clear Signing, it essentially points in the same direction:

The wallets of the new era must not only be easier to use but also more trustworthy, serving as true assistants for users to understand on-chain activities.
