tags: [[Security]] This doc relates to [[EIP2612 Signed token approvals]][[EIP3009 Transfer with Authorization]] [[EIP712 Ethereum typed structured data hashing and signing]]. Inspiration comes from [[Salmonella Contract]] Rough Implementation is in [[Permit Singleton]]doc ~This doc is a creative collaboration between Nathan & Anett & Simon & Ronan.~ # Permits General - Permits allow 3rd party signing the contracts and let 3rd party to sign in and pay tx fees. User create a signature that permits 3rd party to move their tokens but they wont sign every detail of what they consent to. - Permits can allow contract to use users token without the he user first needing to first to send an `approve()` transaction. - Permits does not have any logic but can have logic mechanisms like time frame - deadline which adds time frame and time locks for security - Permits allows you to approve NFT by NFT without approving all the NFTs __ # Permits vs non-permits transactions **Permits** Instead of signing approve transaction, user signs the data [[approve]] (spender, amount) > - User signs the signature - via Permit which will sign the the [[approve]] (myContract.address, amount) function. > - User submits signature to `myContract.doSomething(signature)` > - `myContract` uses `token.permit` to increase allowance, followed by `token.transferFrom` **Regular tx** > - User submits `token.approve(myContract.address, amount)` transaction > - Wait for transaction confirmation > - User submits second `myContract.doSomething()` transaction which internally uses `token.transferFrom` Source: https://soliditydeveloper.com/erc20-permit ## Usability of Permits "Having a permit or something similar is pretty helpful, because it enables transactions without fees, and for transactions to be batched. For example if you have an NFT with a permit, and I am an exchange, then you can sign a “permision” which allows me to move your NFT to a certain address. I can now move your NFT for you and pay your transaction costs. If lots of people give me permission I can move all their NFT’s in a single transaction."- Nathan # Implementation & Examples Here's an example of a vulnerable implementation: -Notice the 'to' address is not signed- https://github.com/archerdao/archerswap/blob/master/packages/smart-contracts/contracts/ArcherSwapRouter.sol#L63 Implementation: https://www.npmjs.com/package/eth-permit Same implementation but GitHub link: https://github.com/dmihal/eth-permit Example code: https://github.com/makerdao/developerguides/blob/master/dai/how-to-use-permit-function/how-to-use-permit-function.md [[ERC20]] implementation of DAI by Maker: https://docs.makerdao.com/smart-contract-modules/dai-module/dai-detailed-documentation#3-key-mechanisms-and-concepts > We recommend any users using the `approval` for a specific amount be aware of this particular issue and use caution when authorizing other contracts to perform transfers on their behalf. > There is a slight deviation in `transferFrom` functionality: If the `src == msg.sender` the function does not require `approval` first and treats it as a normal `transfer` from the `msg.sender` to the `dst`. # [[Simple-explanantion]] ELI5 explanation: Permits are permissions that sends the approve tx to allow dApp to use / spend your tokens. Example: Uniswap asks you for using DAI in order to swap DAI for some other token # How to use Permit function (Needs to be implemented correctly) The ERC721 and ERC1155 have implementation that allows 3rd party to transfer tokens between accounts, I assume this is helpful in case of the artist is new to blockchain, just installed MetaMask and someone sent the artist ETH for tx so the artist can upload the NFT and the platform handles the sale - artist sells the artwork to platform, platform sells the artwork to buyer on behalf or artist. > This is done via set[[Approval]] function which is a line of Solidity code that gives permission to Marketplace to sell your NFT to buyer - the account that bids the highest amount **[[Implementation]] use case** Adding permits to the contract will require an artist (creator) to send approval tx for the NFT to be send to the owner (winner of the auction / buyer) when the auction ends or when someone will want to buy the NFT. "When you sell an NFT on a Marketplace you do a call to approve the marketplace contract to manage this NFT for you. This way, when a sale occurs, the Marketplace transfers the NFT from you to the other account. But until then, the NFT stays in your account, you didn't put it in an escrow. " - Simon ## Use case for [[New standard - suggestions]] Implementation Markerplace contract could just request the user to sign a approval message (no tx) and use that as part of the sale offer matching. Permit will remove the need to pre-approve the marketplace contract, it can be done just at the point of purchase. Permit would allow sale of the NFT not create contract. The NFT will be created by usual tx, and there will be requirement to sign message - permit that would allow the NFT to be on sale. It seems like we are going to have implementation that will be extension of both ERC721 and ERC1155 standards. Permits will be used as off chain message signatures that will approve (confirm) purchase of the NFT. Author of the NFT will sign message with his wallet which will trigger sale function. ### How permits reduces the need to do on-chain tx with less gass used ? Permits are messages not transactions. They are informative pop ups in wallets that informs you about the actions. # Futher [[reading]] OpenZeppelin implementation of Permit function to [[ERC20]] https://forum.openzeppelin.com/t/add-erc20-permit-function/2706 Uniswap Permits integration https://uniswap.org/docs/v2/smart-contract-integration/supporting-meta-transactions/ A Long Way To Go: On Gasless Tokens and ERC20-Permit https://soliditydeveloper.com/erc20-permit