Ethereum Pushes for "What You See Is What You Sign": Why Clear Signing is a Necessary Security Patch for the AI Era?
- Core Argument: As AI Agents enter crypto wallets and on-chain execution environments, wallet security is shifting from "private key control" to "transaction intent verification." Clear Signing and Verifiable UI are becoming the core pathways to prevent users from losing assets due to blind signing or misleading signatures.
- Key Elements:
- While AI Agents improve efficiency, they also extend the security perimeter. Attackers can use prompt injection to induce the system to execute abnormal transfers (like the case of 3 billion DRB tokens). Asset security no longer relies solely on private keys.
- Most users fail to understand transaction data (such as hex parameters) when "blind signing." The Ethereum Foundation emphasizes that ERC-7730 (Clear Signing standard) transforms raw data into human-readable content, such as "Swap 1,000 USDC for 0.42 WETH."
- Verifiable UI requires a trustworthy correspondence between what the user sees about a transaction and the on-chain execution result, preventing the DApp frontend from being tampered with or spoofed into a real asset transfer.
- ERC-7730 uses structured JSON files to supplement ABI information, which wallets and transaction simulation systems can directly consume, enhancing the verification capability before signing.
- In the AI Agent era, wallets need to evolve from a mere "confirm button" to the "last line of verification before signing." In automated transactions, they must guard the asset boundary, ensuring the user understands the intent and consequences of each operation.
For a long time, when discussing wallet security, the two most common reminders were: safeguard your seed phrase and don't click on phishing links.
In self-custodial wallets, seed phrases and private keys represent ultimate asset control, and their importance cannot be overstated. However, as AI Agents begin to integrate into wallets, transactions, payments, and on-chain execution scenarios, a new issue is becoming increasingly critical: Even if your private key is never compromised, your assets can still be transferred away due to a wrong authorization, a misleading signature, or a compromised automated instruction.
In other words, the focus of wallet security is shifting from "who controls the assets" to "why and how the assets moved, and whether that movement aligns with the user's true intent."
This is precisely why Clear Signing was further pushed into the Ethereum Open Standardization process on May 12. Objectively speaking, it doesn't aim to solve a brand new problem, but rather a long-standing issue in the crypto world: Many users do care about security; they simply cannot understand what they are signing before clicking "confirm."
I. The AI Agent Era is Quietly Extending Web3's Security Perimeter
As we know, thanks to AI Agents, on-chain interactions in Web3 are evolving towards more natural language interfaces.
For instance, to complete an operation in the past, you had to manually open a DApp, connect your wallet, select a route, confirm authorization, and initiate a transaction. Every step required personal action and pop-up confirmation. In the future, this complex process could be drastically simplified to a single command: "Find me a stablecoin pool with better yields," or "Help me claim my airdrop and swap it for ETH."
From a user experience perspective, this is undoubtedly progress. AI Agents can help users understand information, break down steps, generate transactions, improve efficiency, and even automatically execute operations within certain permission boundaries.
However, the flip side of increased efficiency is an extended security perimeter.
The ultimate flow of funds is no longer determined solely by the user; it now also depends on the Agent's interpretation, external data sources, and other links. If any one of these links is compromised, a user's command to "help me execute" could turn into an attacker's desired "transfer my assets."
Recently, attackers used prompt injection on X to trick an AI Agent system into executing an anomalous transfer involving 3 billion DRB tokens, valued at approximately $150,000 to $200,000. The core of such incidents is not a traditional private key leak, but how the AI system understands input, obtains permissions, and passes instructions to the on-chain execution layer.
This confirms that attackers don't necessarily need to break into the wallet directly. Simply making the Agent misinterpret a malicious input as a valid command under excessive permissions can lead to actual financial loss.
In traditional internet scenarios, prompt injection affecting an AI might only result in incorrect answers, context leakage, or erroneous API calls. But in the crypto world, once an Agent is connected to a wallet, has authorizations, and can initiate transactions, a wrong command can directly trigger an irreversible on-chain transfer. This elevates AI Agent security from a mere "model safety" issue to an "asset security" concern.
Therefore, wallet security in the AI Agent era cannot rely solely on "making AI smarter." The critical factor is a clear, verifiable, and understandable security interface between the Agent generating the transaction and the user confirming the signature.
This interface is the wallet.
II. Does Clicking 'Confirm' Really Mean the User Understands?
For ordinary users, the most familiar action in a wallet is probably clicking "Confirm."
You confirm to connect to a DApp, confirm a Swap, confirm a token approval, confirm a cross-chain bridge, confirm a claim, confirm staking/lending, or minting an NFT. It's a constant stream of confirmations.
The problem is that many confirmation screens don't truly inform the user about "what will happen after confirmation."
Often, the user sees a function name, sometimes a string of incomprehensible hexadecimal data, or a very generic "Approve" or "Sign Message" prompt. Technically, this information might not be incorrect; but for the vast majority of users, it provides no basis for a sound judgment.
This is the most dangerous aspect of blind signing.
Blind signing doesn't mean the user didn't look at all; it means the information presented is insufficient for them to decide. It's like signing a contract written in a language you don't understand, leaving only an "I Agree" button visible. You know you are signing something, but you don't know the consequences of your signature.
The Ethereum Foundation also emphasized in its announcement related to Clear Signing that the final step of many major attacks isn't a code vulnerability, but a user approving a transaction they couldn't truly understand. If transaction confirmation is meant to be the last line of defense for user asset control, then blind signing renders that defense useless.
So, if Account Abstraction over the past few years addressed "how to execute more conveniently," Clear Signing tackles "how to verify more clearly before execution." These are two sides of the same coin. Without better interpretation of signatures, more complex automated execution and more powerful account capabilities create a greater potential for catastrophic errors.
This is where ERC-7730 comes in. According to the EIP-7730 proposal, it is a structured data format for Clear Signing. It uses JSON files to supplement information beyond ABIs and message types, transforming raw transaction data into a display format more suitable for human verification, while also being consumable by machine systems like transaction simulators.
More simply put, ERC-7730 doesn't change the on-chain transaction itself; it adds a standardized layer of interpretation between the transaction and the user. An example makes this clear: as shown below, a wallet might previously only display the function selector and parameters. But with ERC-7730, it can present the specific, user-readable operation content.
Based on this, any wallet supporting ERC-7730 can display a raw function selector and integer parameters as "Swap 1,000 USDC for at least 0.42 WETH". This might seem like a UI improvement, but it's a fundamental upgrade in security capabilities:
Only when the user understands the transaction content does confirmation have real meaning. And only when the wallet can structurally display the transaction intent does the user have a chance to spot a problem before signing.
III. Verifiable UI: Ensuring What You See is Exactly What Will Happen
This brings us back to Verifiable UI, a concept we've been emphasizing recently.
If the goal of Clear Signing is to let users understand what they are signing, Verifiable UI aims to go a step further: can a trusted correspondence be established between what the user sees and the actual on-chain execution?
This is critical in the Web3 context.
Many users tend to trust the DApp frontend. If the page says "Claim Rewards," users assume they are claiming rewards. If it says "Stake," users assume they are staking. If it says "Security Verification," users assume it's just identity verification.
But the tool that actually moves assets is not the button on a webpage; it's the transaction ultimately signed in the wallet.
DApp frontends can be attacked, domains can be spoofed, page text can be disguised, and even information read by an AI Agent might come from compromised web pages or social media content. If the wallet mechanically presents a confirmation button, the user remains in a state of "trusting the frontend."
This is the significance of imToken's plan to support ERC-7730 and advance Verifiable UI + Clear Signing.
It's not simply about displaying a few more lines of text on the confirmation page. It's about transforming the wallet from the "last button for a transaction" into the "final verification layer before signing." When a user or AI Agent prepares to initiate a transaction, the wallet should do its best to inform the user: which contract is actually being called, which asset is actually being transferred, who is the approval target, what is the scope of the approval, and whether the final result matches what the page displayed.
This capability becomes even more critical in the AI Agent era.
Agents can help users with many tasks, but they can also make mistakes. Users cannot delegate all judgment to the Agent, and the wallet cannot just pass the Agent-generated transaction directly for the user to confirm in its raw form. A more reasonable approach is for the Agent to focus on improving efficiency, while the wallet focuses on guarding the boundaries.
This is the value of Verifiable UI + Clear Signing. It's not about preventing users from using new technology, but enabling it within verifiable boundaries. Especially as smart accounts, AI Agents, automated trading, and cross-chain execution become more common, the wallet confirmation screen should no longer remain in a low-information-density state of "Confirm/Approve." It should evolve into a critical interface for users to understand on-chain actions (Further reading: From the Kelp DAO Incident to Verifiable UI: Why 'Verifiable UI' is the New Decentralized Security Baseline?).
Final Thoughts
The crypto industry has always pursued better user experiences.
From seed phrases to smart accounts, from manual operations to AI Agents, from single transactions to batch executions, wallets are becoming more powerful and closer to the usability of everyday internet products. But the more they evolve, the more we must not lose sight of a fundamental truth: on-chain transactions are irreversible, and signing remains the most critical step before user assets can move.
In the past, we often said, "Don't leak your seed phrase." In the future, as AI Agent capabilities deeply permeate Web3 and on-chain activities, we may need to add: Don't sign a transaction you don't understand, and don't let an Agent execute an instruction you cannot verify.
Ultimately, whether it's the Ethereum Foundation promoting the standardization of Clear Signing, or imToken planning to support ERC-7730 and advance Verifiable UI + Clear Signing, it all points in the same direction:
The next-generation wallet must not only be more user-friendly but also more trustworthy, truly becoming the user's ally in understanding the on-chain world.
