ERA Wallet Closed the Blind Signing Gap That Has Cost DeFi Billions
- Blind signing remains one of DeFi’s most dangerous everyday risks because users often approve smart contract transactions they cannot read.
- The Bybit hack showed how private keys can stay protected while a malicious approval still drains assets.
- ERA Wallet introduces ERA Lens™, an on-device transaction parsing engine that turns raw calldata into plain-language details before signing.
- The announcement called blind signing a structural flaw linked to billions in user losses, including the Bybit hack.
What Happened
On May 12, the Ethereum Foundation and an Ethereum Working Group of wallet developers and security firms launched Clear Signing, an open standard for readable Ethereum transaction approvals. The announcement called blind signing a structural flaw linked to billions in user losses, including the Bybit hack.
For simple transfers, users expect to see a recipient address and an amount. DeFi transactions are more complex. A smart contract approval can involve a function call, token permission, spend limit, destination address, swap path, lending action, staking action, or contract upgrade.
Market Context
Blind signing has often been treated as a wallet UX issue, a user education issue, or a warning screen issue. Users need to understand what a transaction will do before approving it; otherwise the final confirmation screen becomes a weak security control.
In the Bybit case, security analyses described a workflow in which signers believed they were approving a routine transfer, while the underlying transaction redirected control of the wallet proxy to an attacker contract.
Why It Matters
Hardware wallets became popular because they removed private keys from internet-connected devices. That was the right answer to a major risk: malware, phishing pages, browser attacks, and compromised laptops trying to steal seed phrases or sign directly from hot wallets.
DeFi created a different risk. Users now interact with smart contracts every day. They approve token permissions, bridge assets, swap through routers, deposit into vaults, stake, lend, borrow, claim rewards, and connect to new protocols. Each action can contain complex calldata.
Details
For DeFi users, the same pattern appears every day:
- A wallet asks for approval;
- A hardware device shows a hash, encoded calldata, or a fragment of information only a developer can read;
- The app looks familiar, the process feels routine, and the user signs.
Blind signing begins when cold storage protects the key, while the user approves an instruction they cannot read.
Blind signing is the act of approving a transaction without seeing the full transaction intent in human-readable form. When a wallet or dApp lacks clear signing support, users see unreadable hashes or encoded data, making it impossible to verify what they are authorizing.
The danger appears when the interface says one thing and the payload says another. A front-end, browser extension, or connected phone can display a clean transaction summary while the signing device receives data the user cannot interpret. Once signed, the blockchain executes the instruction exactly as authorized.
Cold storage protects private keys from extraction. Transaction visibility is a separate security problem.
A hardware wallet can keep the key offline and still ask the user to approve an unreadable transaction. The signing environment is secure, but the decision-making process can remain blind.
This is why clear signing became such an important security theme. Clear signing turns transaction data into readable fields, such as function, amount, recipient, token, and protocol.
The challenge, however, is coverage. Clear signing depends on supported wallets, supported dApps, metadata, and implementation across the ecosystem. Developers create JSON metadata for smart contract functions and submit it to a registry, after which compatible wallets can display the transaction in plain language.
DeFi moves quickly. New contracts, routers, protocols, aggregators, and app interfaces appear constantly. Users often leave integrated wallet environments to interact with third-party dApps. At that point, readable signing depends on whether the full path supports it.
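To make the readable-fields idea and the coverage problem concrete, here is a small, added decoder in the spirit of clear signing. It is constructed for this article and is not ERA Lens, not the Clear Signing standard, and not any wallet's code. The four selectors are the real keccak-256 prefixes of the named ERC-20 and ERC-721 functions; the registry layout, field names, summary templates and the sample calldata are assumptions made up here. It shows three things the text describes: raw calldata turned into function, recipient and amount; a payload whose selector has no metadata falling back to "unreadable bytes" (the coverage gap); and a check that the intent a front-end claims actually matches what the payload encodes.

```python
"""Added example: a minimal clear-signing style decoder for EVM calldata.

Constructed for this article; not ERA Lens, not the Clear Signing
standard, not any wallet's code. Selectors are the real keccak-256
prefixes of the named functions; everything else is an assumption.
"""

UINT256_MAX = 2**256 - 1

# Hypothetical metadata registry: selector -> how to present the call.
# Real schemes ship this kind of JSON alongside a contract ABI; this layout is made up.
REGISTRY = {
    "095ea7b3": {"name": "approve",
                 "params": [("spender", "address"), ("amount", "uint256")],
                 "summary": "Allow {spender} to spend up to {amount} of this token"},
    "a9059cbb": {"name": "transfer",
                 "params": [("to", "address"), ("amount", "uint256")],
                 "summary": "Send {amount} of this token to {to}"},
    "23b872dd": {"name": "transferFrom",
                 "params": [("from", "address"), ("to", "address"), ("amount", "uint256")],
                 "summary": "Move {amount} of this token from {from} to {to}"},
    "a22cb465": {"name": "setApprovalForAll",
                 "params": [("operator", "address"), ("approved", "bool")],
                 "summary": "Set operator {operator} for ALL tokens in this collection: {approved}"},
}


def _word(data: bytes, index: int) -> bytes:
    """Return the 32-byte ABI word for static argument `index` (after the 4-byte selector)."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError(f"calldata truncated at argument {index}")
    return word


def _decode_param(word: bytes, typ: str):
    """Decode one static ABI type; reject malformed padding instead of guessing."""
    if typ == "address":
        if any(word[:12]):  # address is right-aligned; the upper 12 bytes must be zero
            raise ValueError("non-zero padding in address word")
        return "0x" + word[12:].hex()
    if typ == "uint256":
        return int.from_bytes(word, "big")
    if typ == "bool":
        value = int.from_bytes(word, "big")
        if value not in (0, 1):
            raise ValueError("bool word is not 0 or 1")
        return bool(value)
    raise ValueError(f"unsupported type {typ}")


def describe(calldata_hex: str) -> dict:
    """Turn raw calldata into readable fields, or report why it cannot be read."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        return {"readable": False, "reason": "calldata shorter than a selector"}
    selector = data[:4].hex()
    meta = REGISTRY.get(selector)
    if meta is None:
        # No metadata for this function: the blind-signing case, only bytes can be shown.
        return {"readable": False, "selector": selector,
                "reason": "no metadata for selector", "raw": calldata_hex}
    if len(data) != 4 + 32 * len(meta["params"]):
        return {"readable": False, "selector": selector,
                "reason": "argument length does not match ABI"}
    args = {name: _decode_param(_word(data, i), typ)
            for i, (name, typ) in enumerate(meta["params"])}
    flags = []
    if args.get("amount") == UINT256_MAX:
        flags.append("unlimited allowance or amount")
    if meta["name"] == "setApprovalForAll" and args.get("approved") is True:
        flags.append("grants operator control over every token")
    shown = {k: str(v) for k, v in args.items()}
    return {"readable": True, "function": meta["name"], "args": args,
            "flags": flags, "summary": meta["summary"].format(**shown)}


def matches_intent(calldata_hex: str, expected_function: str, expected_args: dict) -> bool:
    """Check that what a front-end claims (function and key fields) is what the payload encodes.

    Addresses are compared as lowercase hex; pass expected addresses in that form.
    """
    d = describe(calldata_hex)
    if not d["readable"] or d["function"] != expected_function:
        return False
    return all(d["args"].get(k) == v for k, v in expected_args.items())


# Constructed sample calldata (addresses and amounts are made up).
APPROVE_UNLIMITED = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32
TRANSFER_1000 = "0xa9059cbb" + "00" * 12 + "22" * 20 + format(1000, "064x")
UNKNOWN_CALL = "0xdeadbeef" + "00" * 32  # selector with no metadata in the registry

if __name__ == "__main__":
    for label, cd in [("approve", APPROVE_UNLIMITED), ("transfer", TRANSFER_1000), ("unknown", UNKNOWN_CALL)]:
        print(label, describe(cd))
    # A screen that says "transfer" while the payload encodes "approve" must not pass.
    print("intent ok:", matches_intent(APPROVE_UNLIMITED, "transfer", {}))
```

The interesting branch is the one with no registry entry: the decoder does not invent a summary, it reports that the bytes cannot be read, which is the honest state a wallet is in whenever a new router or aggregator has shipped ahead of its metadata. The intent check is the defender's counterpart to the front-end/payload mismatch the article describes: the approval screen is derived from the calldata that will actually be signed, not from what the connected app claims.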