The Ethereum Foundation on Tuesday launched the Clear Signing security standard, aimed at ending "blind signing" of transactions. The feature will show users a readable description of an operation before they confirm it, replacing unreadable hex data. Leading hardware and software wallet providers have already joined.
The nature of the vulnerability
Blind signing has been part of Ethereum since the beginning. When confirming a transaction, wallets display technical data in byte-code format that most people cannot read or interpret. Users end up signing operations without knowing what those operations will do to their assets.
"Approving a transaction is meant to be the last line of defense when exercising control over what happens to your assets on the blockchain. When it is done blindly, that defense does not hold."
Ethereum Foundation, blog post on the Clear Signing launch, May 13, 2026
Attacks exploiting blind signing follow a predictable pattern. A phishing site asks a victim to approve what looks like a routine transaction, which actually grants the attacker full control over the victim's assets. Because the wallet only shows unreadable byte-code, most people click "Confirm" and lose everything.
Trezor CTO Tomáš Sušánka said attackers have been exploiting this gap "relentlessly" because no widely accessible security feature existed to distinguish malicious smart contracts from legitimate ones. This causes users to "unknowingly sign them, and lose everything," he said.
How Clear Signing works
Clear Signing implements the "What You See Is What You Sign" (WYSIWYS) principle. Before confirming a transaction, the wallet displays it in human-readable form: smart contract function names, amounts, addresses and other parameters in place of hex code.
The standard builds on two existing ERCs. ERC-7730 defines the format for human-readable transaction descriptions, and ERC-8176 creates an attestation and integrity verification framework. The standard also includes a decentralized off-chain registry for distributing descriptors and developer SDKs.
The descriptor registry will be open. Protocol developers can publish descriptions of their smart contracts, and wallets will pull those descriptions to show users. The ERC-8176 attestation system lets auditors verify the accuracy of those descriptions independently of contract creators.
Participants and timeline
Among the first participants in the standard: Ledger, Trezor, MetaMask, WalletConnect, Keycard, Argot, Sourcify, Zama, ZKnox and Fireblocks. Ledger had already developed ERC-7730 as the base descriptor standard and is the key technical contributor to the solution.
Trezor plans to implement Clear Signing by June 30, 2026. Sušánka called the standard "a critical security advancement for our entire industry" and added that its goal is to make transactions human-readable before approval.
The Trillion Dollar Security Initiative was launched by the Ethereum Foundation in May 2025 to make the network secure enough for a scenario where billions of people hold personal funds directly on-chain. Clear Signing is one of the practical steps toward that goal.
Losses and the pressure for change
The most prominent example of blind signing exploitation is the Bybit hack in 2025, which caused losses of roughly $1.4-1.5 billion. Attackers compromised a third-party service provider and manipulated transaction signatures, while Bybit staff confirmed the operations without noticing the substitution. It remains the largest crypto theft on record.
The problem goes well beyond one incident. North Korea-linked hacking groups have stolen more than $7 billion in assets since 2009, with crypto making up a large share of that. Clear Signing will not stop all attacks, but it removes one of the simplest attack vectors that bad actors have been using systematically.
Adoption will not happen overnight. Each wallet integrates the standard at its own pace, protocol developers need to publish their descriptors, and until they do, ordinary users remain exposed. The direction is set, though, and the key players in the self-custody market have already signed on.
Comments
Your email address will not be published. Required fields are marked *