Sooner or later a website will ask your wallet to do something, and a popup will appear asking you to approve it. Most people learn to tap the blue button and move on. That habit is fine until the day the request is not what it looks like. The good news is that there are only a few kinds of request a wallet can make, each does a very specific thing, and once you can tell them apart, a lot of the risk disappears.
This guide explains the three you will meet most often: connecting, signing a message, and confirming a transaction. It applies to any self-custody wallet on Base, including Simple Base Swap.
Connecting is not the same as approving
The first thing a website usually asks for is a connection. You tap connect, your wallet shows the site name, and you confirm.
A connection does one thing: it shares your public wallet address with the site so the page can show your balances and prepare actions for you. That is all. Connecting does not move funds, does not grant spending permission, and does not sign anything on the blockchain. Your address is already public information, visible to anyone on a block explorer, so handing it to a site is low risk by itself.
The risk comes next, in what the connected site then asks you to sign. A connection is the doorway. The signature is the decision.
The two kinds of signature
Once connected, a site can ask your wallet to sign something. There are two very different kinds, and wallets do not always make the difference obvious.
Transaction signatures
A transaction signature is the normal one. You are telling the Base network to do something on chain: send tokens, swap, or grant an approval. These cost a small gas fee in ETH, they appear in your wallet history, and you can look them up later on a block explorer. When you confirm a swap in a wallet, this is what you are doing. Because they cost gas and show up on chain, transactions are visible and traceable.
Message signatures
A message signature is quieter. You sign a piece of text or structured data, it costs no gas, and nothing appears on chain at the moment you sign. Message signatures have honest, everyday uses. Logging in to a site by proving you control an address is the common one, often shown as a plain sentence like "Sign in to confirm you own this wallet." Signing a harmless login message cannot move your funds.
The catch is that not every message is a harmless login. Some structured messages are permissions in disguise.
The permission hidden in a signature
Modern token standards let you grant a spending approval by signing a message instead of sending a transaction. The most common is called a permit, defined by a standard known as EIP-2612, along with a related system from Uniswap called Permit2. The idea is convenient and legitimate: instead of paying gas for a separate approval, you sign an off-chain message that says a given contract (the spender) may spend a given amount of a given token.
Used honestly, this saves you a step and a fee. Used dishonestly, it is one of the most effective scams in crypto. A malicious site shows you a signature popup that looks like a routine login, but the data you are signing is actually a permit that authorizes an attacker's contract to move your tokens. You sign, nothing seems to happen, and moments later the approval is redeemed on chain and your balance is gone. Because the dangerous step was an off-chain signature, there was no gas fee and no obvious transaction to warn you.
Security researchers who track these losses, such as Scam Sniffer, have reported that permit and signature phishing became one of the largest single sources of stolen funds in recent years, precisely because the request looks so ordinary.
How to read a request before you approve
You do not need to understand the cryptography. You need a short, calm checklist.
- Check the site, every time. Confirm the exact domain in your browser bar before you connect or sign. Drainer sites copy real brands and use look-alike addresses. If you reached the page from a direct message, a giveaway, or an unexpected email, treat it as hostile.
- Read what the popup actually says. A login signature names the site and says something like "prove ownership." A permit names a token, a spender, and an amount. If a request mentions a token and a spending amount, it is a permission, not a login, no matter how it is labeled.
- Be suspicious of "unlimited." If an amount is shown as unlimited or as a very large number, ask why a simple action needs unlimited access to your funds.
- Slow down when you feel rushed. Countdown timers, "claim before it expires," and "your wallet is at risk, sign to secure it" are pressure tactics. A real service does not lose anything if you take a minute to check.
- When in doubt, reject. Rejecting a signature costs you nothing. You can always retry a genuine action. There is no undo after you sign a malicious one.
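To make the "read what the popup says" step concrete, here is an added example (not code from the article or from Simple Base Swap) that classifies a signature request the way the checklist and the permit section above describe: a plain-text login message can never be a spending permission, while typed data that names a spender and an amount is one, with "unlimited" flagged separately. The field names follow EIP-2612 and Permit2; the 2^128 "very large number" threshold and all addresses and amounts are constructed for this example.

```javascript
// Added example, not code from the original article or from Simple Base Swap.
// It applies the checklist above to what a wallet actually hands you to sign:
// either a plain-text message (personal_sign) or an EIP-712 typed-data object
// (eth_signTypedData). Field names follow EIP-2612 Permit and the Permit2
// PermitSingle / PermitTransferFrom structs; all sample values are constructed.

const MAX_UINT256 = (1n << 256n) - 1n; // "unlimited" for an EIP-2612 value
const MAX_UINT160 = (1n << 160n) - 1n; // "unlimited" for a Permit2 amount
// Assumed threshold: above 2^128 base units counts as the checklist's "very large number".
const HUGE = 1n << 128n;

function classifySignRequest(request) {
  // Plain text can prove you control an address, but it has no spender or
  // amount field, so it can never be a spending permission.
  if (typeof request === "string") {
    return { kind: "login", token: null, spender: null, amount: null, unlimited: false };
  }
  const { domain = {}, message = {} } = request;
  // EIP-2612: message = {owner, spender, value, nonce, deadline}; domain is the token.
  // Permit2:  message = {details|permitted: {token, amount, ...}, spender, ...}.
  const inner = message.details ?? message.permitted ?? {};
  const rawAmount = message.value ?? message.amount ?? inner.amount;
  const spender = message.spender ?? null;
  if (rawAmount === undefined || spender === null) {
    // Typed data without both a spender and an amount (e.g. a typed login) is not a permission.
    return { kind: "login", token: domain.name ?? null, spender: null, amount: null, unlimited: false };
  }
  const amount = BigInt(rawAmount);
  const token = inner.token ?? domain.verifyingContract ?? domain.name ?? null;
  const unlimited = amount === MAX_UINT256 || amount === MAX_UINT160 || amount > HUGE;
  return { kind: "permission", token, spender, amount, unlimited };
}

// Constructed sample requests with placeholder addresses (not real contracts).
const loginRequest = "Sign in to confirm you own this wallet.";
const permitRequest = {
  domain: { name: "Example Token", verifyingContract: "0x000000000000000000000000000000000000dEaD" },
  primaryType: "Permit",
  message: {
    owner: "0x0000000000000000000000000000000000000001",
    spender: "0x0000000000000000000000000000000000000002",
    value: MAX_UINT256.toString(), // unlimited: the red flag from the checklist
    nonce: 0,
    deadline: 1893456000,
  },
};
console.log(classifySignRequest(loginRequest).kind);      // login
console.log(classifySignRequest(permitRequest).unlimited); // true
```

A wallet that already decodes typed data shows you the same fields; the point is to look for a spender and an amount before reading the label the site put on the popup.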
A few habits that lower the risk for good
Keep the bulk of your funds in a wallet you do not connect to random sites, and use a smaller, separate wallet for experimenting. Periodically review the approvals you have granted using a block explorer or a reputable approval checker, and revoke any you no longer recognize. And remember the one rule that never changes: no legitimate site, support agent, or wallet will ever ask for your recovery phrase, and signing a message is never a reason to type it in.
A signature popup is not something to fear. It is a question your wallet is asking on your behalf. Once you know the difference between connecting, logging in, and granting a permission, you can answer that question with confidence instead of reflex.
Sources: SlowMist on permit signature phishing, DEXTools on wallet drainer attacks, eco.com guide to Permit2.