Permit3 is an open-source token approval protocol that enables multichain token permission with a single signature and full gas abstraction. It eliminates the need for redundant approvals and native gas tokens, enabling developers to simplify cross-chain token operations using a single user signature. Permit2, by contrast, solved the same problem on a single chain. If you already know Permit2 and you are weighing whether the upgrade is worth the integration work, this is the comparison you need.
This post walks through the concrete technical deltas between Permit2 and Permit3: the Unbalanced Merkle Tree structure, nonce management, the allowance model, backward compatibility guarantees, and where the gas numbers actually land. If you want the definitional overview of the protocol instead, start with our full Permit3 guide.
The One-Paragraph Summary
Permit2 lets a user sign one EIP-712 message to authorize token spending on a single chain. Permit3 lets a user sign one EIP-712 message to authorize token spending across every chain where Permit3 is deployed. The cryptographic trick that makes that possible is an Unbalanced Merkle Tree whose root is what the user actually signs, with each leaf scoping a per-chain permission. Permit3 also ships new nonce semantics, expanded allowance modes, ERC-7702 integration, and multi-token support for ERC-721 and ERC-1155. It keeps the full Permit2 interface intact so existing integrations upgrade in place.
Side-by-Side Technical Comparison
Dimension | Permit2 | Permit3 |
Chain scope | Single chain per signature | Multichain per signature via Merkle proof |
Contract address | Same address via singleton factory, chain-specific | Same address everywhere via ERC-2470 singleton |
Signing payload | EIP-712 typed data for one chain's permissions | EIP-712 typed data over the Merkle root of all chains' permissions |
Nonce model | Bitmap nonce (sequential-friendly) | Salt-based non-sequential nonces (async-friendly) |
Allowance modes | Transfer, Decrease | Transfer, Decrease, Lock, Unlock, Increase |
Token types | ERC-20 only | ERC-20, ERC-721, ERC-1155 in one interface |
ERC-7702 integration | Not native | Native |
Witness data | Supported | Supported (superset) |
Emergency stop | Per-nonce invalidation | Account locking (global) + per-nonce invalidation |
Backward compatibility | n/a | Implements full IPermit interface; drop-in replacement |
Unbalanced Merkle Trees, Explained
The core technical innovation in Permit3 is the Unbalanced Merkle Tree used to authorize permissions across multiple chains in a single signature. The tree's structure is deliberately asymmetric, and understanding why reveals the gas-efficiency argument for Permit3.
What a balanced Merkle tree would cost
A balanced Merkle tree assigns every leaf the same proof length. If you authorize permissions on 8 chains, every proof is 3 hashes deep. On cheap-gas chains like Arbitrum or Optimism, the proof verification is negligible. On Ethereum mainnet, where every hash in a Merkle proof burns real calldata and compute, 3 hashes on a long path still costs meaningfully more than a direct EIP-712 check.
How the unbalanced structure shifts cost
Permit3 orders chains in the tree by gas cost. Expensive chains sit close to the root with short proofs; cheap chains sit deep in the tree with longer proofs. The total amount of hashing happens wherever gas is cheap, and the expensive chain pays the minimum verification cost. The signer commits to the same total permission set, but the verification cost per chain is optimized.
The trade-off: proofs for cheap chains are longer than they would be in a balanced tree, which marginally increases their gas. The net is positive because the multiplier on Ethereum gas is so much larger than on L2 gas that every hash moved off Ethereum saves more than it adds elsewhere.
Why the hybrid shape matters
The Permit3 tree is not purely unbalanced. It is a hybrid: subtrees of related permissions (often per-token groupings) are balanced internally for simplicity, and the top-level structure connecting those subtrees is unbalanced to put the expensive chains near the root. This keeps the signing and verification code tractable while still capturing the gas asymmetry.
For applications that only target one chain, this is all moot. Permit2 works fine and the Merkle overhead is pure cost. For applications spanning multiple chains, the unbalanced design is the feature that makes one-signature cross-chain usable without eating the gas budget.
Nonce Management: Bitmap vs Salt
Permit2's nonce model uses a 256-bit bitmap, where each signature consumes one bit. This works well for sequential operations on a single chain but starts to break when permits are minted in bursts or across chains. Two permits signed at nearly the same moment can race for the same bitmap slot, forcing the wallet to pre-serialize signing or introducing retry logic.
Permit3 replaces the bitmap with a salt-based nonce. The signer chooses the salt. As long as each salt value is unique per signer, permits never collide. This is a small change with large implications.
Agentic systems can mint permits in parallel without coordinating through a single-threaded signer process.
Treasury ops can batch permits for multiple chains simultaneously without introducing a bottleneck.
Wallets can pre-sign a permit today for execution tomorrow without worrying about bitmap slot conflicts.
The trade-off is that the signer is responsible for salt uniqueness. In practice this is trivial (random 32-byte salt) but it is a responsibility shift versus Permit2's bitmap, which handled this automatically.
The Five Allowance Modes
Permit2 exposes two mutation modes on allowances: full transfer and decrease. Permit3 expands that to five.
Transfer pulls tokens from the signer to a recipient, deducting from the allowance. Same as Permit2.
Decrease lowers the allowance without moving tokens. Same as Permit2.
Increase raises the allowance from an existing permit. Useful for long-lived spenders that need to grow their budget without a fresh signature.
Lock freezes the allowance so it cannot be used until explicitly unlocked. Useful as a security control during a suspected compromise.
Unlock reverses a lock.
The expanded model lets Permit3 express flows that Permit2 cannot represent natively: pre-authorized budgets that grow over time, time-bound locks during high-risk windows, and graceful recoveries without having to invalidate all existing permits. If you are building a stablecoin rebalancing tool or any system that needs long-running authorizations, the five-mode model is notably more ergonomic.
Multi-Token Support: One Contract for ERC-20, ERC-721, ERC-1155
Permit2 only handles ERC-20. Teams building NFT marketplaces, gaming platforms, or any mixed-asset flow either wrote their own per-standard permit contracts or had users sign multiple different approval types.
Permit3 unifies the interface. A single permit can authorize any mix of ERC-20, ERC-721, and ERC-1155 movements in one signature. The spender receives the same permit call regardless of token standard and branches on the token type inside the contract. For an NFT marketplace that also accepts ERC-20 bids, this collapses what used to be three integration paths into one.
ERC-7702 Integration
EIP-7702 lets an EOA temporarily act as a smart contract for a single transaction. Permit3 ships native support for this pattern. An EOA can invoke Permit3 as part of a 7702 delegation, combining permission and execution in one transaction with no upfront smart-account deployment. For apps that want account-abstraction UX without forcing users into a separate smart wallet, this is the cleanest integration path.
Permit2 predates 7702 and has no native integration, so teams that want combined permit and execute flows have to build the glue themselves.
Backward Compatibility: What Actually Changes
The most important engineering property of Permit3 from an upgrade perspective: it implements the full Permit2 interface. Every function Permit2 exposes is present on Permit3 with the same signature and the same semantics. That means:
An app that accepts Permit2 signatures can swap the contract address to Permit3 and accept both Permit2-style and Permit3-style signatures without user-facing changes.
Wallets that already sign Permit2 messages can continue signing them; Permit3 will process them correctly.
Cross-chain functionality is strictly additive. Apps that only use single-chain permits pay no extra cost for the multichain capability they are not using.
This is the pragmatic choice that makes adoption realistic. A team that already shipped Permit2 does not need to re-audit their spender contract logic to upgrade to Permit3. The signature verification path is the same. The new capabilities (Merkle proofs, expanded allowance modes, multi-token) are opt-in.
Gas Cost: Does the Merkle Proof Eat the Savings?
The honest answer: for single-chain usage, Permit3 costs marginally more than Permit2 because of the Merkle verification overhead, even though the tree only has one leaf. The difference is small (a few thousand gas) and usually invisible in the context of a larger transaction.
For multichain usage, Permit3 wins cleanly. The alternative is separate Permit2 signatures on each chain, each requiring the user to hold native gas on that chain to sign it (because the spender contract needs gas to submit, and someone has to pay). Permit3 consolidates that into one off-chain signature. The cross-chain gas cost is paid only by the solver or relayer executing the permit on each destination chain, and the unbalanced tree structure keeps that cost low.
For applications that expect users to move stablecoins across more than one chain in a session, the net is dramatically in Permit3's favor. For a pure single-chain DEX, Permit2 remains slightly cheaper but the gap is small enough that most teams prefer the forward-compatibility of Permit3.
When Permit2 Is Still the Right Choice
Permit3 is not always the answer. A few cases where Permit2 still makes sense:
Single-chain-only applications with no multichain roadmap.
Contexts where the 2-3k extra gas per permit is material (very-high-volume single-chain DEX, for example).
Environments that cannot deploy new contracts yet (a chain where Permit3 has not been deployed).
Most teams reading this comparison do not fall into those categories, but they are worth flagging.
Migration Path: Permit2 to Permit3
A typical upgrade sequence for an app that already integrated Permit2:
Deploy or confirm Permit3 is available at
0xec00030c0000245e27d1521cc2ee88f071c2ae34on every chain you operate on.Update the spender contract's Permit2 address reference to the Permit3 address.
Test that existing Permit2-formatted signatures still verify correctly (they will, since Permit3 implements the Permit2 interface).
Add new signing flows that use the cross-chain Merkle structure for users opting into multichain.
Optionally expand to ERC-721/ERC-1155 support or the new allowance modes.
For the hands-on code, see our Permit3 developer implementation walkthrough. If you are thinking about the full lineage, our evolution-of-approvals guide traces the design decisions from ERC-20 through Permit3.
Where Permit3 Fits in a Broader Stack
Permit3 is the permission layer. It pairs with execution layers like Eco Routes for cross-chain stablecoin settlement, with ERC-7683 cross-chain intents as a complementary settlement standard, and with ERC-4337 account abstraction for teams that want smart-account UX on top of the permit layer. Each of these standards solves a different slice of the cross-chain UX problem, and Permit3 specifically handles the permission slice.
FAQ
Is Permit3 deployed on all chains Permit2 is on?
Permit3 is deployed at 0xec00030c0000245e27d1521cc2ee88f071c2ae34 on every chain Eco supports today. The deterministic ERC-2470 Singleton Factory makes adding new chains a one-call operation, so coverage expands as Eco's supported-chain list grows to fifteen-plus chains.
Can I accept both Permit2 and Permit3 signatures in the same spender contract?
Yes. Because Permit3 implements the full Permit2 interface, a spender contract that accepts a Permit2 signature will verify and execute a Permit2-formatted signature submitted to the Permit3 address. Cross-chain Permit3 signatures use a different entry point but can coexist with Permit2-style signatures in the same spender.
Does Permit3 support Solana?
Permit3 is an EVM protocol. The Merkle proof and EIP-712 primitives are Ethereum-native. Eco's broader stack supports Solana via Eco Routes, but the Permit3 contract itself deploys on EVM chains only. For Solana flows, teams use Routes' intent model for the transfer and handle SPL token approvals through Solana's native mechanisms.
How does Permit3 handle signature replay?
Each Permit3 signature encodes a deadline, a salt-based nonce, and a Merkle root committing to the full permission set. Once a permit is executed on a given chain, the nonce for that (signer, salt) pair is consumed and cannot be replayed. Replay across chains is handled by the per-leaf scoping in the Merkle structure.
Is the Permit3 contract upgradeable?
No. The Permit3 contract deployed at the canonical address is non-upgradeable by design. Upgrades ship as new contract deployments with distinct addresses, and the signing domain makes the contract address part of the signature scope, so permits cannot accidentally target a future version.