cyotee/permit2-nonce-management
.claude/skills/permit2-nonce-management/SKILL.md
Bitmap nonce patterns for Permit2 signature replay protection. Use when generating nonces for SignatureTransfer permits.
tools
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add cyotee/crane permit2-nonce-managementInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 10:08 PM4.9s1 file scanned
SKILL.md
- name:
- permit2-nonce-management
- description:
- Bitmap nonce patterns for Permit2 signature replay protection. Use when generating nonces for SignatureTransfer permits.
Permit2 Nonce Management
Permit2 uses a bitmap nonce system for replay protection (not sequential).
Understanding Bitmap Nonces
- 256 nonces per "word" (bitmap)
- Nonce =
(wordIndex << 8) | bitIndex - Must verify nonce bit is unused before signing
Simple Nonce Patterns
Pattern 1: Timestamp-based (Recommended)
// Simple, low collision risk for user-initiated flows
const nonce = BigInt(Date.now()) << 8n
// Shift by 8 = room for 256 retries within same timestamp second
Pattern 2: Sequential with Retry
let nonce = nextNonce++
try {
signature = await signTypedData(...)
} catch {
nonce = nextNonce++
}
Pattern 3: Query Bitmap (Most Robust)
async function getFreeNonce(owner: string): Promise<bigint> {
for (let wordPos = 0; wordPos < 100; wordPos++) {
const bitmap = await publicClient.readContract({
address: PERMIT2_ADDRESS,
abi: [{
inputs: [
{ name: 'owner', type: 'address' },
{ name: 'wordPos', type: 'uint256' }
],
name: 'nonceBitmap',
outputs: [{ name: 'bitmap', type: 'uint256' }],
stateMutability: 'view',
type: 'function'
}],
functionName: 'nonceBitmap',
args: [owner, BigInt(wordPos)]
})
if (bitmap !== MaxUint256) {
for (let bitPos = 0; bitPos < 256; bitPos++) {
if ((bitmap >> BigInt(bitPos)) & 1n === 0n) {
return (BigInt(wordPos) << 8n) | BigInt(bitPos)
}
}
}
}
throw new Error('No free nonce')
}
Usage with Signature Transfer
const nonce = BigInt(Date.now()) << 8n
const permit: SignatureTransfer.PermitTransferFrom = {
permitted: { token: tokenAddress, amount: amount },
nonce,
deadline: BigInt(Math.floor(Date.now() / 1000) + 1800n)
}
Best Practices
- For swap UX: Use timestamp-based - simple, works well
- For high-frequency: Query bitmap - ensures uniqueness
- Include in witness: Bind nonce to action to prevent cross-function replay
- Handle expiration: 30 min typical (1800 seconds)
Related Skills
cyotee/web-design-guidelines
development
VerifiedTrustedCommunity
Review UI code for Web Interface Guidelines compliance. Use when asked to "review my UI", "check accessibility", "audit design", "review UX", or "check my site against best practices".
SKILL.mdUpdated Apr 17, 2026
cyotee/wagmi-write-contract
documentation
VerifiedTrustedCommunity
Write to contracts and send transactions. Use when executing state-changing contract functions.
SKILL.mdUpdated Apr 17, 2026
cyotee/wagmi-transports
development
VerifiedTrustedCommunity
HTTP and WebSocket transports for blockchain connectivity. Use when configuring network connections.
SKILL.mdUpdated Apr 17, 2026
cyotee/wagmi-read-contract
data-ai
VerifiedTrustedCommunity
Read contract data with type-safe ABI. Use when querying smart contract view/pure functions.
SKILL.mdUpdated Apr 17, 2026