Wintermute warns Pectra upgrade leaves Ethereum users at risk of automated attacks
Quick Take An update included in Ethereum’s recent “Pectra” upgrade, intended to improve ease-of-use for users, has mostly been used by automated “sweeper” attacks to drain unsuspecting wallets, according to an analysis by Wintermute. Over 80% of EIP-7702 delegations, one function introduced in the upgrade, were devoted to a single malicious script, Wintermute found. One user lost nearly $150,000 to a phishing attack enabled by the script, according to blockchain security firm Scam Sniffer.
A recent Ethereum upgrade has mostly been used by malicious attackers seeking to drain wallets, according to an analysis by crypto trading firm Wintermute.
EIP-7702, an account-abstraction upgrade included in Ethereum's recent "Pectra" hard fork , is designed to improve ease of user experience by allowing wallets to temporarily behave like smart contracts, batching multiple actions, sponsoring gas fees, using passkey or social-authentication, or implementing spending limits in a single transaction. EIP-7702 was initially proposed and championed by Ethereum co-founder Vitalik Buterin.
However, over 80% of EIP-7702 delegations were authorized to multiple contracts with copy-pasted versions of the same basic code, which automatically "sweeps" wallets with leaked keys and sends the contents to the attacker who deployed the contract, according to Wintermute's Dune dashboard . Wintermute nicknamed the contract "CrimeEnjoyor."
"The CrimeEnjoyor contract is short, simple, and widely reused," Wintermute wrote on X. "This one copy-pasted bytecode now accounts for the majority of all EIP-7702 delegations. It’s funny, bleak, and fascinating at the same time."
Blockchain security firm Scam Sniffer recently identified a wallet that lost nearly $150,000 through a malicious batched transaction with links to the Inferno Drainer scam-as-a-service, a longtime nuisance in the crypto security space.
Security firm SlowMist also detailed the risks of EIP-7702 adoption in a recent analysis . "Wallet service providers should quickly support EIP-7702 transactions and, when users sign delegations, should prominently display the target contract to reduce the risk of phishing attacks," SlowMist wrote.
"As we predicted, the phishing gangs have caught up," wrote SlowMist founder Yu Xian on X . "Everyone should be vigilant, be careful that the assets in your wallet will be taken away."
Though EIP-7702 introduces a new way for automated attacks, security expert Taylor Monahan said the key issue was the underlying compromise of users' private keys.
"It's not actually a 7702 issue, its the same issue crypto has had since day one: end users struggle to secure their private keys," Monahan told the Block. "7702 just unlocks a bunch of cool abilities that make sweeping addresses more cost efficient and less tedious."
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
Interview with VanEck Investment Manager: From an Institutional Perspective, Should You Buy BTC Now?
The support levels near $78,000 and $70,000 present a good entry opportunity.
Macroeconomic Report: How Trump, the Federal Reserve, and Trade Sparked the Biggest Market Volatility in History
The deliberate devaluation of the US dollar, combined with extreme cross-border imbalances and excessive valuations, is brewing a volatility event.
Vitalik donated 256 ETH to two chat apps you've never heard of—what exactly is he betting on?
He made it clear: neither of these two applications is perfect, and there is still a long way to go to achieve true user experience and security.
Prediction Market Supercycle
Trending news
MoreCrypto prices
More
