Daily Crypto News & Musings

Ethereum’s Pectra Upgrade: EIP-7702 Exploited in Phishing Scams – Stay Safe

22 May 2025 Daily Feed

Urgent Alert: Ethereum’s EIP-7702 Pectra Upgrade Exploited by Phishing Scammers

Ethereum’s Pectra upgrade, launched on May 7, introduced EIP-7702, allowing Externally Owned Accounts (EOAs, accounts controlled directly by private keys) to temporarily transform into smart contract wallets. However, this innovation has quickly become a target for phishing scammers, posing serious risks to users’ funds.

  • EIP-7702 enables EOAs to act as smart contract wallets
  • Phishing scam exploits EIP-7702, redirecting ETH to scammers
  • Hardware wallets now vulnerable, multisignature wallets safer

EIP-7702 promised to make Ethereum more user-friendly by granting EOAs the ability to briefly enjoy the benefits of smart contract wallets. But this feature has become a double-edged sword, opening up new avenues for scams. GoPlus Security has identified a phishing scam exploiting EIP-7702, with over 10,000 addresses affected. A malicious delegator address (0x930fcc37d6042c79211ee18a02857cb1fd7f0d0b) tricks users into authorizing a transaction that redirects their ETH to a scammer’s wallet (0x000085bad). Phishing scams, where fraudsters trick people into revealing sensitive information or authorizing malicious transactions, are a persistent threat in the crypto world. In this case, the scam takes advantage of the new delegation mechanics introduced by EIP-7702.

To safeguard against these threats, GoPlus Security recommends trusting only wallet interfaces for EIP-7702 features. Be wary of any external links or emails asking for upgrades—they’re likely scams. It’s vital to verify contract source code, steer clear of non-open-source contracts, and thoroughly check the authorization (delegate) address before signing anything.

Perhaps the most alarming revelation is that hardware wallets, previously considered the fortress of crypto security, are now equally vulnerable to these new risks. Yehor Rudytsia, an on-chain researcher at Hacken, warns:

“If done, all the funds are gone in a moment.”

Rudytsia’s stark reminder underscores the importance of user vigilance. The delegation signature format introduced by EIP-7702 isn’t compatible with existing standards like EIP-191 or EIP-712: what the wallet is asked to sign often appears as a bare 32-byte hash, so the decoded-message warnings wallets normally show don’t apply. As security expert Usman points out:

“If a message includes your account nonce, it’s probably affecting your account directly.”

The chain_id = 0 vulnerability adds another layer of risk: an authorization signed with chain_id set to 0 is valid on any Ethereum-compatible chain, so a single signature can be replayed across different networks.
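As an added illustration (not code from the article, GoPlus or Hacken) of the two warning signs above, the account nonce inside the message and chain_id = 0, here is a pre-signing screen of an EIP-7702 authorization tuple. It assumes the EIP-7702 format, in which the signed digest is keccak256 of the byte 0x05 followed by rlp([chain_id, address, nonce]); the verified-delegate allowlist is a hypothetical input.

```python
# Added example: screen an EIP-7702 authorization tuple before signing it.
# Assumes EIP-7702's digest = keccak256(0x05 || rlp([chain_id, address, nonce])).
from dataclasses import dataclass

# Malicious delegator address reported by GoPlus Security (quoted from the article).
KNOWN_MALICIOUS_DELEGATES = {"0x930fcc37d6042c79211ee18a02857cb1fd7f0d0b"}


@dataclass
class Authorization:
    chain_id: int   # 0 means "valid on every chain" under EIP-7702
    address: str    # delegate contract whose code the EOA will execute
    nonce: int      # only takes effect if it equals the EOA's current nonce


def _length_prefix(length: int, offset: int) -> bytes:
    if length < 56:
        return bytes([offset + length])
    len_bytes = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(len_bytes)]) + len_bytes


def rlp_encode(item) -> bytes:
    """Minimal RLP for ints, byte strings and lists (enough for an authorization)."""
    if isinstance(item, int):
        item = item.to_bytes((item.bit_length() + 7) // 8, "big")  # 0 -> b""
    if isinstance(item, (bytes, bytearray)):
        if len(item) == 1 and item[0] < 0x80:
            return bytes(item)
        return _length_prefix(len(item), 0x80) + bytes(item)
    payload = b"".join(rlp_encode(x) for x in item)
    return _length_prefix(len(payload), 0xC0) + payload


def authorization_preimage(auth: Authorization) -> bytes:
    """Bytes whose keccak256 is the bare 32-byte hash the wallet is asked to sign."""
    delegate = bytes.fromhex(auth.address[2:])
    return b"\x05" + rlp_encode([auth.chain_id, delegate, auth.nonce])


def screen_authorization(auth, current_chain_id, account_nonce, verified_delegates):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings, addr = [], auth.address.lower()
    if auth.chain_id == 0:
        findings.append("chain_id=0: signature is replayable on every EVM chain")
    elif auth.chain_id != current_chain_id:
        findings.append(f"chain_id={auth.chain_id} is not the connected chain")
    if addr in KNOWN_MALICIOUS_DELEGATES:
        findings.append("delegate is a known malicious address")
    elif addr not in {a.lower() for a in verified_delegates}:  # hypothetical allowlist
        findings.append("delegate is not a verified open-source contract")
    if auth.nonce == account_nonce:
        findings.append("nonce matches your account: this binds YOUR EOA to the delegate")
    return findings
```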

In the face of these challenges, multisignature wallets stand out as a safer choice under the Pectra upgrade. Because they require approval from several private keys before a transaction can be executed, a single phished signature is not enough, which adds an extra layer of security against the risks introduced by EIP-7702.

Despite these risks, the future of smart accounts on Ethereum remains promising. Leading wallets like MetaMask have already integrated EIP-7702 safely, while others such as Ambire and Trust Wallet have issued patches or warnings to mitigate the risks. The proactive stance of wallet providers is crucial in protecting users and ensuring the secure adoption of new features.

While EIP-7702 represents a step forward in enhancing Ethereum’s usability, the rapid pace of innovation must be matched with robust security measures and continuous user education. As the crypto ecosystem evolves, the challenge lies in balancing the potential of new features with the need to keep bad actors at bay. Walking the line between innovation and security is a tightrope act, but with clear communication from developers and security experts, users can navigate it safely.

From a Bitcoin maximalist perspective, one might argue that Bitcoin’s straightforward design and focus on security over complexity offer a more secure alternative. However, Ethereum’s ecosystem continues to push the boundaries of what’s possible in blockchain technology, and innovations like EIP-7702, despite their risks, pave the way for a more versatile and user-friendly future.

Key Takeaways and Questions

  • What is the Pectra upgrade and when was it activated?

    The Pectra upgrade is an Ethereum upgrade that was activated on May 7, introducing features like EIP-7702.

  • What is EIP-7702 and how does it affect Ethereum users?

    EIP-7702 allows Externally Owned Accounts (EOAs) to temporarily act as smart contract wallets, enhancing user experience but also exposing them to new security risks, such as phishing scams.

  • What are the main security risks associated with EIP-7702?

    The main security risks include phishing scams where ETH is redirected to scammers’ wallets after users authorize malicious delegators, and vulnerabilities in hardware wallets due to the signing of malicious messages.

  • What safety measures are recommended to users of EIP-7702?

    Users should only trust wallet interfaces for EIP-7702 features, avoid external links or emails asking for upgrades, verify contract source codes, be cautious of non-open-source contracts, and carefully check authorization addresses.

  • How does the Pectra upgrade affect the security of hardware wallets?

    The Pectra upgrade has increased the risk for hardware wallets, making them as vulnerable as hot wallets to malicious message signing, which can lead to the loss of funds.

  • Why are multisignature wallets considered safer under the Pectra upgrade?

    Multisignature wallets are considered safer because they require multiple signers for transactions, providing an additional layer of security against the new risks introduced by EIP-7702.

  • What is the significance of the delegation signature formats introduced by EIP-7702?

    The new delegation signature formats are not compatible with existing standards like EIP-191 or EIP-712, and often appear as simple 32-byte hashes that can bypass normal wallet warnings, increasing the risk of exploitation.

  • What does the chain_id = 0 vulnerability mean for EIP-7702 signatures?

    The chain_id = 0 vulnerability means that EIP-7702 signatures can be replayed on any Ethereum-compatible chain, making them usable across different networks and increasing the potential for misuse.