Wintermute Warning: EIP-7702 in the Pectra upgrade is being maliciously exploited, which may lead to users being subjected to automated attacks.

On June 2, TheBlock reported that Wintermute recently issued a warning that the Ethereum Pectra upgrade could lead to automated attacks on users. The EIP-7702 feature (Account Abstraction Improvement) in Ethereum’s Pectra upgrade is being maliciously abused, with over 80% of the authorization being used for automated attacks. Blockchain security firm Scam Sniffer recently observed that a user lost nearly $150,000 in a phishing attack that deployed a copy-and-paste contract called “CrimeEnjoyor” that automatically wiped a wallet with a leaked private key. EIP-7702 was proposed by Ethereum founder Vitalik Buterin to enhance the user experience by temporarily equipping wallets with smart contract functions, including batch processing of multiple transactions, sponsoring gas fees, using biometrics/social authentication, setting a single transaction limit, and more. According to Wintermute’s Dune dashboard, the vast majority of EIP-7702 authorizations go to functionally identical malicious contracts. Security expert Taylor Monahan notes that EIP-7702 makes emptying addresses “less expensive and less laborious.” Wintermute commented, "It’s both hilarious and brutal, and the same copied bytecode makes up the majority of the EIP-7702 license. BlockBeats previously reported that SlowMist founder Yu Sine said that the biggest users of Ethereum’s new mechanism EIP-7702 are coin thieves (not phishing organizations). EIP-7702 allows the automatic transfer of funds from wallets with leaked private keys or mnemonic phrases through authorization, with more than 97% of EIP-7702 delegations pointing to stolen contracts.