Buy Crypto
Pay with
USD
USD
Buy & Sell
Hot
Supports Visa, Mastercard, SEPA & more
P2P
0 Fees
Flexible trading, zero fees
Gate Card
Use your crypto for payments worldwide
Markets
Trade
Basic
Advanced
Futures
Futures
Access hundreds of perpetual contracts
TradFi
Gold
One platform for global traditional assets
Options
Hot
Trade European-style vanilla options
Unified Account
Maximize your capital efficiency
Demo Trading
Introduction to Futures Trading
Learn the basics of futures trading
Futures Events
Join events to earn rewards
Demo Trading
Use virtual funds to practice risk-free trading
Earn
Launch
CandyDrop
Collect candies to earn airdrops
Launchpool
Quick staking, earn potential new tokens
HODLer Airdrop
Hold GT and get massive airdrops for free
Pre-IPOs
Unlock full access to global stock IPOs
Alpha Points
Trade on-chain assets and earn airdrops
Futures Points
Earn futures points and claim airdrop rewards
Investment
Square
Square
Post, share, and explore crypto trends
Live
moments live
Live crypto market analysis
Chat
Chat with crypto traders
News
What is happening in crypto
flower_head
More
Promotions
AI
Others
TradFi
WCTC S8
Rewards
Square
Latest
Hot
News
Profile

EIP-7702 vulnerability exploited, attacker siphons off 95 ETH into a mixer

SignatureVerifier
robot
Abstract generation in progress

【BitPush】Just reported a contract security incident. An attacker exploited an uninitialized EIP-7702 delegate contract vulnerability, successfully gaining owner permissions of the contract, and then directly withdrew all funds from the delegate address. On-chain monitoring data shows that the attacker has transferred 95 ETH (approximately $280,000) to Tornado Cash for mixing.

The key issue in this incident is the initialization flaw in the EIP-7702 delegate contract—because the contract was not properly initialized during deployment, the attacker was able to seize the owner role at a very low cost. Once controlling the owner permissions, withdrawing funds became a trivial task. After the funds were transferred to Tornado Cash, tracking them became significantly more difficult.

This serves as a reminder for developers to ensure the completeness of the initialization process when deploying delegate contracts, to prevent attackers from exploiting vulnerabilities. For ordinary users, it’s advisable to check whether new contracts have undergone security audits before interacting with them.

ETH-0.5%
View Original
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
  • Reward
  • 5
  • Repost
  • Share
Comment
Add a comment
Add a comment
RugPullAlarm
· 2025-12-28 01:38
It's the uninitialized contract causing the trouble again. It's truly astonishing that such a basic mistake still occurs in 2024. 95 ETH sent to Tornado is as if it never existed; on-chain data shows the fund flow has completely broken off, which is the most heartbreaking part. Developers really should reflect—if you can't even understand initialization, how dare you launch?
View OriginalReply0
Web3ExplorerLin
· 2025-12-25 04:15
hypothesis: the uninitialized state pattern here basically mirrors the ancient city gates left unguarded... except the consequences are measured in eth rather than gold. brilliant execution by the attacker, tbh—found the one thread nobody pulled before deployment and just... yanked it. tornado cash cleanup is *chef's kiss* operational security theater at its finest
Reply0
PhantomMiner
· 2025-12-25 04:09
Is this another case of poor initialization? Developers need to learn their lesson this time...
View OriginalReply0
RooftopReserver
· 2025-12-25 03:55
Once again, the initialization wasn't done properly. These developers really need to be more careful. 95 ETH is gone just like that, and once it's in Tornado Cash, it's even harder to recover.
View OriginalReply0
ChainComedian
· 2025-12-25 03:48
Once again, the initialization wasn't done properly. These developers are really... 95 ETH just disappeared like that, and with Tornado, it's even harder to track. I’ve always said that the delegation mode needs to be handled with caution, but still, someone ended up crashing.
View OriginalReply0

  • Pin

Sitemap