Ethereum’s Pectra upgrade is a “hacker’s delight”, Wintermute warns: EIP-7702 enables automated attacks on a large number of contract deployments

Ethereum EIP-7702 has been maliciously abused, and Wintermute revealed that hackers used it to automatically empty customer wallets, increasing security risks.
(Previous summary: Vitalik’s new proposal for Ethereum expansion: reduce node requirements with increased Gas Limit and create some stateless nodes)
(Background supplement: Vitalik disclosed Ethereum Rollup transition mathematical model: moving towards “complete decentralization” in three stages)

EIP-7702 in Ethereum’s recent Pectra upgrade Account abstraction functions such as these were originally intended to improve user experience, but security companies and traders have warned that malicious attackers are currently taking advantage of them on a large scale. Cryptocurrency trading company Wintermute issued a warning stating that this feature is being used to automatically empty user wallets, posing a serious threat to user assets.

EIP-7702 design has been abused and hackers automatically stole funds

The Ethereum Pectra upgrade was launched on May 7, 2025, in which EIP-7702 allows externally owned accounts (EOA) to temporarily obtain smart contract functions. However, according to T, Wintermute warned on June 1 that more than 80% of EIP-7702 delegated authorizations were locked in the malicious script "CrimeEnjoyor".

An attacker tricks users into signing an off-chain malicious delegation, which automatically transfers all funds in the wallet. Scam Sniffer report cases indicate that users have lost nearly $150,000 due to such phishing attacks, with more than 100,000 malicious contracts and more than 1 million wallets involved.

Experts urge users to be wary of the industry’s urgent push for protection mechanisms

Blockchain security company SlowMist also pointed out that if `chain_id = 0` is included in the signature, it may trigger cross-chain replay attacks and expand the scope of risks. Security expert Taylor Monahan told reporters:

"Although EIP-7702 has introduced a new attack vector, the fundamental problem still lies in the protection of users' private keys."

Wintermute has launched a warning system to help users identify risks, and together with SlowMist recommended that wallet service providers should prominently prompt the delegation contract target. According to Mitrade analysis, wallets and decentralized applications (dApps) are actively integrating new warning mechanisms.

In summary, although the Ethereum EIP-7702 function brings convenience, it also opens the door to automated attacks. Users must be vigilant, only authorize through official channels, and strengthen private key management. The industry is working hard to improve security measures, but users’ own careful operations are still the key line of defense for asset security.