Wintermute warns Pectra upgrade leaves Ethereum users at risk of automated attacks A recent Ethereum upgrade has mostly been used by malicious attackers seeking to drain wallets, according to an analysis by crypto trading firm Wintermute. EIP-7702, an account-abstraction upgrade included in Ethereum's recent "Pectra" hard fork, is designed to improve ease of user experience by allowing wallets to temporarily behave like smart contracts, batching multiple actions, sponsoring gas fees, using passkey or social-authentication, or implementing spending limits in a single transaction. EIP-7702 was initially proposed and championed by Ethereum co-founder Vitalik Buterin. However, over 80% of EIP-7702 delegations were authorized to multiple contracts with copy-pasted versions of the same basic code, which automatically "sweeps" wallets with leaked keys and sends the contents to the attacker who deployed the contract, according to Wintermute's Dune dashboard. Wintermute nicknamed the contract "CrimeEnjoyor." "The CrimeEnjoyor contract is short, simple, and widely reused," Wintermute wrote on X. "This one copy-pasted bytecode now accounts for the majority of all EIP-7702 delegations. It’s funny, bleak, and fascinating at the same time." Blockchain security firm Scam Sniffer recently identified a wallet that lost nearly $150,000 through a malicious batched transaction with links to the Inferno Drainer scam-as-a-service, a longtime nuisance in the crypto security space. Security firm SlowMist also detailed the risks of EIP-7702 adoption in a recent analysis. "Wallet service providers should quickly support EIP-7702 transactions and, when users sign delegations, should prominently display the target contract to reduce the risk of phishing attacks," SlowMist wrote. "As we predicted, the phishing gangs have caught up," wrote SlowMist founder Yu Xian on X. "Everyone should be vigilant, be careful that the assets in your wallet will be taken away." Though EIP-7702 introduces a new way for automated attacks, security expert Taylor Monahan said the key issue was the underlying compromise of users' private keys. "It's not actually a 7702 issue, its the same issue crypto has had since day one: end users struggle to secure their private keys," Monahan told the Block. "7702 just unlocks a bunch of cool abilities that make sweeping addresses more cost efficient and less tedious."
wintermute-warns-pectra-upgrade-leaves-ethereum-users-at-risk-of-automated-attacks-a-recent-ethereum-upgrade-has-mostly-been-used-by-malicious-attackers-seeking-to-drain-wallets-according-to-an-analy

Wintermute warns Pectra upgrade leaves Ethereum users at risk of automated attacks

A recent Ethereum upgrade has mostly been used by malicious attackers seeking to drain wallets, according to an analysis by crypto trading firm Wintermute.

EIP-7702, an account-abstraction upgrade included in Ethereum's recent "Pectra" hard fork, is designed to improve ease of user experience by allowing wallets to temporarily behave like smart contracts, batching multiple actions, sponsoring gas fees, using passkey or social-authentication, or implementing spending limits in a single transaction. EIP-7702 was initially proposed and championed by Ethereum co-founder Vitalik Buterin.

However, over 80% of EIP-7702 delegations were authorized to multiple contracts with copy-pasted versions of the same basic code, which automatically "sweeps" wallets with leaked keys and sends the contents to the attacker who deployed the contract, according to Wintermute's Dune dashboard. Wintermute nicknamed the contract "CrimeEnjoyor."

"The CrimeEnjoyor contract is short, simple, and widely reused," Wintermute wrote on X. "This one copy-pasted bytecode now accounts for the majority of all EIP-7702 delegations. It’s funny, bleak, and fascinating at the same time."

Blockchain security firm Scam Sniffer recently identified a wallet that lost nearly $150,000 through a malicious batched transaction with links to the Inferno Drainer scam-as-a-service, a longtime nuisance in the crypto security space.

Security firm SlowMist also detailed the risks of EIP-7702 adoption in a recent analysis. "Wallet service providers should quickly support EIP-7702 transactions and, when users sign delegations, should prominently display the target contract to reduce the risk of phishing attacks," SlowMist wrote.

"As we predicted, the phishing gangs have caught up," wrote SlowMist founder Yu Xian on X. "Everyone should be vigilant, be careful that the assets in your wallet will be taken away."

Though EIP-7702 introduces a new way for automated attacks, security expert Taylor Monahan said the key issue was the underlying compromise of users' private keys.

"It's not actually a 7702 issue, its the same issue crypto has had since day one: end users struggle to secure their private keys," Monahan told the Block. "7702 just unlocks a bunch of cool abilities that make sweeping addresses more cost efficient and less tedious."