Ethereum's EIP-7702 Feature Exploited for Automated Cryptocurrency Theft

Coin World | Saturday, May 31, 2025 1:04 pm ET

Ethereum’s EIP-7702, a recent enhancement aimed at improving the functionality of smart wallets, is being exploited by hackers to automate the theft of cryptocurrency. The trend shows how quickly cybercriminals adapt new technologies for illicit use. EIP-7702 allows externally owned accounts (EOAs) to function as smart contract wallets, enabling features like transaction batching and wallet recovery. However, the upgrade also lets malicious actors speed up the extraction of funds from compromised wallets, turning a useful technology into a tool for crime.

Prior to EIP-7702, attackers had to transfer Ethereum out of compromised wallets manually, which required significant time and effort. Now, attackers can authorize contracts that promptly forward any incoming Ethereum to their own addresses, effectively automating their heist operations. This drastically reduces the time needed to withdraw funds, allowing criminals to capture any incoming ETH instantly. Yu Xian, founder of the cybersecurity firm SlowMist, emphasized that these organized theft groups are not typical phishing operations, noting that the automated nature of EIP-7702 allows for large-scale exploits.
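A wallet owner or monitoring team can tell whether an account carries such an authorization by reading its code: under EIP-7702 a delegated EOA's code is the 23-byte designator `0xef0100` followed by the delegate contract's address. The sketch below is an added example, not code from the article or any project it names; it triages `eth_getCode` results against a list of delegates the owner actually chose, and all addresses, code values and the trusted list are constructed placeholders.

```python
"""Triage eth_getCode results for EIP-7702 delegations (added example)."""

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation designator
DESIGNATOR_LEN = 23                          # 3-byte prefix + 20-byte address


def parse_delegation(code_hex):
    """Return the delegate address if code_hex is a 7702 designator, else None."""
    raw = bytes.fromhex(code_hex[2:] if code_hex.startswith("0x") else code_hex)
    if len(raw) != DESIGNATOR_LEN or not raw.startswith(DELEGATION_PREFIX):
        return None  # empty code (plain EOA) or ordinary contract bytecode
    return "0x" + raw[3:].hex()


def triage(accounts, trusted_delegates):
    """Map each address to (status, delegate); status is plain/contract/trusted/review."""
    trusted = {a.lower() for a in trusted_delegates}
    report = {}
    for address, code_hex in accounts.items():
        delegate = parse_delegation(code_hex)
        if delegate is None:
            status = "plain" if code_hex in ("", "0x") else "contract"
            report[address] = (status, None)
        elif delegate in trusted:
            report[address] = ("trusted", delegate)
        else:
            # A delegation the owner did not set up: assume the key is exposed.
            report[address] = ("review", delegate)
    return report


# Constructed sample data: every address and code value here is made up.
WALLET_DELEGATE = "0x" + "aa" * 20   # hypothetical wallet contract the owner chose
SAMPLE_CODE = {
    "0x" + "01" * 20: "0x",                     # ordinary EOA, no delegation
    "0x" + "02" * 20: "0xef0100" + "aa" * 20,   # delegated to the trusted wallet
    "0x" + "03" * 20: "0xef0100" + "bb" * 20,   # delegated to an unknown contract
    "0x" + "04" * 20: "0x6080604052",           # regular contract bytecode
}

if __name__ == "__main__":
    for addr, (status, delegate) in triage(SAMPLE_CODE, [WALLET_DELEGATE]).items():
        print(addr, status, delegate or "-")
```

An account that lands in `review` should be handled as a key-compromise case, since the delegation itself can only be signed by whoever holds the private key.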

Research indicates that over 100,000 smart contracts are now associated with these malicious practices, raising significant security concerns. A recent study shows that a staggering 97% of wallet delegations involving EIP-7702 have been utilized for deploying contracts specifically designed to drain Ethereum from unsuspecting users. Out of approximately 190,000 delegated contracts analyzed, more than 105,000 are linked to malicious activities. Koffi, a senior analyst at Base Network, revealed that over a million wallets interacted with questionable contracts recently, illustrating the scale of the issue.

Importantly, Koffi clarified that while these wallets may be exploited, they weren’t compromised via EIP-7702; the attackers simply leveraged already exposed private keys. “These wallets were not hacked using 7702. The hacker obtained the private keys without doing anything related to 7702. Since they have the keys, they could transfer money out of these wallets by making regular transactions from each one,” Koffi stated. Despite the extensive operations facilitated by these features, data suggests that the attackers have not yet turned a profit, indicating either delays in execution or challenges in successfully retrieving funds.

A researcher from Wintermute reported that approximately 2.88 ETH has been allocated to authorize more than 79,000 addresses involved in this illicit activity. Notably, one address was accountable for nearly 52,000 authorizations, but the target address has not received any ETH thus far, further complicating the analysis of these attacks. “Although the intent behind EIP-7702 is positive, its misuse highlights the need for enhanced security measures,” stated Rahul Rumalla, Chief Product Officer at Safe.

As Ethereum continues to evolve with innovative features like EIP-7702, the rapid adaptation by malicious entities highlights the urgent need for enhanced security and monitoring. Users are advised to remain vigilant and consider implementing additional protective measures to safeguard their investments from potential breaches. EIP-7702 is primarily leveraged by coin-stealing entities, facilitating rapid transfers from wallets with compromised private keys or mnemonics.
