Ethereum's EIP-7702 Update Exploited for 12,000 Suspicious Transactions

Ethereum’s Pectra update, which introduced the EIP-7702 feature, has inadvertently become a tool for malicious actors to drain funds from wallets with compromised private keys. The update, implemented on May 7, was designed to enhance wallet usability by allowing standard wallets to temporarily function like smart contracts. This enables features such as gas sponsorship, spending limits, and transaction batching. However, the feature has been rapidly adopted by malicious actors, leading to over 12,000 transactions involving suspicious contracts.

Wintermute, a blockchain security firm, reported that more than 80% of EIP-7702 delegations are being used to enable “sweeper” contracts. These automated contracts target wallets with leaked private keys and instantly transfer funds to the attacker’s wallet. A single contract, nicknamed “CrimeEnjoyor,” is responsible for the majority of these wallet-draining activities. The contract’s code is simple and widely copied, making it easy for scammers to replicate. Wintermute publicly decoded the contract’s bytecode to help wallet developers and users identify suspicious delegations, aiming to raise awareness and prompt faster community responses in flagging malicious activity.

In one incident, a user lost nearly $150,000 in a single batched transaction linked to the “Inferno Drainer” scam, a well-known toolkit used by phishing groups. Wintermute’s analysis revealed that 97% of all EIP-7702 delegations so far use nearly identical code, indicating widespread misuse of the feature. While EIP-7702’s design is not inherently flawed, experts agree that it enables faster, cheaper automated attacks once a wallet’s private key is compromised. Taylor Monahan, a well-known crypto security advocate, stressed that the core issue is ongoing private key leakage across the ecosystem.

Security researchers are urging wallet providers to clearly display delegation targets to users. Without this transparency, users may unknowingly authorize malicious contracts. Blockchain security firm SlowMist warned that phishing gangs have already adapted to exploit EIP-7702. As a result, wallet providers and users must remain vigilant. Wintermute has called on the Ethereum community to report known malicious contracts and increase visibility into delegation mechanics. Their findings suggest that stronger safeguards and more transparent wallet interfaces are now critical to user safety.

Wintermute has responded to this threat by launching a new warning system designed to alert Ethereum users about malicious contracts. This system aims to prevent devastating wallet-draining attacks and enhance overall transaction security. The firm’s Dune dashboard revealed that the script's copy-pasted bytecode has been a primary tool for these attacks, highlighting the urgent need for enhanced security measures. The impact of these attacks has been severe, with one user losing nearly $150,000 to a phishing attack enabled by the malicious script. This incident underscores the vulnerability of users' private keys, which remain a critical point of failure in the crypto ecosystem.

Security experts have emphasized the need for vigilance, stating that phishing gangs have quickly adapted to exploit the new feature. They recommended that wallet service providers support EIP-7702 transactions and prominently display the target contract during user sign-offs to reduce the risk of phishing attacks. A security expert also commented on the issue, noting that the underlying problem lies in users' inability to secure their private keys. The expert pointed out that while EIP-7702 introduces new capabilities for automated attacks, the root cause remains the same: users struggle to protect their private keys. This makes sweeping addresses more cost-efficient and less tedious for attackers.

In response to these challenges, Wintermute's new warning system aims to provide an additional layer of security for Ethereum users. By alerting users to the presence of malicious contracts, the system seeks to mitigate the risk of wallet-draining attacks and enhance the overall security of transactions on the Ethereum network. This proactive approach by Wintermute underscores the importance of continuous innovation and vigilance in the rapidly evolving world of cryptocurrency. The introduction of EIP-7702 has brought innovation to Ethereum, allowing users to delegate control of their wallets. However, along with this convenience comes an alarming vulnerability. As Wintermute highlighted, this feature has been exploited by contracts designed to automatically drain wallets when users expose their private keys. The firm’s new tool aims to illuminate these risks, improving the safety of the Ethereum ecosystem.

Blockchain security is paramount, particularly given the recent incidents where unsuspecting users have lost substantial amounts of cryptocurrency. For example, one Ethereum user suffered a loss of over $146,550 due to malicious transactions made possible through EIP-7702. With over 12,000 EIP-7702 transactions executed since its deployment, the potential for further exploitation remains a pressing concern. Wintermute asserts that enhanced transparency tools are vital to distinguishing between legitimate and harmful contracts, especially for less experienced users. Smart contracts play an essential role in the cryptocurrency landscape, offering automation and efficiency. However, the reliance on these contracts without proper verification can lead to devastating outcomes for users. CrimeEnjoyor serves as a critical countermeasure, notifying users of potentially harmful contracts. As Ethereum continues to evolve, the need for robust security measures alongside innovative features is more pressing than ever.

As the sophistication of threats increases, so does the imperative for user education. Many Ethereum users are unaware of the risks posed by EIP-7702 and similar innovations. Wintermute’s proactive approach highlights the need for continuous education and transparency within the community. By disseminating warnings and facilitating a better understanding of smart contracts, users can make informed decisions and avoid falling victim to scams. In light of the growing threats in the cryptocurrency space, especially regarding EIP-7702, Wintermute’s CrimeEnjoyor tool represents a significant step towards enhancing user security. As malicious actors become increasingly sophisticated, users must remain vigilant and informed. Embracing security innovations and educating oneself on blockchain mechanisms can substantially mitigate the risks involved in using Ethereum and other cryptocurrencies.