Ethereum's Pectra Upgrade Opens New Attack Vector for Wallet Hackers

Ethereum’s latest network upgrade, Pectra, introduced powerful new features aimed at improving scalability and smart account functionality. However, it also opened a dangerous new attack vector that could allow hackers to drain funds from user wallets using only an offchain signature. The upgrade, which went live on May 7 at epoch 364032, enables attackers to exploit a new transaction type to take control of externally owned accounts (EOAs) without requiring the user to sign an onchain transaction.
At the center of the risk is EIP-7702, a core component of the Pectra upgrade. The Ethereum Improvement Proposal introduces the SetCode transaction (type 0x04), which enables users to delegate control of their wallet to another contract simply by signing a message. If an attacker obtains this signature, they can overwrite the wallet’s code with a small proxy that forwards calls to their malicious contract. Once the code is set, the attacker can invoke that code to transfer out the account’s ETH or tokens—all without the user ever signing a normal transfer transaction.
This new transaction type introduced by Pectra allows arbitrary code to be installed on the user’s account, essentially turning their wallet into a programmable smart contract. Before Pectra, wallets could not be modified without a transaction signed directly by the user. Now, a simple offchain signature can install code that delegates complete control to an attacker’s contract. The threat is real and immediate, as any valid delegation signature is actionable from the moment Pectra was activated.
Wallets and interfaces that fail to detect or properly represent these new transaction types are most at risk. Wallet engines must clearly display delegation requests and flag any suspicious addresses. This new form of attack can be easily executed through common offchain interactions like phishing emails, fake DApps, or Discord scams. Users have to carefully validate what they are going to sign to avoid falling victim to these attacks.
Hardware wallets are no longer inherently safer. They are at the same risk as hot wallets from the perspective of signing malicious messages. Users should not sign messages they do not understand, and wallet developers should provide clear warnings when users are asked to sign a delegation message. Special caution should be taken with new delegation signature formats introduced by EIP-7702, which are not compatible with existing standards and may bypass normal wallet warnings.
EIP-7702 allows for signatures with chain_id = 0, meaning the signed message can be replayed on any Ethereum-compatible chain. This adds to the risk, as users must be aware that their signatures can be used anywhere. While multisignature wallets remain more secure under this upgrade, single-key wallets must adopt new signature parsing and red-flagging tools to prevent potential exploitation.
Alongside EIP-7702, Pectra also included EIP-7251, which raised Ethereum’s validator staking limit from 32 to 2,048 ETH, and EIP-7691, which increases the number of data blobs per block for better layer-2 scalability. These changes aim to enhance the network's performance and scalability, but they also introduce new security challenges that users and developers must navigate carefully.

Comments
No comments yet