Hackers are leveraging the EIP-7702 exploit to drain WLFI token wallets, as highlighted by Yu Xian, founder of SlowMist. The EIP-7702 upgrade, introduced with Ethereum’s Pectra update in May, allows externally owned accounts (EOAs) to behave like smart contract wallets, enabling features such as batch transactions and delegated execution. However, this functionality has been abused by cybercriminals to pre-embed malicious contracts in victim wallets. Once a user deposits tokens, the hacker quickly seizes the assets, typically affecting WLFI tokenholders who have experienced private key leaks [1].
World Liberty Financial (WLFI), a token backed by Donald Trump, launched with a total supply of 24.66 billion tokens. The attack mechanism involves phishing or social engineering to obtain private keys, followed by the pre-planting of a malicious smart contract that takes control of the user’s tokens as soon as they are deposited. Xian noted that this method has already been used to steal WLFI tokens from multiple wallet addresses, emphasizing the importance of securing private keys and avoiding suspicious links or communications [1].
In a reported incident on August 31, a user attempted to transfer Ether into their wallet, only to have their WLFI tokens stolen shortly after. Xian confirmed this as a classic EIP-7702 phishing exploit, where the attacker had already embedded the malicious contract in the wallet address. He explained that any attempt to transfer remaining tokens—such as those stored in a Lockbox contract—would trigger an automatic transfer of gas fees to the attacker, further complicating recovery [1].
WLFI forums have seen growing concern among users who have experienced similar thefts. One user, under the handle hakanemiratlas, shared that they managed to transfer only 20% of their WLFI tokens to a new wallet, with the remaining 80% still at risk. The user described the urgency of the situation, noting that even the transfer of ETH for gas fees felt dangerous, as it could also be intercepted. Another user, Anton, highlighted that many users are at risk due to the implementation of the WLFI token drop, which requires the same wallet for both the whitelist and the presale [1].
Scammers have also taken advantage of the WLFI token launch by creating bundled clone smart contracts that mimic legitimate projects. The WLFI team has issued warnings to users, emphasizing that they do not communicate via direct messages and that all official support is conducted through email. Users are advised to verify the authenticity of any communication before responding, as phishing attempts are increasingly sophisticated [1].
EIP-7702, while designed to improve user experience by allowing EOAs to mimic smart contract wallets, has inadvertently created a vector for abuse. The ability to delegate execution rights and perform batch transactions is now being weaponized to automate token sweeps before users can take protective measures. Xian recommended canceling or replacing compromised EIP-7702 delegates and moving tokens from affected wallets to mitigate the risk. As WLFI continues to gain attention, the security landscape remains challenging, with users urged to remain vigilant against evolving threats [1].
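To act on the recommendation above, a holder first has to know whether a wallet carries a delegation at all. The sketch below is an added example, not code from the article or from SlowMist: it classifies the result of an `eth_getCode` call using the EIP-7702 delegation indicator (`0xef0100` followed by the 20-byte delegate address) and flags delegates that are not on the caller's allowlist. All addresses and responses are constructed placeholders, and the function names are assumptions.

```python
# Added example: constructed data, not from the article or from SlowMist.
DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation indicator prefix


def get_code_request(address, request_id=1):
    """JSON-RPC body for eth_getCode; send it to a node you trust."""
    return {"jsonrpc": "2.0", "id": request_id,
            "method": "eth_getCode", "params": [address, "latest"]}


def classify_code(code_hex):
    """Return (kind, delegate) for an eth_getCode result string."""
    raw = bytes.fromhex(code_hex[2:] if code_hex.startswith("0x") else code_hex)
    if not raw:
        return "eoa", None                        # plain key-controlled account
    if len(raw) == 23 and raw.startswith(DELEGATION_PREFIX):
        return "delegated", "0x" + raw[3:].hex()  # 0xef0100 || 20-byte address
    return "contract", None                       # ordinary deployed bytecode


def audit(accounts, trusted_delegates=()):
    """List accounts whose delegate is not on the caller's allowlist."""
    trusted = {d.lower() for d in trusted_delegates}
    findings = []
    for address, code_hex in accounts.items():
        kind, delegate = classify_code(code_hex)
        if kind == "delegated" and delegate not in trusted:
            findings.append({"account": address, "delegate": delegate})
    return findings


# Constructed sample responses (placeholder addresses, not real wallets).
WALLET_DELEGATE = "0x" + "aa" * 20   # hypothetical delegate the user chose
UNKNOWN_DELEGATE = "0x" + "bb" * 20  # hypothetical delegate nobody recognises
SAMPLE = {
    "0x" + "11" * 20: "0x",                       # no code: ordinary EOA
    "0x" + "22" * 20: "0xef0100" + "aa" * 20,     # delegated, allowlisted
    "0x" + "33" * 20: "0xef0100" + "bb" * 20,     # delegated, unexpected
    "0x" + "44" * 20: "0x6080604052",             # regular contract bytecode
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, trusted_delegates=[WALLET_DELEGATE]):
        print("unexpected delegate", finding)
```

A flagged account has signed a delegation its owner does not recognise, which is the state the article describes; the delegate should be cancelled or replaced and the tokens moved, as Xian recommends.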
Source: [1] Hackers are using the 'classic EIP-7702' exploit to snatch ... (https://cointelegraph.com/news/wlfi-token-holders-falling-prey-classic-wallet-exploit)
