• Ethereum’s Pectra upgrade lets an account hand over control of itself via an offchain signature, exposing users to stealthy drain attacks.

  • Transaction type 0x04 lets an attacker point a victim's account at attacker-controlled proxy code once the victim signs a phishing authorization; the victim never has to send or approve an onchain transaction.

  • Hardware wallets now face risk from EIP-7702; a single malicious authorization signature can expose the funds the device was meant to protect.

Ethereum's Pectra upgrade has triggered serious security concerns following the activation of a new transaction type. Launched on May 7, 2025 at epoch 364032, the upgrade introduced several features intended to improve scalability and the utility of smart accounts.

However, it also opened a path for attackers to drain user wallets with nothing more than an offchain signature from the victim. The upgrade includes Ethereum Improvement Proposal 7702, which lets an externally owned account (EOA) delegate control of itself to a contract by signing an authorization offchain. That authorization still has to be included in an onchain transaction before it takes effect, but anyone can submit that transaction, so the victim never has to approve or pay for one.

New Transaction Type Increases Attack Risk

The key risk lies in transaction type 0x04, also known as the SetCode transaction. It carries a list of signed authorizations, each of which sets the code of an externally owned account to a delegation pointer (the bytes 0xef0100 followed by a contract address), after which the account executes that contract's code as if it were its own. The account owner produces the authorization by signing a message; a type 0x04 transaction signed by anyone, including a third party, then installs it.

If a malicious actor obtains such a signature, for example through a phishing site or a deceptive dApp, they can submit it themselves and point the wallet at a proxy contract under their control. That proxy can then move the account's assets without the user ever sending a transaction, and the delegation stays in place until the account signs a new authorization replacing it.

According to Arda Usman, a Solidity contract auditor, this delegation exposes wallets to unauthorized access. Once a wallet's code is replaced, the attacker can execute operations that move ETH or tokens. The entire process is executed without a standard transaction, making it harder for users to detect any suspicious activity.

Security Experts Warn About Expanded Vulnerabilities

Yehor Rudytsia, an onchain researcher with Hacken, emphasized that wallets can now behave like programmable smart contracts. This transformation is triggered only by an offchain signature. He stated that prior to the upgrade, such modifications required direct user authorization through a transaction. Post-upgrade, attackers can install arbitrary code once the user unknowingly signs a message.

Rudytsia further warned that wallets not updated to recognize this new transaction type remain especially vulnerable. Many current wallet engines do not adequately flag these delegation messages. He suggested that wallet interfaces should display clearer warnings and analyze the signed content carefully.

An EIP-7702 authorization is not an EIP-191 personal_sign message or an EIP-712 typed-data payload. It is a signature over keccak256(0x05 || rlp([chain_id, address, nonce])), where address is the contract the account will delegate to and chain_id may be 0 to make the authorization valid on every chain. Wallet software that only inspects the familiar message formats, or that will sign an arbitrary 32-byte hash on request, gives the user no indication that they are signing away control of the account, so these requests often pass through without triggering the usual warnings.
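The following is an added example in Python, not code from the article or from either researcher quoted above. It shows the mechanics behind the SetCode transaction and the wallet-side check just described: how an EIP-7702 authorization preimage is built from the format the EIP specifies (the 0x05 magic byte followed by rlp([chain_id, address, nonce])), how a wallet can recognise such a request before signing it, how a monitoring tool can tell that an EOA's code is a delegation indicator (0xef0100 followed by the delegate address), and how to pull the authorization list out of a raw type 0x04 transaction. The RLP helpers are written inline so the block runs offline; the delegate address and nonce are constructed sample values, and keccak256 hashing and secp256k1 signing or recovery are deliberately left out.

```python
# Added example: recognising EIP-7702 delegation authorizations and SetCode
# (type 0x04) transactions. Facts taken from EIP-7702:
#   authorization tuple = [chain_id, address, nonce]
#   signed preimage     = 0x05 || rlp(authorization tuple)  (the signed digest is keccak256 of it)
#   delegated EOA code  = 0xef0100 || 20-byte delegate address
#   tx payload          = 0x04 || rlp([chain_id, nonce, max_priority_fee, max_fee, gas,
#                         to, value, data, access_list, authorization_list, y_parity, r, s])
# All addresses and nonces below are constructed sample data, not real accounts.

MAGIC_7702 = b"\x05"
SET_CODE_TX_TYPE = b"\x04"
DELEGATION_PREFIX = bytes.fromhex("ef0100")


def _rlp_len(n, offset):
    """Length prefix for an RLP string (offset 0x80) or list (offset 0xC0)."""
    if n < 56:
        return bytes([offset + n])
    be = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(be)]) + be


def rlp_encode(item):
    """RLP-encode bytes, a non-negative int (big-endian, no leading zeros) or a list."""
    if isinstance(item, int):
        item = b"" if item == 0 else item.to_bytes((item.bit_length() + 7) // 8, "big")
    if isinstance(item, (bytes, bytearray)):
        if len(item) == 1 and item[0] < 0x80:
            return bytes(item)
        return _rlp_len(len(item), 0x80) + bytes(item)
    payload = b"".join(rlp_encode(x) for x in item)
    return _rlp_len(len(payload), 0xC0) + payload


def rlp_decode(data, pos=0):
    """Decode one RLP item at data[pos]; returns (item, next position).
    Strings come back as bytes, lists as (possibly nested) Python lists."""
    b = data[pos]
    if b < 0x80:                          # single byte, encodes itself
        return data[pos:pos + 1], pos + 1
    if b < 0xF8:                          # short string/list, or long string
        is_list = b >= 0xC0
        n = b - (0xC0 if is_list else 0x80)
        if n > 55:                        # long string: 0xB8..0xBF carries a length-of-length
            ln = n - 55
            n = int.from_bytes(data[pos + 1:pos + 1 + ln], "big")
            pos += ln
        start = pos + 1
    else:                                 # long list: 0xF8..0xFF
        ln = b - 0xF7
        n = int.from_bytes(data[pos + 1:pos + 1 + ln], "big")
        is_list, start = True, pos + 1 + ln
    end = start + n
    if end > len(data):
        raise ValueError("truncated RLP item")
    if not is_list:
        return data[start:end], end
    items, cur = [], start
    while cur < end:
        item, cur = rlp_decode(data, cur)
        items.append(item)
    if cur != end:
        raise ValueError("malformed RLP list")
    return items, end


def authorization_preimage(chain_id, delegate, nonce):
    """Bytes whose keccak256 the EOA owner signs to delegate to `delegate` (0x-hex address).
    chain_id 0 makes the authorization valid on every chain."""
    return MAGIC_7702 + rlp_encode([chain_id, bytes.fromhex(delegate[2:]), nonce])


def classify_signing_request(preimage):
    """Wallet-side check: what does this hash-and-sign request actually authorise?"""
    if preimage[:1] == MAGIC_7702:
        try:
            items, end = rlp_decode(preimage, 1)
        except (IndexError, ValueError):
            return {"kind": "malformed_eip7702_authorization"}
        if (isinstance(items, list) and len(items) == 3
                and len(items[1]) == 20 and end == len(preimage)):
            return {"kind": "eip7702_authorization",
                    "chain_id": int.from_bytes(items[0], "big"),
                    "delegate": "0x" + items[1].hex(),
                    "nonce": int.from_bytes(items[2], "big")}
        return {"kind": "malformed_eip7702_authorization"}
    if preimage[:1] == b"\x19":           # EIP-191 personal_sign and EIP-712 (0x19 0x01)
        return {"kind": "eip191_message"}
    if preimage[:1] == SET_CODE_TX_TYPE:
        return {"kind": "set_code_transaction"}
    return {"kind": "other"}


def delegation_target(code):
    """Given an account's code, return the delegate address if the EOA is delegated, else None."""
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None


def set_code_authorizations(raw_tx):
    """(chain_id, delegate, nonce) for every entry in a type-0x04 transaction's authorization_list."""
    if raw_tx[:1] != SET_CODE_TX_TYPE:
        raise ValueError("not a SetCode (0x04) transaction")
    fields, _ = rlp_decode(raw_tx, 1)
    return [(int.from_bytes(a[0], "big"), "0x" + a[1].hex(), int.from_bytes(a[2], "big"))
            for a in fields[9]]           # authorization_list is the tenth field


if __name__ == "__main__":
    PROXY = "0x" + "ab" * 20              # constructed sample: attacker-controlled contract
    pre = authorization_preimage(1, PROXY, 7)
    print("signing request:", classify_signing_request(pre))
    print("account code points at:", delegation_target(DELEGATION_PREFIX + bytes.fromhex(PROXY[2:])))
```

A wallet that receives raw bytes to hash and sign can run classify_signing_request before showing the prompt and refuse, or at least display the delegate address and chain_id, whenever it sees the eip7702_authorization kind. For incident response, delegation_target run over an account's current code answers the first question after a suspected compromise (where does this EOA's code now point?), and set_code_authorizations over a captured type 0x04 transaction shows which accounts a relayer was trying to delegate and to what.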

Increased Exposure for Hardware Wallets

The update also affects hardware wallets, which were previously considered more secure. Rudytsia noted that these wallets now face similar risks as hot wallets. If a user signs a malicious message using a hardware wallet, their funds can be instantly compromised.

He added that users must remain cautious about what they agree to sign, particularly if the message includes their account nonce, a clear sign that it may affect account control.

The Pectra upgrade includes other technical improvements, such as EIP-7251, which raises the maximum effective balance of a single validator from 32 ETH to 2,048 ETH, and EIP-7691, which increases blob throughput to improve Layer-2 scalability.

Despite these advancements, the introduction of offchain delegation has shifted the security landscape significantly. Developers and users must now adapt quickly to mitigate the new threats posed by this upgrade.