According to BlockBeats, Wintermute has issued a warning regarding the misuse of the EIP-7702 feature in Ethereum's Pectra upgrade. This account abstraction improvement is reportedly being exploited, with over 80% of authorizations used for automated attacks. Blockchain security firm Scam Sniffer recently detected a phishing attack resulting in a loss of nearly $150,000 for a user. The attacker deployed a contract named 'CrimeEnjoyor' to automatically empty wallets with leaked private keys.

EIP-7702, proposed by Ethereum founder Vitalik Buterin, aims to enhance user experience by temporarily giving wallets smart contract capabilities. These include batching multiple transactions, sponsoring gas fees, using biometric or social verification, and setting per-transaction limits.

Wintermute's Dune dashboard indicates that the majority of EIP-7702 authorizations are directed towards malicious contracts with similar functions. Security expert Taylor Monahan highlighted that EIP-7702 makes it cheaper and easier to empty addresses. Wintermute commented that it is both absurd and brutal that the same copied bytecode occupies most of the EIP-7702 authorizations.

BlockBeats previously reported that SlowMist founder Yu Jian stated that the primary users of Ethereum's new EIP-7702 mechanism are coin-stealing groups rather than phishing organizations. EIP-7702 allows for the automatic transfer of funds from wallets with leaked private keys or mnemonic phrases, with over 97% of EIP-7702 delegations pointing to coin-stealing contracts.
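
A defender-side check for the delegation pattern described above, as an added example that is not from BlockBeats, Wintermute or any project named here. It reads account code as returned by `eth_getCode`, recognizes the EIP-7702 delegation designator (`0xef0100` followed by the 20-byte delegate address), and clusters delegates by bytecode so that copied contracts deployed at different addresses are counted together. The addresses, bytecode and flagged set are constructed placeholders, and SHA-256 is an assumed local fingerprint rather than the on-chain keccak256 code hash.

```python
import hashlib
from collections import Counter

PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation designator: 0xef0100 || 20-byte address

def delegate_of(code_hex):
    """Return the delegate address if the account code is a delegation designator, else None."""
    code = bytes.fromhex(code_hex.removeprefix("0x"))
    if len(code) == 23 and code.startswith(PREFIX):
        return "0x" + code[3:].hex()
    return None

def fingerprint(code_hex):
    """SHA-256 of runtime bytecode: a local clustering key, not the on-chain keccak256 codehash."""
    return hashlib.sha256(bytes.fromhex(code_hex.removeprefix("0x"))).hexdigest()

def audit(account_code, delegate_code, flagged):
    """Classify each account and count delegations per bytecode fingerprint."""
    findings, clusters = {}, Counter()
    for account, code_hex in account_code.items():
        delegate = delegate_of(code_hex)
        if delegate is None:
            findings[account] = "not-delegated"
            continue
        runtime = delegate_code.get(delegate)
        if runtime is None:
            findings[account] = "delegate-code-missing"
            continue
        fp = fingerprint(runtime)
        clusters[fp] += 1
        findings[account] = "flagged" if fp in flagged else "unreviewed"
    return findings, clusters

# Constructed sample data: placeholder addresses and bytecode, not real on-chain values.
COPIED = "0x6001600255"            # identical bytes deployed at two delegate addresses
OTHER = "0x600060005260206000f3"   # a different, unreviewed delegate
D1, D2, D3 = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
DELEGATE_CODE = {D1: COPIED, D2: COPIED, D3: OTHER}
ACCOUNT_CODE = {
    "0x" + "11" * 20: "0xef0100" + "aa" * 20,
    "0x" + "22" * 20: "0xef0100" + "bb" * 20,
    "0x" + "33" * 20: "0xef0100" + "cc" * 20,
    "0x" + "44" * 20: "0x",        # plain EOA with no code
}
FLAGGED = {fingerprint(COPIED)}    # fingerprints a reviewer has marked malicious

if __name__ == "__main__":
    findings, clusters = audit(ACCOUNT_CODE, DELEGATE_CODE, FLAGGED)
    for account, status in findings.items():
        print(account, status)
    print(clusters.most_common())
```

Matching on the bytecode fingerprint rather than on the delegate address is what lets one review decision cover every redeployment of the same copied contract.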