👀👀Ethereum Pectra Update Allows Hackers to Drain Wallets with Just an Offchain Signature 😱😱😱😡
The latest Ethereum update introduces offchain wallet delegation through EIP-7702, allowing attackers to drain funds using only a signed message.
Ethereum's latest network update, Pectra, introduced powerful new features aimed at improving scalability and smart account functionality, but it also opened a dangerous new attack vector that could allow hackers to empty user wallets using just an offchain signature.
With the Pectra update, which was activated on May 7 at epoch 364032, attackers can exploit a new type of transaction to take control of externally owned accounts (EOAs) without requiring the user to sign an onchain transaction.
Arda Usman, smart contract auditor at Solidity, confirmed to Cointelegraph that "it is possible for an attacker to empty the funds of an EOA using only a signed offchain message (without an onchain transaction signed directly by the user)."
At the heart of the risk is EIP-7702, a key component of the Pectra update. The Ethereum Improvement Proposal (EIP) introduces the SetCode transaction (type 0x04), which allows users to delegate control of their wallet to another contract simply by signing a message.
If an attacker obtains this signature, for example, through a phishing site, they can overwrite the wallet code with a small proxy that redirects calls to their malicious contract.
"Once the code is set," Usman explained, "the attacker can invoke that code to transfer ETH or tokens from the account, all without the user ever signing a normal transfer transaction."
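A wallet-side sketch of the two defensive checks this mechanism implies, added here as an example and not taken from the article or from any wallet's code: recognizing an EIP-7702 authorization before it is signed, and spotting an account whose code has already been replaced by a delegation. It assumes the wallet can see the raw bytes it is asked to sign and that a hypothetical allowlist of vetted delegate contracts exists; all function names are illustrative.

```javascript
// Added example: constants are from the EIP-7702 spec; names and policy are illustrative.
const AUTH_MAGIC = 0x05;            // first byte of the signed authorization preimage
const DELEGATION_PREFIX = "ef0100"; // delegated account code = 0xef0100 || address
const strip = (hex) => hex.toLowerCase().replace(/^0x/, "");

// Classify an eth_getCode result: plain EOA, 7702-delegated EOA, or contract.
function classifyCode(codeHex) {
  const code = strip(codeHex);
  if (code.length === 0) return { kind: "eoa" };
  const delegated = code.length === 46 && code.startsWith(DELEGATION_PREFIX);
  return delegated ? { kind: "delegated", target: "0x" + code.slice(6) } : { kind: "contract" };
}

// Read one RLP string item; every field here is shorter than 56 bytes.
function readItem(buf, pos) {
  const b = buf[pos];
  if (b === undefined || b > 0xb7) throw new Error("bad RLP item");
  if (b < 0x80) return { bytes: buf.subarray(pos, pos + 1), next: pos + 1 };
  const end = pos + 1 + (b - 0x80);
  if (end > buf.length) throw new Error("truncated RLP item");
  return { bytes: buf.subarray(pos + 1, end), next: end };
}

// Parse 0x05 || rlp([chain_id, address, nonce]). Returns null for anything else.
function parseAuthorization(preimageHex) {
  try {
    const buf = Buffer.from(strip(preimageHex), "hex");
    if (buf[0] !== AUTH_MAGIC) return null;
    const long = buf[1] === 0xf8;                 // list payload of 56..255 bytes
    if (!long && !(buf[1] >= 0xc0 && buf[1] <= 0xf7)) return null;
    let pos = long ? 3 : 2;
    if (pos + (long ? buf[2] : buf[1] - 0xc0) !== buf.length) return null;
    const fields = [];
    while (pos < buf.length) { const it = readItem(buf, pos); fields.push(it.bytes); pos = it.next; }
    if (fields.length !== 3 || fields[1].length !== 20) return null;
    const toInt = (b) => BigInt("0x" + (b.toString("hex") || "0"));
    return { chainId: toInt(fields[0]), delegate: "0x" + fields[1].toString("hex"), nonce: toInt(fields[2]) };
  } catch { return null; }
}

// Wallet-side policy: refuse unknown delegates and chain-agnostic authorizations.
// Allowlist entries are expected as lowercase 0x-prefixed addresses.
function reviewSigningRequest(preimageHex, allowlist) {
  const auth = parseAuthorization(preimageHex);
  if (!auth) return { is7702: false, reasons: [] };
  const reasons = [];
  if (!allowlist.includes(auth.delegate)) reasons.push("delegate not allowlisted");
  if (auth.chainId === 0n) reasons.push("chain_id 0 is valid on every chain");
  return { is7702: true, auth, reasons };
}
```

A non-empty `reasons` array is the signal to block or escalate the prompt; `classifyCode` can be run over monitored addresses to find accounts that already point at an unexpected delegate.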