Ethereum News Today: EIP-7702’s Power Turned Weapon in Million-Dollar Phishing Scandal

A recent phishing attack exploiting Ethereum’s EIP-7702 mechanism has left an investor with a staggering $1.54 million loss, raising significant concerns about the security implications of the protocol upgrade. The attack, which involved a batch of malicious transactions disguised as routine Uniswap swaps, underscores the risks tied to the implementation of EIP-7702, a feature introduced as part of the May Pectra hard fork. The upgrade was designed to allow externally owned accounts (EOAs) to behave like temporary smart contracts, enabling users to batch multiple transactions into a single operation. However, it has also become a vector for exploitation by cybercriminals who have weaponized its capabilities to drain digital assets from unsuspecting users [1].

Security experts, including teams at Wintermute, had previously warned that EIP-7702 delegations were being exploited at scale, with over 90% of such delegations reportedly linked to malicious contracts. These contracts, often simple copy-paste scripts, scan for vulnerable wallets and automatically siphon assets upon approval. The phishing scam that drained $1.54 million involved a fake decentralized finance (DeFi) interface that mimicked legitimate platforms, tricking the victim into authorizing what appeared to be a routine transaction. In reality, the approval unlocked hidden transfers, allowing attackers to drain the wallet almost instantly [2].

The vulnerabilities introduced by EIP-7702 have been highlighted in multiple incidents. Earlier in the summer, another investor lost $1 million in tokens and NFTs through a similar scheme. In June, a separate victim lost $66,000. These cases demonstrate a growing trend in phishing attacks that leverage the new Ethereum standard. The common thread across these incidents is the use of deceptive interfaces designed to mimic trusted DeFi platforms. Once users approve the transaction, attackers gain access to the wallet’s contents, often without the user realizing the scope of the permissions granted [3].

Security researchers and anti-fraud services, including Scam Sniffer, have urged users to exercise heightened caution when approving batch transactions. Key red flags include requests for unlimited token approvals, contract upgrades under EIP-7702, and transaction simulations that do not align with expectations. Experts stress that the malicious nature of many EIP-7702 transactions lies in their ability to appear legitimate, making them particularly dangerous for inexperienced users. They recommend verifying domain names, avoiding rushed confirmations, and using only trusted platforms to mitigate the risk of falling victim to such scams [4].

The Ethereum Foundation has yet to implement specific countermeasures to address EIP-7702-related threats, despite ongoing concerns from the security community. Analysts have called for clearer guidelines on how users should handle batch transactions and for potential updates to wallet interfaces to highlight the risks more visibly. As the use of EIP-7702 continues to grow, so does the likelihood of more sophisticated attacks. The incident serves as a stark reminder of the evolving nature of crypto threats and the importance of user education in preventing large-scale losses.