Quick overview

Live ETH/USD Chart

---

Pectra, Ethereum’s most recent network upgrade, brought strong new features to enhance scalability and smart account functionality.

However, it created a risky new attack vector that might enable hackers to take money from user wallets with just an on-chain signature.

Solidity smart contract auditor Arda Usman confirmed the security vulnerability to Cointelegraph.

Attackers can take control of externally owned accounts (EOAs) by taking advantage of a new transaction type in the Pectra upgrade, which went live on May 7 at epoch 364032, without the users signing on-chain transactions. It becomes possible for an attacker to drain an EOA’s funds using only an off-chain signed message (no direct on-chain transaction signed by the user).

EIP-7702 is a critical component of the Pectra upgrade and is at the center of the potential threat. By signing a message, users can grant control of their wallet to another contract through the SetCode transaction (type 0x04), which is outlined in the Ethereum Improvement Proposal.

If an attacker obtains this signature, perhaps through a phishing website, they can replace the wallet’s code with a small proxy that redirects calls to their malicious contract. In contrast, with Pectra, wallets cannot be altered without a transaction signed by the user.

These days, code that gives an attacker total control over a contract can be installed with a straightforward off-chain signature.