Wintermute warns Pectra upgrade leaves Ethereum users at risk of automated attacks
Quick Take
- An update included in Ethereum’s recent “Pectra” upgrade, intended to improve ease-of-use for users, has mostly been used by automated “sweeper” attacks to drain unsuspecting wallets, according to an analysis by Wintermute.
- Over 80% of EIP-7702 delegations, one function introduced in the upgrade, were devoted to a single malicious script, Wintermute found.
- One user lost nearly $150,000 to a phishing attack enabled by the script, according to blockchain security firm Scam Sniffer.
A recent Ethereum upgrade has mostly been used by malicious attackers seeking to drain wallets, according to an analysis by crypto trading firm Wintermute.
EIP-7702, an account-abstraction upgrade included in Ethereum's recent "Pectra" hard fork, is designed to improve ease of user experience by allowing wallets to temporarily behave like smart contracts, batching multiple actions, sponsoring gas fees, using passkey or social-authentication, or implementing spending limits in a single transaction. EIP-7702 was initially proposed and championed by Ethereum co-founder Vitalik Buterin.
However, over 80% of EIP-7702 delegations were authorized to multiple contracts with copy-pasted versions of the same basic code, which automatically "sweeps" wallets with leaked keys and sends the contents to the attacker who deployed the contract, according to Wintermute's Dune dashboard. Wintermute nicknamed the contract "CrimeEnjoyor."
"The CrimeEnjoyor contract is short, simple, and widely reused," Wintermute wrote on X. "This one copy-pasted bytecode now accounts for the majority of all EIP-7702 delegations. It’s funny, bleak, and fascinating at the same time."
Blockchain security firm Scam Sniffer recently identified a wallet that lost nearly $150,000 through a malicious batched transaction with links to the Inferno Drainer scam-as-a-service, a longtime nuisance in the crypto security space.
Security firm SlowMist also detailed the risks of EIP-7702 adoption in a recent analysis. "Wallet service providers should quickly support EIP-7702 transactions and, when users sign delegations, should prominently display the target contract to reduce the risk of phishing attacks," SlowMist wrote.
"As we predicted, the phishing gangs have caught up," wrote SlowMist founder Yu Xian on X. "Everyone should be vigilant, be careful that the assets in your wallet will be taken away."
Though EIP-7702 introduces a new way for automated attacks, security expert Taylor Monahan said the key issue was the underlying compromise of users' private keys.
"It's not actually a 7702 issue, its the same issue crypto has had since day one: end users struggle to secure their private keys," Monahan told the Block. "7702 just unlocks a bunch of cool abilities that make sweeping addresses more cost efficient and less tedious."
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.
© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
