Frustration of Account Security: How the Pectra Update Became a Boon for Hackers

Disclaimer: For a comprehensive understanding of the technological aspects discussed in this article, the editorial team recommends exploring the site's materials on account abstraction and the Pectra upgrade.

In addition to providing a boost for the Ethereum price, the May Pectra upgrade also introduced enhanced functionality and improvements to the ecosystem. In particular, it extended account abstraction (AA) with a new transaction type that allows standard addresses to operate like smart contract wallets.

While these innovations have broadened the applications of AA and simplified user experience, they have also exposed users to vulnerabilities, allowing hackers to drain victims’ wallets with just one signature. In this article, we discuss the new vulnerabilities exploited by criminals and how to secure your assets.

The risks associated with the account abstraction feature were highlighted prior to the Pectra activation on the mainnet. Initially, the upgrade included EIP-3074, which aimed to “delegate control over EOA to a smart contract.” However, it was ultimately rejected in favor of a seemingly safer option, EIP-7702, proposed by Vitalik Buterin.

Critics of EIP-3074 raised concerns about transferring nearly total control over a user’s wallet to the smart contract with delegated access, enabling attackers to deplete a user’s balance using a single signature.

Traditional EOAs require approval for every transaction even after a wallet has been connected to a protocol: on a DEX, for instance, every trading action must be signed manually. EIP-3074 aimed to eliminate this need with the AUTH and AUTHCALL opcodes, which also makes accounts more susceptible to malicious protocols.

The rejected proposal would have transferred control over an external address to a smart contract; its successor, EIP-7702, instead places the smart contract code into the EOA itself. This initiative introduced a new type of transaction called user_operation and also featured authorization revocation and compatibility with future updates of AA.

Nevertheless, even Buterin acknowledged severe shortcomings in the technology, including trust and centralization risks:

“It seems that any proposal suggesting EIP-3074 use cases through ‘privilege de-escalation’ (also known as additional keys) will encounter similar issues.”

He was right: migrating the code to the account level did not stop phishing attacks; rather, in some sense, it made them easier.

The capabilities of smart accounts enable complex actions within a single transaction, support spending limits, automate payments, and allow gas fees to be paid in the native token instead of ETH. But what if hackers devise a protocol that simply transfers all your funds to their wallet with just one signature?

According to a dashboard from Dune by Wintermute, since the activation of Pectra on May 7, the number of EOA delegations to smart contracts has surpassed 140,000. Leading platforms by authorizations include WhiteBIT, OKX Wallet, and MetaMask.

The total number of smart contracts that have received delegation rights stands at 218.

On May 20, GoPlus Security analysts reported one of the first phishing incidents involving AA. Experts examined a suspicious smart contract and found that signing an authorization for it instantly triggered the automatic transfer of assets from the victim’s wallet to the attacker’s address.
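The delegation mechanism described above (EIP-7702 places contract code into the EOA; signing a delegation to a malicious contract hands it control of the account) can be checked from the defender's side by reading an account's bytecode. The following added example is not code from the article, GoPlus or any wallet vendor; it assumes the EIP-7702 delegation designator format (the 3-byte prefix 0xef0100 followed by the 20-byte delegate address) and uses constructed placeholder addresses and bytecode.

```python
# Added example: flag EIP-7702 delegations to contracts outside an allowlist.
# Assumption from EIP-7702: a delegated EOA's code is exactly
# 0xef0100 || <20-byte delegate address>; revoking (delegating to the zero
# address) clears the code back to empty, so a plain EOA has no code at all.
from typing import Optional

DELEGATION_PREFIX = bytes.fromhex("ef0100")
DESIGNATOR_LEN = 3 + 20


def parse_delegation(code: bytes) -> Optional[str]:
    """Return the delegate address (lowercase hex) if code is a 7702 designator, else None."""
    if len(code) != DESIGNATOR_LEN or code[:3] != DELEGATION_PREFIX:
        return None
    return "0x" + code[3:].hex()


def classify_account(code: bytes, allowlist: set[str]) -> str:
    """Classify by bytecode: eoa, contract, delegated-trusted or delegated-unknown."""
    if not code:
        return "eoa"                      # no code: ordinary, non-delegated EOA
    target = parse_delegation(code)
    if target is None:
        return "contract"                 # arbitrary bytecode, a regular contract
    trusted = {a.lower() for a in allowlist}
    return "delegated-trusted" if target in trusted else "delegated-unknown"


def audit(accounts: dict[str, bytes], allowlist: set[str]) -> list[tuple[str, str, str]]:
    """Return (account, classification, delegate) for accounts delegated to an untrusted contract."""
    findings = []
    for acct, code in accounts.items():
        if classify_account(code, allowlist) == "delegated-unknown":
            findings.append((acct, "delegated-unknown", parse_delegation(code)))
    return findings


# Constructed sample data: placeholder delegate addresses, not real contracts.
TRUSTED_DELEGATE = "0x" + "11" * 20   # e.g. a wallet vendor's audited delegate
UNKNOWN_DELEGATE = "0x" + "aa" * 20   # never seen before: treat as suspicious
SAMPLE_ACCOUNTS = {
    "acct_alice": DELEGATION_PREFIX + bytes.fromhex(TRUSTED_DELEGATE[2:]),
    "acct_bob":   DELEGATION_PREFIX + bytes.fromhex(UNKNOWN_DELEGATE[2:]),
    "acct_carol": b"",                                # plain EOA, nothing delegated
    "acct_dave":  DELEGATION_PREFIX + b"\x00" * 5,    # wrong length: not a designator
}

if __name__ == "__main__":
    for acct, kind, target in audit(SAMPLE_ACCOUNTS, {TRUSTED_DELEGATE}):
        print(f"{acct}: {kind} -> {target}")
```

In practice the `code` bytes would come from an `eth_getCode` call against the account being checked, and the allowlist from the delegate contracts a wallet explicitly trusts.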

On-chain data revealed that the smart contract received approximately 300 authorizations.

“This sophisticated theft mechanism exploits users’ trust in the new EIP-7702,” GoPlus noted.

The Wintermute dashboard also categorizes the contracts receiving delegations. Currently, around 72.8% fall under “crimes,” with the second-largest category (15%) related to retail wallets, and a third category (9%) pertaining to “services.”

On May 24, ScamSniffer analysts reported a victim of AA phishing, who lost about $146,000 in cryptocurrencies due to “malicious batch transactions.”

Concurrently, a Web3 researcher discovered that the hacker group AngelFerno had incorporated EIP-7702 support into a drain tool. This malware allows them to simultaneously withdraw up to ten different coins with a single signature across Ethereum, BNB Chain, and Gnosis networks.

So far, there are no universal strategies for combating cybercriminals when transitioning to a smart wallet, just as there are none for traditional phishing on the blockchain. However, all cybersecurity experts agree that vigilance is crucial.

Possible recommendations:

GoPlus Security also noted that leading wallets like MetaMask have already added warnings regarding risks associated with EIP-7702. When interacting with a suspicious protocol, the application will display a corresponding notification.

As users increasingly adopt enhanced wallet features, cybercriminals are discovering new avenues for profit. However, this doesn’t imply a failure for EIP-7702 — the innovation still possesses strong advantages and benefits, such as improved UX.

Interacting with the blockchain has always been closely tied to personal responsibility for safeguarding one’s assets, but account abstraction demands even greater attention than before. Stay aware of the risks and follow basic cybersecurity practices if you wish to transform your wallet into a smart contract.