
Pectra lets hackers drain wallets with just an offchain signature

Ethereum's latest network upgrade, Pectra, introduces powerful new features aimed at improving scalability and smart-account functionality, but it also opens a dangerous new attack vector that could let attackers drain funds from user wallets using only an offchain signature.

Under the Pectra upgrade, which went live on May 7 at epoch 364032, attackers can use a new transaction type to take control of externally owned accounts (EOAs) without requiring the user to sign an onchain transaction.

Arda Usman, a Solidity smart contract auditor, confirmed to Cointelegraph that “it becomes possible for an attacker to empty the funds of an EOA using only a message signed off-chain (no direct onchain transaction signed by the user).”

At the center of the risk is EIP-7702, a core component of the Pectra upgrade. The Ethereum Improvement Proposal introduces the SetCode transaction (type 0x04), which lets users delegate their wallet to another contract simply by signing a message.

If an attacker obtains this signature, say via a phishing site, they can overwrite the wallet's code with a small proxy that forwards calls to their malicious contract.

“Once the code is set,” Usman said, “the attacker can invoke this code to transfer the account's ETH or tokens, all without the user signing a normal transfer transaction.”


Wallets can be modified with an offchain signature

Yehor Rudytsia, onchain researcher at Hacken, noted that this new transaction type introduced by Pectra allows arbitrary code to be installed on a user's account, essentially turning their wallet into a programmable smart contract.

“This tx type allows the user to set arbitrary code (a smart contract) to be able to perform operations on the user's behalf,” Rudytsia said.

Before Pectra, wallets could not be modified without a transaction signed directly by the user. Now, a simple offchain signature can install code that delegates full control to an attacker's contract.

“Pre-Pectra, users had to send a transaction (not sign a message) to allow their funds to be moved … Post-Pectra, any operation can be executed from the contract that the user has approved via set_code,” Rudytsia said.

The threat is real and immediate. “Pectra activated on May 7, 2025. From that moment, any valid delegation signature is usable,” Usman warned. He added that smart contracts built on outdated assumptions, such as the use of tx.origin or basic EOA checks, are particularly vulnerable.

Wallets and interfaces that do not detect or properly display these new transaction types are most at risk. Rudytsia warned that “wallets are vulnerable if they do not parse the Ethereum transaction types,” in particular transaction type 0x04.

He stressed that wallet engines should clearly display delegation requests and flag any suspicious addresses.

This new form of attack can be executed easily through common social-engineering vectors such as phishing emails, fake dApps or Discord scams.

“We believe it will be the most popular attack vector among the breaking changes introduced by Pectra,” Rudytsia said. “From now on, users must carefully validate what they are about to sign.”


Hardware wallets are no longer safe

Hardware wallets are no longer inherently safer, Rudytsia said. He added that hardware wallets are now at the same risk as hot wallets when it comes to signing malicious messages. “If that happens, all the funds are gone in a moment.”

There are ways to stay safe, but they require awareness. “Users should not sign messages they don't understand,” Rudytsia said. He also urged wallet developers to provide clear warnings when users are asked to sign a delegation message.

Special care is needed with the new delegation signature formats introduced by EIP-7702, which are not compatible with the existing EIP-191 or EIP-712 standards. These messages often appear as plain 32-byte hashes and can bypass normal wallet warnings.

“If a message includes your account nonce, it probably affects your account directly,” Usman warned. “Normal login messages or offchain commitments generally do not involve your nonce.”

Adding to the risk, EIP-7702 allows signatures with chain_id = 0, which means the signed message can be replayed on any Ethereum-compatible chain. “Understand that it can be used anywhere,” Usman said.
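The two checks the article asks for, a wallet screening a decoded EIP-7702 authorization (chain_id = 0, nonce tied to the account, unknown delegation target) and a contract or backend recognising a delegated EOA instead of relying on tx.origin or a "no code" check, as an added example that is not the wallets' or the researchers' own code. The authorization field layout and the 0xef0100 delegation prefix follow EIP-7702; the screening rules, the trusted-address list and the sample values are constructed assumptions.

```python
# Added example (not from the article): wallet-side screening of an EIP-7702
# authorization request, plus detection of a delegated EOA from its code bytes.
# Tuple fields (chain_id, address, nonce) and the 0xef0100 prefix follow
# EIP-7702; the warning rules and sample values below are constructed.
from dataclasses import dataclass

SET_CODE_TX_TYPE = 0x04                        # transaction type added by EIP-7702
DELEGATION_PREFIX = bytes.fromhex("ef0100")    # delegated EOA code: 0xef0100 || address


@dataclass
class Authorization:
    chain_id: int   # 0 means "valid on every chain", i.e. replayable
    address: str    # contract the account would delegate its code to
    nonce: int      # must equal the signer's current account nonce to be valid


def screen_authorization(auth, account_nonce, current_chain_id, trusted):
    """Return the warnings a wallet should show before letting the user sign.

    An empty list means none of the constructed red flags fired; it is not a
    guarantee that the delegation is safe.
    """
    warnings = []
    if auth.chain_id == 0:
        warnings.append("chain_id=0: this delegation can be replayed on any EVM chain")
    elif auth.chain_id != current_chain_id:
        warnings.append(f"chain_id={auth.chain_id} differs from the connected chain")
    if auth.nonce == account_nonce:
        # A nonce matching the account is what makes the authorization usable now.
        warnings.append("nonce matches your account: this request changes your account directly")
    if auth.address.lower() not in {a.lower() for a in trusted}:
        warnings.append(f"delegation target {auth.address} is not a known wallet implementation")
    return warnings


def delegate_of(code):
    """Return the delegate address if `code` is an EIP-7702 delegation designator.

    Contracts that assume "no code => plain EOA" miss this case; a delegated
    account has exactly 23 bytes of code and forwards execution elsewhere.
    """
    if len(code) == 23 and code[:3] == DELEGATION_PREFIX:
        return "0x" + code[3:].hex()
    return None
```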

While multisignature wallets remain secure under this upgrade, thanks to their requirement for multiple signers, single-key wallets, hardware or otherwise, must adopt new signature-parsing and red-flag detection tools to prevent potential exploitation.

In addition to EIP-7702, Pectra also included EIP-7251, which raised the Ethereum validator staking limit from 32 to 2,048 ETH, and EIP-7691, which increases the number of data blobs per block for better layer-2 scaling.
