The most recent update to Ethereum, known as Pectra, brought advanced new capabilities designed to enhance scalability and smart account functions. However, this upgrade also created a significant security risk, potentially enabling attackers to siphon funds from user wallets with just an off-chain signature.
In the Pectra upgrade, which
went live on May 7 at epoch 364032
Attackers could leverage a newly introduced transaction type to seize control of externally owned accounts (EOAs) without needing the user to authorize an on-chain transaction.
Arda Usman, a Solidity smart contract auditor, told Cointelegraph that “an attacker can now withdraw an externally owned account’s funds simply through an off-chain signed message without requiring the user to sign an on-chain transaction directly.”
The main point of concern is EIP-7702, an integral part of the Pectra update. This Ethereum Improvement Proposal brings forth the SetCode transaction (transaction type 0x04). It allows users to transfer control over their wallets to another contract just by signing a message.
If an attacker gains access to this signature—say, through a phishing site—they can replace the wallet’s code with a compact proxy that reroutes requests to their malevolent smart contract.
“As soon as the code is established,” Usman clarified, “the hacker can activate this code to move out the funds from the account’s ETH or tokens—completely bypassing the usual step where a user would sign off on a standard transfer transaction.”
Related:
The Ethereum Spectre update introduces new functionalities.
Wallets can be altered with offchain signature
Yehor Rudytsia, onchain researcher at Hacken, noted that this new transaction type introduced by Pectra allows arbitrary code to be installed on the user’s account, essentially turning their wallet into a programmable smart contract.
“This transaction type enables the user to establish custom code (smart contract) so as to facilitate operations on their behalf,” Rudytsia explained.
Prior to Pectra, modifying wallets required a transaction with a direct signature from the user. However, now a straightforward off-chain signature can enable code installation that grants full control over the wallet to a malicious contract.
“Before Pectra, users had to initiate transactions—not just sign messages—to enable the movement of their funds… After Pectra, any operation can be carried out through the contract once the user has approved it using SET_CODE,” Rudytsia clarified.
The danger is genuine and imminent. “Pectra was initiated on May 7, 2025. As of that date, every legitimate delegation signature can be enforced,” Usman cautioned. He further noted that smart contracts depending on obsolete presumptions, like employing tx.origin or simpleEOA-only verifications, are especially at risk.
Wallets and interfaces that cannot identify or accurately display these new transaction types are most susceptible to risks. Rudytsia cautioned that “wallets face vulnerabilities if they do not examine Ethereum’s various transaction types,” particularly those of type 0x04.
He emphasized that wallet engines must clearly display delegation requests and flag any suspicious addresses.
This novel type of assault can be readily carried out via typical off-chain activities such as phishing emails, counterfeit decentralized applications, or scam tactics on Discord.
We think this will become the primary method of attack concerning these new alterations implemented by Pectra,” Rudytsia stated. “Henceforth, users must meticulously verify what they are about to endorse.
Related:
Pectra includes currently implemented features such as Ethereum EIP-7702 wallet integration.
Hardware wallets are no longer considered more secure.
Hardware wallets
Rudytsia stated that they are no longer intrinsically safer. He further mentioned that hardware wallets now face the same risks as hot wallets when it comes to signing malicious messages. “Once executed—if everything is carried out—all the funds vanish instantly.”
Staying secure involves being vigilant. “Individuals shouldn’t endorse messages unless they fully comprehend them,” Rudytsia cautioned. Additionally, he encouraged wallet creators to issue explicit alerts whenever signatures for delegations are requested from users.
Special caution should be taken with new delegation signature formats introduced by EIP-7702, which are not compatible with existing EIP-191 or EIP-712 standards. These messages often appear as simple 32-byte hashes and may bypass normal wallet warnings.
If a notification contains your account nonce, it likely means your account is being impacted directly,” Usman cautioned. “Typical login alerts or external pledges generally do not include your nonce.
Introducing an additional layer of risk, EIP-7702 permits signatures with chain_id = 0, which implies that the signed message could potentially be reused across any Ethereum-based network. “Recognize that it has broad applicability,” Usman stated.
While
multisignature wallets
stay safer with this update, as multi-signature requirements force single-key wallets—whether hardware or not—to implement updated signature analysis and alert systems to thwart possible exploits.
Alongside EIP-7702,
Pectra also included EIP-7251
, which increased Ethereum’s validator staking cap from 32 to 2,048 ETH, and EIP-7691, which boosts the quantity of data blobs per block for enhanced layer-2 scalability.
Magazine:
Bitcoin anticipates ‘astronomical figures,’ JD Vance scheduled for Bitcoin discussion: Hodler’s Digest, May 4 – 10
Discover more from newsonblockchain.com
Subscribe to get the latest posts sent to your email.
