Ethereum's latest network upgrade, Pectra, introduced powerful new features to improve scalability and smart account functionality, but it also opened a dangerous new attack vector that lets attackers drain funds from user wallets with a single offchain signature.
As part of the Pectra upgrade, which went live at epoch 364032 on May 7, attackers can take advantage of a new transaction type to take control of externally owned accounts (EOAs) without the user signing an onchain transaction.
Arda Usman, a Solidity smart contract auditor, told Cointelegraph: “It becomes possible that an attacker can drain the funds of an EOA with just one offchain-signed message (no direct transaction signed by the user).”
At the heart of the risk is EIP-7702, a core component of the Pectra upgrade. The Ethereum improvement proposal introduces the SetCode transaction (type 0x04), which lets users delegate control of their wallet to another contract simply by signing a message.
If an attacker obtains this signature, for example via a phishing site, they can overwrite the wallet's code with a small proxy that forwards calls to their malicious contract.
“Once the code is set,” said Usman, “the attacker can call this code to transfer the account's ETH or tokens, all without the user ever having signed a standard transfer transaction.”
Source: Vladimir S. | Officer's Notes
Accounts can be modified with an offchain signature
Yehor Rudytsia, onchain researcher at Hacken, found that this new transaction type introduced by Pectra allows arbitrary code to be installed in a user's account, essentially turning the wallet into a programmable smart contract.
“This TX type enables the user to set arbitrary code (smart contract) in such a way that it can perform operations on behalf of the user,” said Rudytsia.
Before Pectra, accounts could not be modified without a transaction directly signed by the user. A simple offchain signature can now install code that delegates complete control to an attacker's contract.
“Pre-Pectra, users needed to send transactions (not sign messages) in order for their assets to be moved. Post-Pectra, this can be carried out by the contract that users approved via SET_CODE,” said Rudytsia.
The threat is real and immediate. “Pectra activates on May 7, 2025. From that moment on, every valid delegation signature can be executed,” warned Usman. He added that smart contracts built on outdated assumptions, e.g.
Wallets and interfaces that do not recognize or correctly display these new transaction types are most at risk. Rudytsia warned that “wallets are vulnerable if they don't parse Ethereum's transaction types”, especially transaction type 0x04.
He emphasized that signing engines must clearly indicate delegation requests and flag suspicious addresses.
This new type of attack can easily be carried out through common offchain interactions such as phishing emails, fake dApps or Discord scams.
“We believe that it will be the preferred attack vector in relation to the changes introduced by Pectra,” said Rudytsia. “From now on, users must carefully validate what they are signing.”
Source: black
Hardware wallets are no longer safer
Hardware wallets are no longer safer, said Rudytsia. He added that from now on, hardware wallets are exposed to the same risk as hot wallets when it comes to signing malicious messages. “Once it's done, the funds are gone in a moment.”
There are ways to stay secure, but they require awareness. “Users must not sign messages they don't understand,” Rudytsia advised. He also called on wallets to display clear warnings when users are asked to sign a delegation message.
Particular caution should be taken with the new delegation signature formats introduced by EIP-7702, which are not compatible with the existing EIP-191 or EIP-712 standards. These messages often appear as plain 32-byte hashes and can slip past a wallet's normal warnings.
“If a message includes your account nonce, it will likely affect your account directly,” warned Usman. “Normal logins or offchain commitments usually don't include your nonce.”
Adding to the risk, EIP-7702 allows signatures with chain_id = 0, which means the signed message can be replayed on any Ethereum-compatible chain. “I understand that it can be used anywhere,” said Usman.
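The following is an added example (not code from the article or from the researchers quoted) of the wallet-side screening the text calls for: it builds the EIP-7702 signing preimage from an authorization tuple and returns the red flags a signing UI should show before the user signs. It assumes the authorization layout and 0x05 MAGIC prefix defined in EIP-7702 itself; the keccak-256 step is omitted because it is not in the Python standard library, and the sample delegate addresses are constructed.

```python
"""Wallet-side risk screen for EIP-7702 SetCode (type 0x04) delegation authorizations."""
from dataclasses import dataclass

MAGIC = b"\x05"  # EIP-7702 domain separator prefixed to the RLP-encoded tuple


def _len_prefix(n: int, offset: int) -> bytes:
    """RLP length prefix for a payload of n bytes (offset 0x80 for strings, 0xC0 for lists)."""
    if n < 56:
        return bytes([offset + n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(nb)]) + nb


def rlp_encode(item) -> bytes:
    """Minimal RLP for ints, byte strings and lists, enough for an authorization tuple."""
    if isinstance(item, int):  # ints are big-endian without leading zeros; 0 is the empty string
        item = b"" if item == 0 else item.to_bytes((item.bit_length() + 7) // 8, "big")
    if isinstance(item, (bytes, bytearray)):
        if len(item) == 1 and item[0] < 0x80:
            return bytes(item)
        return _len_prefix(len(item), 0x80) + bytes(item)
    body = b"".join(rlp_encode(x) for x in item)
    return _len_prefix(len(body), 0xC0) + body


@dataclass(frozen=True)
class Authorization:
    chain_id: int
    address: bytes  # 20-byte delegate: code at this address will run in the EOA's context
    nonce: int      # the account nonce the delegation is bound to

    def signing_preimage(self) -> bytes:
        # The user signs keccak256(MAGIC || rlp([chain_id, address, nonce])). A wallet that
        # only sees the 32-byte digest cannot explain it; it must decode this tuple instead.
        return MAGIC + rlp_encode([self.chain_id, self.address, self.nonce])


def screen_authorization(auth: Authorization, wallet_chain_id: int,
                         trusted_delegates: frozenset = frozenset()) -> list:
    """Return the warnings a signing UI should display for this delegation request."""
    flags = [f"code delegation for your account at nonce {auth.nonce} (not a login or EIP-712 message)"]
    if auth.chain_id == 0:
        flags.append("chain_id is 0: valid on every EIP-7702 chain, so it can be replayed anywhere")
    elif auth.chain_id != wallet_chain_id:
        flags.append(f"chain_id {auth.chain_id} does not match the connected chain {wallet_chain_id}")
    if auth.address not in trusted_delegates:
        flags.append(f"delegate 0x{auth.address.hex()} is not a known account-abstraction contract")
    return flags
```

The first warning is always emitted because, as the text notes, a bare 32-byte hash gives the user no hint that they are handing over control of the account.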
While multi-signature wallets are safer because they require several signers, single-key wallets, hardware or otherwise, need new tools for parsing and red-flagging to address potential exploitation.
In addition to EIP-7702, Pectra also included EIP-7251, which increased Ethereum's validator staking limit from 32 to 2,048 ETH, and EIP-7691, which increases the number of data blobs per block for better layer-2 scalability.