Wintermute: EIP-7702 in Pectra Upgrade is Being Maliciously Exploited, Over 80% of Authorizations Used for Automated Attacks

According to a report by Jinse Finance, Wintermute recently issued a warning that the EIP-7702 feature (account abstraction improvement) in Ethereum's Pectra upgrade is being maliciously abused, with over 80% of authorizations used for automated attacks. Blockchain security company Scam Sniffer recently detected that a user lost nearly $150,000 due to a phishing attack. The attacker deployed a copy-paste contract named "CrimeEnjoyor," which can automatically empty wallets with leaked private keys. EIP-7702, proposed by Ethereum founder Vitalik Buterin, aims to enhance user experience by temporarily enabling wallets with smart contract functions, including batch processing of multiple transactions, sponsoring gas fees, using biometric/social verification, and setting single transaction limits. According to Wintermute's Dune dashboard, the vast majority of EIP-7702 authorizations are directed towards malicious contracts with the same functionality. Security expert Taylor Monahan pointed out that EIP-7702 makes it "cheaper and easier" to empty addresses. Wintermute commented, "It's both ridiculous and cruel that the same copied bytecode occupies most of the EIP-7702 authorizations." Previously, it was reported that SlowMist founder Yu Jian stated that the largest users of Ethereum's new mechanism EIP-7702 are coin-stealing groups (rather than phishing organizations). EIP-7702 allows funds to be automatically transferred from wallets with leaked private keys or mnemonic phrases through authorization, with over 97% of EIP-7702 delegations pointing to coin-stealing contracts.