A new feature in the Ethereum network, EIP-7702, which introduces account abstraction to wallets for improved user interface and smart contract functionality emulation, has unfortunately opened a door for hackers. While this innovation is designed to simplify transactions and enhance security, its introduction also triggered an increase in malicious activities targeting these newly exploited functionalities. EIP-7702 enables wallets to temporarily emulate smart contracts, offering features like batch transactions and spending controls linked to various authentication processes. These improvements aim to streamline core transactions and boost security as championed by Ethereum co-founder Vitalik Buterin. However, this newfound capability has also been exploited by criminals to their advantage, leading to significant losses for users.
Analysis of over 4/5th of EIP-7702 delegations revealed a worrying trend where these fraudulent “CrimeEnjoyor” contracts have become prevalent. These cleverly designed cloned contracts allow hackers to manipulate wallets by redirecting digital assets from vulnerable points within them, posing considerable risks for users. The simplicity and widespread use of the “CrimeEnjoyor” contract highlight the ironic vulnerability inherent in EIP-7702’s design.
Blockchain security firms like Scam Sniffer and SlowMist have reported significant asset losses for users, with one individual losing roughly $150,000 through a single transaction utilizing batch processing and phishing tactics.
To address this issue, it is critical that users remain vigilant about unauthorized or unverified transaction requests and carefully examine signature prompts in digital wallets to avoid security traps. Wallets providers are urged to implement robust security protocols for smooth transitions of EIP-7702.
For instance, wallet providers should integrate defenses quickly against these emerging threats. They must also prioritize clear disclosures around intended contract delegations to prevent phishing risks and enhance user awareness.
It’s crucial for users to exercise caution and for wallet service providers to strengthen their security frameworks to minimize potential financial losses caused by these vulnerabilities.