Ethereum's new smart-wallet feature, EIP-7702, has come under scrutiny after blockchain security researchers discovered that attackers are misusing it. Since the Pectra upgrade, various wallet providers have begun incorporating the features of EIP-7702.

Wintermute analysts observed that attackers utilized 97% of EIP-7702 wallet delegations to deploy contracts intended to siphon funds from unsuspecting users. The update allows externally owned accounts (EOAs) to function temporarily as smart contract wallets, enabling transaction batching, spending limits, passkey integration, and wallet recovery without altering wallet addresses.

Although these enhancements were meant to improve user-friendliness, malicious actors are exploiting the mechanism to speed up fund extraction. Rather than manually transferring ETH out of compromised wallets, attackers now deploy contracts that automatically redirect any ETH a wallet receives to their own accounts.

Rahul Rumalla, Chief Product Officer at Safe, acknowledged that attackers are quick to utilize new capabilities, affirming that EIP-7702 has various beneficial applications besides being misused for theft.

Wintermute's analysis revealed that many wallet delegations pointed to similar codebases facilitating the sweeping of ETH from compromised wallets. The sweeping contracts autonomously transfer incoming funds to addresses controlled by attackers. Among the nearly 190,000 examined delegated contracts, a significant portion was associated with illicit activities.

Base Network's senior data analyst, Koffi, indicated that over a million wallets engaged with suspicious contracts recently. He clarified that the attackers leveraged EIP-7702 not for hacking wallets but for streamlining theft from wallets with exposed private keys.

One notable implementation involves a receive function that triggers an ETH transfer as soon as funds arrive in the wallet, eliminating the need for manual withdrawals. Yu Xian, founder of the blockchain security firm SlowMist, confirmed that organized theft groups, rather than traditional phishing operators, are behind these exploits, since EIP-7702's automation suits large-scale operations.
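A defender-side check for the delegations described above, added here as an example that is not from the article or from Wintermute's analysis: given the raw code bytes that `eth_getCode` returns for an account, it parses the EIP-7702 delegation designator (the prefix `0xef0100` followed by a 20-byte delegate address), distinguishes plain EOAs, ordinary contracts and delegated accounts, and flags delegations whose target is on a watchlist. The watchlist, the sample accounts and the sweeper address are constructed placeholders, not real on-chain values.

```python
from typing import Optional

# EIP-7702 delegation designator as stored in the account's code field:
# the 3-byte prefix 0xef0100 followed by the 20-byte delegate address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")
DELEGATION_LENGTH = len(DELEGATION_PREFIX) + 20


def parse_delegation(code: bytes) -> Optional[str]:
    """Return the delegate address (lowercase hex) if `code` is a well-formed
    EIP-7702 designator, otherwise None (empty code or an ordinary contract)."""
    if len(code) != DELEGATION_LENGTH or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[len(DELEGATION_PREFIX):].hex()


def classify_account(code: bytes, watchlist: set[str]) -> str:
    """Label one account by its code: plain EOA, regular contract, 7702
    delegation to an unknown target, or delegation to a watchlisted target."""
    if not code:
        return "eoa"
    delegate = parse_delegation(code)
    if delegate is None:
        # Starts with the 7702 prefix but has the wrong length: not a valid
        # designator, so surface it rather than silently treating it as code.
        if code.startswith(DELEGATION_PREFIX):
            return "malformed-delegation"
        return "contract"
    return "delegated-flagged" if delegate in watchlist else "delegated"


def audit_accounts(accounts: dict[str, bytes], watchlist: set[str]) -> dict[str, str]:
    """Classify every account; input maps account address -> code bytes."""
    return {addr: classify_account(code, watchlist) for addr, code in accounts.items()}


# Constructed sample data (placeholder addresses, not real on-chain values).
SWEEPER = "0x" + "ab" * 20  # hypothetical sweeper contract address
WATCHLIST = {SWEEPER}
SAMPLE_ACCOUNTS = {
    "0x" + "01" * 20: b"",                                           # plain EOA
    "0x" + "02" * 20: bytes.fromhex("6080604052"),                   # ordinary contract
    "0x" + "03" * 20: DELEGATION_PREFIX + bytes.fromhex("cd" * 20),  # delegated, unknown target
    "0x" + "04" * 20: DELEGATION_PREFIX + bytes.fromhex("ab" * 20),  # delegated to the sweeper
    "0x" + "05" * 20: DELEGATION_PREFIX + b"\x00" * 19,              # truncated designator
}

if __name__ == "__main__":
    for addr, label in audit_accounts(SAMPLE_ACCOUNTS, WATCHLIST).items():
        print(addr, label)
```

In practice the code bytes come from `eth_getCode` for each address of interest, and the watchlist is fed from delegate addresses that have already been observed sweeping funds.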

While there is evidence of extensive exploitation, no confirmed profits have been reported yet. Wintermute researchers observed attackers spending ETH to authorize numerous addresses, although the target addresses have not received any funds.