EIP-7702’s Power Turned Weapon in New Phishing Wave
A cryptocurrency investor recently lost about $1.54 million to a phishing scam that abused Ethereum’s EIP-7702, the standard that lets an ordinary wallet address delegate to smart-contract code and so execute a batch of operations behind a single confirmation. The stolen assets included wrapped staked ether (wstETH), Coinbase wrapped bitcoin (cbBTC) and several other tokens. The attack used a fraudulent decentralized finance (DeFi) interface mimicking legitimate platforms such as Uniswap; it tricked the user into confirming one batched transaction in which token transfers to the attacker were bundled alongside the action the user thought they were taking. Once confirmed, the attacker drained the wallet almost instantly [1].
The method abuses the batching that EIP-7702, shipped in Ethereum’s Pectra upgrade (May 2025), makes possible: an externally owned account can point its code at a delegate contract, and a delegate that supports batched execution lets many calls (approvals, transfers, swaps) run in one transaction under one signature. For legitimate users this saves gas and clicks; for an attacker it means the operations that drain a wallet can ride along with an operation the user expects. According to Scam Sniffer, the malicious transactions looked routine to a user who did not yet know that a single confirmation on an upgraded address can authorize a whole list of calls, leaving them exposed to losing everything in one step [1].
Similar incidents have been reported recently, with attackers using the same tactics to siphon assets from unsuspecting users. Earlier in the same week, another investor lost approximately $1 million in NFTs and other tokens under nearly identical circumstances: transactions presented as Uniswap swaps in fact called phishing contracts built to misappropriate funds. Scam Sniffer emphasized that multiple victims have been identified, indicating a growing trend of phishing attacks targeting addresses already upgraded under EIP-7702 [1].
Yu Xiang of SlowMist described the mechanics of the scam: victims open a phishing website, receive a wallet signature prompt, click confirm, and find their assets gone moments later. EIP-7702 lets a plain wallet address run smart-contract code, which is what makes features such as gas sponsorship, spending limits and batched calls available to it; the delegation is set by a signed authorization and stays in force until the owner replaces it, so an "upgrade" prompt is itself a high-privilege action. Attackers have weaponized the same capability from the other direction as well: Wintermute reported that over 90% of EIP-7702 delegations were linked to malicious contracts, most of them "sweeper" code installed on accounts whose private keys the attacker already held, so that any ETH sent to the address is forwarded out automatically [2].
Scam Sniffer and security experts have issued warnings urging investors to exercise caution when approving batch transactions. In practice that means: verify the domain and the platform before signing; read every call in a batch, not just the first, since one confirmation executes them all; refuse unlimited token approvals and approvals to contracts you do not recognise; treat any prompt to "upgrade" the account or switch it to a smart account (an EIP-7702 authorization) as a request for control of the wallet; and abort when the wallet’s transaction simulation shows transfers or approvals that do not match what you intended. As the exploitation of EIP-7702 continues to evolve, the risk for investors remains high unless such precautions are taken [2].
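The two checks above that a wallet or a cautious user can actually automate, as an added example written for this page (not code from Scam Sniffer, SlowMist, Wintermute or any wallet vendor): detecting whether an address has been upgraded under EIP-7702 from its on-chain code (the 23-byte designator 0xef0100 followed by the delegate address), and decoding each call in a batch to flag unlimited approvals and transfers to untrusted addresses before the single confirmation goes out. The ERC-20/ERC-721 selectors are the standard ones; the wallet, router, attacker and token addresses, the account code and the sample batch are constructed for the demonstration.

```python
"""Added example (not from the article or any wallet vendor); addresses, calldata and code are constructed."""
from __future__ import annotations
from dataclasses import dataclass

DELEGATION_PREFIX = bytes.fromhex("ef0100")   # EIP-7702 account code = 0xef0100 || 20-byte delegate
UINT256_MAX = 2**256 - 1
SELECTORS = {                                 # first 4 bytes of keccak256(signature)
    bytes.fromhex("095ea7b3"): "approve",             # approve(address,uint256)
    bytes.fromhex("a9059cbb"): "transfer",            # transfer(address,uint256)
    bytes.fromhex("23b872dd"): "transferFrom",        # transferFrom(address,address,uint256)
    bytes.fromhex("a22cb465"): "setApprovalForAll",   # setApprovalForAll(address,bool)
}

@dataclass
class Call:            # one entry of a batched execution: (to, value, data)
    to: str
    value: int
    data: bytes

@dataclass
class Finding:
    severity: str      # "high" | "medium"
    message: str

def delegation_target(code: bytes) -> str | None:
    """From eth_getCode output, return the delegate address if the EOA is 7702-delegated."""
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None

def _word(data: bytes, i: int) -> bytes:
    w = data[4 + 32 * i: 36 + 32 * i]         # i-th 32-byte ABI word after the selector
    if len(w) != 32:
        raise ValueError(f"calldata too short for argument {i}")   # truncated calldata is an error, not a pass
    return w

def _addr(w: bytes) -> str:
    return "0x" + w[12:].hex()                # address = low 20 bytes of the word

def encode(selector_hex: str, *args) -> bytes:
    """Minimal ABI encoder for the static types used here (address or uint256)."""
    out = bytes.fromhex(selector_hex)
    for a in args:
        if isinstance(a, str):                # address
            out += bytes.fromhex(a[2:]).rjust(32, b"\x00")
        else:                                 # uint256
            out += a.to_bytes(32, "big")
    return out

def audit_call(call: Call, wallet: str, trusted: set[str]) -> list[Finding]:
    """Decode one batched call; flag approvals/transfers that move value to untrusted parties."""
    to, data, trusted = call.to.lower(), call.data, {t.lower() for t in trusted}
    out: list[Finding] = []
    if call.value > 0 and to not in trusted:
        out.append(Finding("medium", f"sends {call.value} wei to untrusted {to}"))
    if len(data) < 4:
        return out
    fn = SELECTORS.get(data[:4])              # unrecognised selectors are left to the simulator
    if fn == "approve":
        spender, amount = _addr(_word(data, 0)), int.from_bytes(_word(data, 1), "big")
        if amount == UINT256_MAX:
            out.append(Finding("high", f"unlimited approval of {to} to {spender}"))
        elif spender not in trusted:
            out.append(Finding("high", f"approval of {amount} on {to} to untrusted {spender}"))
    elif fn == "setApprovalForAll":
        operator, approved = _addr(_word(data, 0)), _word(data, 1)[-1] == 1
        if approved and operator not in trusted:
            out.append(Finding("high", f"setApprovalForAll on {to} to untrusted {operator}"))
    elif fn == "transferFrom":
        src, dst = _addr(_word(data, 0)), _addr(_word(data, 1))
        if src == wallet.lower() and dst not in trusted:
            out.append(Finding("high", f"transferFrom moves {to} from the wallet to untrusted {dst}"))
    elif fn == "transfer":
        dst, amount = _addr(_word(data, 0)), int.from_bytes(_word(data, 1), "big")
        if dst not in trusted:
            out.append(Finding("high", f"transfer of {amount} of {to} to untrusted {dst}"))
    return out

def audit_batch(calls: list[Call], wallet: str, trusted: set[str]) -> list[Finding]:
    return [f for c in calls for f in audit_call(c, wallet, trusted)]

def verdict(findings: list[Finding]) -> str:
    # one confirmation covers every call in the batch, so one draining call rejects the whole
    return "reject" if any(f.severity == "high" for f in findings) else "sign"

# Constructed sample: the swap the user expected, with three draining calls appended.
WALLET, ROUTER, ATTACKER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "bad0" * 10
WSTETH, CBBTC = "0x" + "33" * 20, "0x" + "44" * 20
SAMPLE_CODE = DELEGATION_PREFIX + bytes.fromhex("55" * 20)       # eth_getCode of an upgraded EOA
SAMPLE_BATCH = [
    Call(ROUTER, 0, bytes.fromhex("deadbeef")),                   # the expected swap
    Call(WSTETH, 0, encode("095ea7b3", ATTACKER, UINT256_MAX)),   # hidden: unlimited approval
    Call(CBBTC, 0, encode("a9059cbb", ATTACKER, 10**8)),          # hidden: direct token transfer
    Call(ATTACKER, 5 * 10**17, b""),                              # hidden: 0.5 ETH value transfer
]

if __name__ == "__main__":
    print("delegated to:", delegation_target(SAMPLE_CODE))
    for f in (fs := audit_batch(SAMPLE_BATCH, WALLET, {ROUTER})):
        print(f"[{f.severity}] {f.message}")
    print("verdict:", verdict(fs))
```

Run the file to see the four-call batch scored: the first call is the swap the user expected and produces no finding, the approve and transfer appended by the phishing page each produce a high finding, the value transfer a medium one, so the verdict is reject. The trusted set is the part a real deployment has to get right: a router that is itself attacker-controlled would pass, so the list must come from a maintained source, never from the page that is asking for the signature.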
The growing frequency of such scams underscores the need for better awareness among cryptocurrency users, particularly as new Ethereum transaction standards introduce novel risks. EIP-7702 offers real efficiency gains, but bundling many operations behind one confirmation widens what a single mistaken click can authorize. As attackers refine their techniques, the onus is on users to stay informed and adopt best practices to safeguard their digital assets [1].
Sources:
[1] Crypto Investor Hit by $1.54M Loss in Phishing Scam Using EIP-7702 (https://coincentral.com/crypto-investor-hit-by-1-54m-loss-in-phishing-scam-using-eip-7702/)
[2] Crypto Investor Loses $1M in Uniswap Scam Exploiting Ethereum’s EIP-7702 (https://cryptoslate.com/crypto-investor-loses-1m-in-uniswap-scam-exploiting-ethereums-eip-7702/)
[3] Beware of EIP-7702 Phishing Batch Transaction Traps (https://www.bitget.com/news/detail/12560604927722)
[4] $2.8M Bitcoin Gone After UK Police Officer Impersonation Scam (https://cryptopotato.com/2-8m-bitcoin-gone-after-uk-police-officer-impersonation-scam/)
[5] Crypto Investor Loses $1.54 Million in Devastating Phishing Scam (https://u.today/crypto-investor-loses-154-million-in-devastating-phishing-scam)