Source: 動區 BlockTempo · Published: 2026-04-29 03:50:56 · Asset: ETH

EIP-7702 suffers first large-scale failure: QNT and ETH stolen, Pectra account abstraction mechanism becomes a breeding ground for phishing

Original title: EIP-7702 首次大規模實戰失利:QNT、ETH 遭盜,Pectra 帳戶抽象機制淪釣魚溫床
The EIP-7702 account abstraction mechanism introduced in the Ethereum Pectra upgrade has been exploited at scale for the first time: attackers forged DeFi interfaces to trick users into signing authorization delegation transactions, silently draining QNT, ETH and various other tokens. Security firm SlowMist has identified Inferno Drainer as the primary attack group, with over 15,000 wallets affected.

(Previous coverage: Ethereum Pectra upgrade "hacker's paradise," Wintermute warns: EIP-7702 enables automated attacks via mass contract deployment)

(Background: Securing the Ethereum EIP-7702 upgrade: A proxy pattern for safe EOA to smart wallet transition)

From early warnings to real-world exploitation, EIP-7702 has traveled a much shorter path than the Ethereum community anticipated. The Ethereum Pectra upgrade officially went live on mainnet on May 7, 2025. EIP-7702 was regarded as a significant milestone for account abstraction: it allows externally owned accounts (EOAs) to temporarily delegate execution rights to smart contracts by signing authorization messages. The design intent was to let ordinary users enjoy advanced features such as batch transactions and gas sponsorship. However, as reported by Golden Finance on April 29, attackers have already used this mechanism to steal various tokens, including QNT (Quant) and ETH, marking the first large-scale real-world exploitation of a protocol-level vulnerability.

The attack flow is not complex, yet it is extremely difficult for ordinary users to detect. Attackers first set up phishing interfaces mimicking well-known DeFi platforms such as Uniswap and MetaMask, inducing users to sign seemingly normal "account upgrade" or "batch authorization" transactions. The issue lies in the authorization tuple design of EIP-7702: once a user signs, the account's execution rights are delegated to a malicious contract controlled by the attacker. The attacker then calls the execute() function to perform batch transfers of multiple tokens and setApprovalForAll operations for NFTs in a single transaction. The entire process completes on-chain and is irreversible.

Even more dangerous, EIP-7702 allows cross-chain signatures with chain_id=0, meaning the same phishing authorization can be replayed across all EVM-compatible chains; victims suffer losses on more than one chain. Even hardware wallets are not immune: the problem lies in what the user signed, not in whether the private key is secure.

Since the Pectra upgrade, losses from EIP-7702 phishing attacks have been climbing:

- Largest loss in a single phishing event: $1.54M USD (a user signed a batch transaction involving multiple token transfers and NFT authorization operations)
- Cumulative losses in August 2025: $12M, with over 15,000 wallets affected
- January 2026 IPOR Fusion PlasmaVault exploit: losses reached $267K–$336K
- Over 97% of EIP-7702 authorizations point to malicious sweeper contracts

SlowMist founder Yu Xian pointed out that phishing groups such as Inferno Drainer and PinkDrainer have integrated EIP-7702 into their attack toolchains, disguising the authorizations as official platform batch operations, with attack efficiency far higher than traditional phishing methods.

It is worth noting that market maker Wintermute issued a public warning early in the Pectra upgrade: the EIP-7702 authorization mechanism makes automated mass deployment of malicious contracts possible, allowing attackers to quickly replicate and deploy identical phishing contracts and thereby lowering attack costs. BlockTempo previously reported on this warning, and events have unfolded exactly as Wintermute predicted. Data analysis shows that over 80% of malicious EIP-7702 authorizations use identical copy-paste contracts; attackers do not need advanced technical skills, they only need to mass-produce phishing pages.

GoPlus Security urges users to use EIP-7702 related features only through official wallet interfaces, and to treat any external link, email or social media post requesting an "upgrade to smart account" as a scam. Before signing any authorization, always verify whether the delegation target is a known secure contract address, and abort immediately on encountering an unknown delegator request. SlowMist also advises users to regularly use tools such as revoke.cash to revoke unknown EIP-7702 authorizations so that accounts do not remain exposed.

The launch of EIP-7702 is a key step in Ethereum's account abstraction roadmap, and it technically offers significant room for improving user experience. However, from warning to real-world exploitation, it took only a few months. This wave of attacks is re-testing an old problem: there is always a gap between the flexibility of protocol design and the security awareness
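The advice above (verify the delegation target before signing, treat chain_id=0 as a cross-chain replay risk, and audit already-delegated accounts for unknown delegators that should be revoked) can be turned into a pre-signing and post-hoc check. The following Python is an added example, not code from BlockTempo or from any of the firms quoted; the allowlist entry is a constructed placeholder standing in for a wallet vendor's audited delegation contract, and the sample addresses are likewise constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# EIP-7702 writes this 3-byte magic plus the delegate's 20-byte address
# into the EOA's code once an authorization takes effect.
DELEGATION_PREFIX = bytes.fromhex("ef0100")

# Constructed allowlist: a placeholder standing in for a wallet vendor's
# audited delegation contracts (assumption, not a real address).
KNOWN_DELEGATES = {"0x00000000000000000000000000000000000000a1"}

@dataclass
class Authorization:
    """One EIP-7702 authorization tuple as presented for signing."""
    chain_id: int
    address: str   # delegate contract the EOA would hand execution to
    nonce: int

def assess_authorization(auth: Authorization, expected_chain_id: int) -> List[str]:
    """Findings that should abort signing; an empty list means no red flag."""
    findings = []
    if auth.chain_id == 0:
        # chain_id 0 is valid on every EVM chain, so one phishing signature
        # can be replayed wherever the victim holds assets.
        findings.append("chain_id=0: authorization replays on every EVM chain")
    elif auth.chain_id != expected_chain_id:
        findings.append(f"chain_id {auth.chain_id} is not the chain you are using")
    if auth.address.lower() not in KNOWN_DELEGATES:
        findings.append(f"unknown delegator {auth.address}: abort signing")
    return findings

def decode_delegation(code: bytes) -> Optional[str]:
    """Return the delegate address if `code` is a 7702 designator, else None."""
    if len(code) == 23 and code[:3] == DELEGATION_PREFIX:
        return "0x" + code[3:].hex()
    return None

def delegated_to_unknown(code: bytes) -> bool:
    """True when an already-delegated EOA points at a contract not on the
    allowlist, i.e. a candidate for revocation (e.g. via revoke.cash)."""
    target = decode_delegation(code)
    return target is not None and target.lower() not in KNOWN_DELEGATES

if __name__ == "__main__":
    # Constructed sample: a cross-chain authorization to an unlisted contract.
    phish = Authorization(chain_id=0, address="0x" + "00" * 19 + "bb", nonce=0)
    print(assess_authorization(phish, expected_chain_id=1))
    print(delegated_to_unknown(DELEGATION_PREFIX + bytes.fromhex("00" * 19 + "bb")))
```

In practice the `code` bytes come from an `eth_getCode` call against the EOA, and the allowlist should be populated only with addresses the wallet vendor has published and you have verified.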