The Pectra upgrade of the Ethereum network, which took place on May 7, introduced new capabilities to enhance scalability and smart account functionality, but also revealed a serious vulnerability allowing hackers to drain funds from user wallets.
New Features of Pectra Upgrade
The Pectra update includes a new feature, EIP-7702, which introduces a new transaction type, SetCode. This function allows users to delegate control of their wallet to another contract simply by signing a message, without requiring an onchain transaction signature.
Vulnerability from Offchain Signatures
According to Arda Usman, a Solidity smart contract auditor, an attacker can drain funds from a wallet using just an offchain signed message. If an attacker obtains such a signature, they can overwrite the wallet's code and send the funds to themselves without requiring the user's direct signature. 'This implies that an attack can be executed through phishing sites or other deceptive activities,' Usman explained.
Security Recommendations for Users
Experts advise users not to sign messages that they do not understand and to be vigilant regarding warnings associated with new signature formats. EIP-7702 allows for signatures with chain_id = 0, increasing the risk of replaying signatures on compatible chains. To protect their funds, users should carefully validate delegation requests and consider that even hardware wallets are now susceptible to these threats.
The Pectra upgrade introduces significant improvements in Ethereum functionality but also opens new potential security threats. Users must be particularly cautious and exercise care when handling new types of transactions.
