A regular topic in crypto news is safety and security for users. Even the largest cryptocurrency exchanges on the planet face challenges in keeping user data and wallets safe from attacks. Ethereum is unfortunately the latest to fall victim to a wallet-sweeping scam.
These scams attempt to coerce users into giving essential wallet information, effectively draining them of crypto assets in the process. One Ethereum user lost $146K because they signed a malicious EIP-7702 transaction.
By May 30, Ethereum had taken steps to rectify the attack, partnering with crypto market maker Wintermute. The latter developed a tool that creates on-screen warnings when it detects malicious wallet-draining contracts.
Ethereum Account Abstraction Feature Exploited
The newest account abstraction feature deployed by Ethereum is unfortunately being turned against it and weaponized at scale. Analysis done by Wintermute shows that the majority of delegations under the newly implemented Ethereum EIP-7702 standard are being exploited. Attackers are using automated wallet-draining contracts to do the deed.
This upgrade is part of the rollout of the Pectra hard fork. Proposed by Ethereum co-founder Vitalik Buterin, this update gives wallets the ability to temporarily act like smart contracts. The goal was to streamline the overall user experience, enabling features like gas sponsorship, authentication methods, spending limits, and batched transactions within one delegation.
Unfortunately, malicious actors have been able to take advantage of this flexibility. According to Wintermute, it is estimated that more than 80% of those EIP-7702 delegations are now pointing to duplicated contracts that have been designed to sweep crypto out of the vulnerable wallets. It has since called this exploit pattern “CrimeEnjoyor,” denoting a contract whose efficiency and simplicity have made it a favorite of attackers.
Major Risks for Users
In addition to the findings of Wintermute, blockchain security firm Scam Sniffer has also seen such activity. It flagged a wallet that lost close to $150K USD. The wallet was used in a malicious bundled transaction linked to Inferno Drainer, which is essentially a scam-as-a-service operation that targets EVM-compatible chains.
For now, the firm is simply recommending that users check any and all signature requests. Additionally, it recommends not rushing into signing any transactions. It is an imperfect measure, but one of the few options to counteract these threats so far.
On top of that, security firm SlowMist also urged providers to implement safeguards related to EIP-7702 right away. “Wallet service providers should quickly support EIP-7702 transactions and, when users sign delegations, should prominently display the target contract to reduce the risk of phishing attacks,” said the company.
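A sketch of the check SlowMist describes, as an added example (not code from SlowMist, Wintermute or any wallet): before the user signs an EIP-7702 authorization, the wallet surfaces the delegate contract and flags the risky cases. The function name, the reviewed-contract list and all sample values are constructed for illustration.

```javascript
const ZERO_ADDRESS = "0x" + "0".repeat(40);

// auth: {chainId, address, nonce} decoded from the signing request.
// reviewed: Map of lower-case delegate address -> label, a hypothetical
// list of contracts the wallet vendor has reviewed.
function reviewAuthorization(auth, currentChainId, reviewed) {
  const target = String(auth.address).toLowerCase();
  if (!/^0x[0-9a-f]{40}$/.test(target)) {
    return { action: "reject", target, label: "malformed address", warnings: [] };
  }
  const warnings = [];
  const chainId = BigInt(auth.chainId);
  if (chainId === 0n) {
    // EIP-7702 accepts chain_id 0 on any chain.
    warnings.push("chain_id 0: usable on every chain where the account nonce matches");
  } else if (chainId !== BigInt(currentChainId)) {
    warnings.push(`chain_id ${chainId} does not match connected chain ${currentChainId}`);
  }
  if (target === ZERO_ADDRESS) {
    // Delegating to the zero address removes an existing delegation.
    return { action: "confirm", target, label: "clear delegation", warnings };
  }
  const label = reviewed.get(target);
  if (label === undefined) {
    warnings.push("unreviewed contract: its code will be able to move this account's funds");
    return { action: "warn", target, label: "unknown contract", warnings };
  }
  return { action: "confirm", target, label, warnings };
}

// Constructed sample data (not real contracts).
const REVIEWED = new Map([["0x" + "11".repeat(20), "Batch executor (constructed)"]]);
const SAMPLE_REQUESTS = [
  { chainId: 1, address: "0x" + "11".repeat(20), nonce: 7 },
  { chainId: 0, address: "0x" + "99".repeat(20), nonce: 7 },
  { chainId: 1, address: ZERO_ADDRESS, nonce: 8 },
];
for (const req of SAMPLE_REQUESTS) {
  const r = reviewAuthorization(req, 1, REVIEWED);
  console.log(r.action, r.target, r.label, r.warnings);
}
```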
Troubling Patterns
Research done by Wintermute shows even more troubling patterns emerging. As part of their analysis, it was determined that more than 97% of EIP-7702 delegations were being used in sweeping contracts that are identical in nature to “CrimeEnjoyor,” automatically draining ETH from any of the compromised addresses.
In a post on X, Wintermute said, “These are sweepers, used to automatically drain incoming ETH from compromised addresses.”
EIP-7702 was promoted as bringing a new level of convenience. It has also brought significant risk to the table. Wintermute and other cryptocurrency security companies are attempting to inject warnings to users. Wintermute was able to do this by reverse-engineering the Ethereum Virtual Machine (EVM) bytecode of these contracts into readable Solidity code, then verifying it publicly.
Because of this, most of these malicious contracts will now display a modified warning when activated. The lack of verification features as part of the EIP-7702 rollout has made it tougher for users, those who are new being the most vulnerable, to determine whether a contract is legitimate or malicious.
“This one copy-pasted bytecode now accounts for the majority of all EIP-7702 delegations,” Wintermute said. “It’s funny, bleak, and fascinating at the same time.”
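Measuring the pattern Wintermute describes, as an added example (not Wintermute's tool or code from the article): EIP-7702 records a delegation as the account code `0xef0100` followed by the 20-byte delegate address, so delegations can be read from `eth_getCode` results and grouped by the delegate's bytecode. The function names, addresses and bytecode below are constructed, and the sketch assumes the node returns the raw designator for a delegated account.

```javascript
// A delegated EOA's code is exactly 0xef0100 followed by the 20-byte
// delegate address (the EIP-7702 delegation designator, 23 bytes).
const DESIGNATOR = /^0xef0100([0-9a-f]{40})$/;

// Return the delegate address for an eth_getCode result, or null.
function delegateOf(accountCode) {
  const m = DESIGNATOR.exec(String(accountCode).toLowerCase());
  return m ? "0x" + m[1] : null;
}

// accounts: [{address, code}]; delegateCode: {delegate address: runtime bytecode}.
// Groups delegations by the delegate's bytecode so that copies of one
// contract deployed at different addresses fall into the same cluster.
function clusterDelegations(accounts, delegateCode) {
  const clusters = new Map();
  let total = 0;
  for (const { address, code } of accounts) {
    const target = delegateOf(code);
    if (target === null) continue; // plain EOA or ordinary contract
    total++;
    const bytecode = (delegateCode[target] || "unfetched:" + target).toLowerCase();
    if (!clusters.has(bytecode)) clusters.set(bytecode, { bytecode, delegates: new Set(), accounts: [] });
    const c = clusters.get(bytecode);
    c.delegates.add(target);
    c.accounts.push(address);
  }
  return [...clusters.values()]
    .map((c) => ({ ...c, delegates: [...c.delegates], share: c.accounts.length / total }))
    .sort((a, b) => b.accounts.length - a.accounts.length);
}

// Constructed sample data (not real addresses or bytecode).
const D1 = "0x" + "11".repeat(20), D2 = "0x" + "22".repeat(20), D3 = "0x" + "33".repeat(20);
const SAMPLE_ACCOUNTS = [
  { address: "0x" + "a1".repeat(20), code: "0xef0100" + D1.slice(2) },
  { address: "0x" + "a2".repeat(20), code: "0xEF0100" + D2.slice(2) },
  { address: "0x" + "a3".repeat(20), code: "0xef0100" + D2.slice(2) },
  { address: "0x" + "a4".repeat(20), code: "0xef0100" + D3.slice(2) },
  { address: "0x" + "a5".repeat(20), code: "0x" },           // undelegated EOA
  { address: "0x" + "a6".repeat(20), code: "0x6080604052" }, // ordinary contract
];
const SAMPLE_DELEGATE_CODE = { [D1]: "0x60016002", [D2]: "0x60016002", [D3]: "0x6003" };

const report = clusterDelegations(SAMPLE_ACCOUNTS, SAMPLE_DELEGATE_CODE);
console.log(report.map((c) => `${c.delegates.length} delegate(s), ${(c.share * 100).toFixed(0)}% of delegations`));
```

In the sample, two delegate addresses carry identical bytecode, so they fall into one cluster that accounts for three of the four delegations.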
Other Pectra-Related Changes
The rollout of Pectra comes with other changes, some of which are significant. EIP-7691 increased data block capacity in order to lower fees and improve scalability for Ethereum layer-2 networks. EIP-725 elevated the validator staking limit, moving it from 32 ETH to 2,048 ETH.
Buterin last month revealed a new proposal that would make it easier for everyday users to run Ethereum nodes. This would be done by reducing the storage and hardware requirements that are currently necessary for syncing to the network.
Buterin has talked about a shift in how nodes are able to not only store, but retrieve data, making the move to a more user-centric, friendly model from the current full data replication model. Using this approach, nodes would only store data that is relevant to that user instead of using the entire global state of Ethereum.
Tips for Spotting Cryptocurrency Scams
The unfortunate nature of any investment, not just cryptocurrency, is that there are others seeking to take advantage of investors. This is unfortunately just the latest scam in a long line of them, especially related to cryptocurrency. If you want to avoid crypto scams in the future, it is imperative to know the signs.
Promises of Free Money/Guaranteed Returns
Some cryptocurrency scams feel like they can be seen from a mile away. Some are a lot more sophisticated, tougher for even experienced crypto vets to spot. But one of the biggest red flags to spot is a promise of guaranteed returns or even free money.
Simply put, no financial investment is a guarantee. Even the “safe” investments can face downturns. Any crypto asset that is promising returns is more than likely a scam. A simple tenet of life is, “If it seems too good to be true, it probably is.” Follow that and you’ll have a leg up on the scammers.
Lack of a White Paper
A white paper is a way for crypto projects to share all of the technical data backing their technology. It is an essential part of investing in crypto, a chance to learn on a deeper level about projects that sound interesting.
The lack of a white paper, or one that is poorly constructed, should throw up red flags. This is one of the most vital aspects of an initial coin offering, explaining the design of the cryptocurrency and how it will work. White papers that don’t really touch on the subject are more than likely hiding something, so watch out.
Over-the-Top Marketing
Marketing is a normal part of running a business. After all, you could have the best product in the world, but no one will buy it if they have never heard of it. One way that fraudsters in the crypto space become active is by marketing heavily through paid influencers, online advertising, offline promotion, and more. There is a fine line between your average crypto promotion and something that raises red flags, so be careful.
When you see what feels like an overly saturated marketing plan, it is for a reason. That scheme is attempting to raise as much money as it can in as little time as possible. If a brand is making extravagant claims or coming across as heavy-handed with its marketing, take a step back and look further into the project. When in doubt, more information is always a good thing.