Ethereum is paying the price for post-Pectra simplification

Ethereum (ETH) is a blockchain platform known for its support for smart contracts and decentralized applications (DApps). To further improve user experience and security, Ethereum has rolled out its latest upgrade, Pectra, whose most notable feature is EIP-7702. However, just a few weeks after the upgrade went live, a serious problem emerged, leading security experts to question the balance between Ethereum's usability and its security.

EIP-7702: Enhancing Convenience for Ethereum Wallets

The Pectra upgrade introduces EIP-7702, a feature that makes Ethereum wallets smarter and easier to use while enhancing security. Proposed by Vitalik Buterin, the founder of Ethereum, EIP-7702 allows wallets to temporarily function as smart contracts. This opens up a range of utilities, including:

Although these improvements provide a better user experience and enhance wallet security, EIP-7702 inadvertently creates a vulnerability for attackers to exploit.

Automated Attacks with EIP-7702: The Price of Simplification?

A few weeks after Pectra launched, automated attacks emerged exploiting the EIP-7702 feature. The attackers exploited a vulnerability in the use of the EIP-7702 delegation command, resulting in the withdrawal of funds from compromised wallets without user intervention.

A report from Wintermute found that more than 80% of EIP-7702 authorizations are being used by a single malicious contract called CrimeEnjoyor. It is a short piece of contract code that can simply be copied and pasted, making it quick and easy for attackers to put to use. Once the attacker has taken over access to the user's wallet (usually through phishing scams), the funds can be withdrawn immediately to the attacker's own wallet.

A typical incident recorded by the blockchain security company Scam Sniffer involves a user losing nearly 150,000 dollars in a single transaction. This is not an isolated case, as thousands of similar transactions have been reported, particularly related to the Inferno Drainer service – a well-known tool in the realm of automated attacks.

[Figure: EIP-7702 authorization statistics. Source: Wintermute]

Although EIP-7702 has been criticized for creating a major security loophole, the real problem does not lie with this feature. The root cause is the leakage or theft of the user's private key. EIP-7702 only lets attackers carry out the resulting theft faster and more cheaply.

Security companies like SlowMist have emphasized that leaked private keys are the main cause of these attacks. Wallet providers therefore need to improve how contract interactions, including delegations, are displayed to users, and add further layers of user protection. If these fundamentals are not improved, advanced security features will not be effective.
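The following is an added example, not code from the article, Wintermute, SlowMist or any wallet vendor, showing the kind of check a wallet could run to surface a delegation before the user interacts with an account. It relies on one fact from the EIP-7702 specification: an externally owned account that has accepted a delegation has code of exactly 23 bytes, the marker `0xef0100` followed by the 20-byte delegate address. The sample account codes, the "trusted delegates" allowlist and the address labelled as a drainer are all constructed for this example; the verdict names and the function names are this example's own.

```python
"""Decode EIP-7702 delegation designators and flag delegations a wallet
should warn about. Added example; not part of the original article.

Assumed facts (from the EIP-7702 spec): a delegated EOA's code is
    0xef0100 || <20-byte delegate address>
Everything else below (allowlist, sample accounts, 'drainer' address)
is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

DELEGATION_PREFIX = bytes.fromhex("ef0100")    # EIP-7702 designator marker
DELEGATION_LEN = len(DELEGATION_PREFIX) + 20   # marker + 20-byte address

# Constructed allowlist: delegates the wallet vendor has vetted (hypothetical).
TRUSTED_DELEGATES = {"0x" + "11" * 20}

# Constructed sample of account code as returned by eth_getCode (0x stripped).
SAMPLE_ACCOUNTS = {
    "plain_eoa":        b"",                                     # never delegated
    "delegated_ok":     bytes.fromhex("ef0100" + "11" * 20),     # vetted delegate
    "delegated_bad":    bytes.fromhex("ef0100" + "ba" * 20),     # unknown delegate (placeholder drainer)
    "truncated":        bytes.fromhex("ef0100" + "ba" * 19),     # marker but wrong length
    "normal_contract":  bytes.fromhex("6080604052"),             # ordinary contract bytecode
}


@dataclass(frozen=True)
class DelegationStatus:
    delegated: bool
    delegate: Optional[str]   # 0x-prefixed lowercase address when delegated
    verdict: str              # "none" | "contract" | "malformed" | "trusted" | "untrusted"


def parse_delegation(code: bytes) -> Optional[str]:
    """Return the delegate address if `code` is a well-formed 7702 designator, else None."""
    if len(code) != DELEGATION_LEN or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[len(DELEGATION_PREFIX):].hex()


def classify(code: bytes, trusted: set[str]) -> DelegationStatus:
    """Map raw account code to a status a wallet can show before the user signs."""
    if code == b"":
        return DelegationStatus(False, None, "none")
    # Marker present but length wrong: not a valid designator; treat as suspicious.
    if code.startswith(DELEGATION_PREFIX) and len(code) != DELEGATION_LEN:
        return DelegationStatus(False, None, "malformed")
    delegate = parse_delegation(code)
    if delegate is None:
        return DelegationStatus(False, None, "contract")  # regular contract, not a 7702 account
    verdict = "trusted" if delegate.lower() in trusted else "untrusted"
    return DelegationStatus(True, delegate, verdict)


def audit(accounts: dict[str, bytes], trusted: set[str]) -> dict[str, str]:
    """Classify every account and return {name: verdict}; 'untrusted' and
    'malformed' are the ones a wallet should block or warn on."""
    return {name: classify(code, trusted).verdict for name, code in accounts.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_ACCOUNTS, TRUSTED_DELEGATES).items():
        flag = "WARN" if verdict in ("untrusted", "malformed") else "ok  "
        print(f"{flag} {name:16s} {verdict}")
```

In a real wallet the `code` bytes would come from `eth_getCode` on the account being displayed (with the `0x` prefix stripped), and the allowlist would be maintained by the vendor; the point of the check is that a delegation to an unvetted address is shown as a warning rather than hidden behind an ordinary-looking balance screen.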

The future of Ethereum

As Ethereum continues to evolve and introduce new features, one of the important priorities is to design smarter wallets, with clear contract signing alerts and enhanced security measures. Advanced features like EIP-7702 can improve usability and user experience, but if the underlying security layers are not maintained, they can have the opposite effect.

One of the important factors in securing Ethereum is user education. Developers and security organizations need to pay more attention to guiding users on how to protect their private keys, while also warning them about the dangers of scams and automated attacks.

The Pectra upgrade of Ethereum with EIP-7702 promises to bring significant improvements for users, but at the same time, it also opens up some risks that cannot be overlooked. Although this feature supports more efficient gas management and transactions, if the fundamental security mechanisms are not improved, attackers will continue to exploit these vulnerabilities to carry out automated attacks.

It is important that Ethereum continues to develop not only its features but also its basic security. Advanced features can make the blockchain easier to use, but without a solid security foundation, these improvements could become an opportunity for bad actors rather than for legitimate users.

Taylor
