The Ethereum blockchain forks today to adopt the Pectra code changes, introducing a set of new features, upgrades and vulnerabilities.
However, within an hour of the switch, officials had warned about the new threat vector: message signing.
“Beware of what you sign…it’s enough to drain all the tokens,” one user posted on Telegram. Another Ethereum user repeated the warning, saying, “You just need to sign the message to get fully ejected!”
Many other warnings of similar risks have been flagged.
The Ethereum Pectra upgrade included Ethereum Improvement Proposal (EIP) 3074. Its opcodes allow the owner of an Ethereum private key to delegate permissions to a smart contract.
The developers called it an important step in achieving account abstraction. However, critics say that by delegating key management it introduced a new phishing attack that can lead to the theft of all assets in a user’s wallet.
Sign Ethereum Transactions and Messages Carefully
The co-author of EIP-3074 tried to calm the fear with a post published on Binance claiming that he “doesn’t notice” wallets that allow users to sign improperly prefixed messages without a user warning.
The transaction uses prefix 0x04, and the EIP author expects that all major Ethereum wallets will flag 0x04 messages with prominent warnings and notify the user of the vast power being granted, which allows multiple withdrawals, including the possibility of theft.
“The caller field for EIP-3074 signatures is very important,” they wrote in sole. “A bad caller can steal your funds.”
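The wallet-side check described above, sketched as an added example (not code from the article, the EIP, or any wallet): it flags payloads that start with 0x04, extracts the caller field, and blocks callers that are not on an allowlist. The byte layout and the names `reviewSigningRequest` and `trustedCallers` are assumptions made for illustration.

```javascript
// Added example: pre-signing guard. ASSUMED payload layout (illustrative):
// 0x04 || chainId(32) || nonce(32) || caller(32, left-padded address) || commit(32)
const DELEGATION_PREFIX = 0x04; // prefix named in the article
const EIP191_PREFIX = 0x19;     // ordinary prefixed messages (EIP-191)
const ASSUMED_LEN = 1 + 4 * 32;

function hexToBytes(hex) {
  const clean = hex.startsWith("0x") ? hex.slice(2) : hex;
  if (clean.length === 0 || clean.length % 2 !== 0 || /[^0-9a-fA-F]/.test(clean)) {
    throw new Error("payload is not valid hex");
  }
  const out = [];
  for (let i = 0; i < clean.length; i += 2) out.push(parseInt(clean.slice(i, i + 2), 16));
  return out;
}

const toHex = (bytes) => "0x" + bytes.map((b) => b.toString(16).padStart(2, "0")).join("");

// Returns a verdict the wallet UI can act on before offering a "Sign" button.
function reviewSigningRequest(payloadHex, trustedCallers) {
  const bytes = hexToBytes(payloadHex);
  if (bytes[0] === EIP191_PREFIX) return { kind: "eip191-message", action: "prompt" };
  if (bytes[0] !== DELEGATION_PREFIX) {
    return { kind: "unprefixed", action: "block", reason: "improper prefix" };
  }
  if (bytes.length !== ASSUMED_LEN) {
    return { kind: "delegation", action: "block", reason: "malformed" };
  }
  const callerWord = bytes.slice(65, 97);      // third 32-byte word
  const caller = toHex(callerWord.slice(12));  // low 20 bytes are the address
  const padded = callerWord.slice(0, 12).every((b) => b === 0);
  const allow = trustedCallers.map((a) => a.toLowerCase());
  const trusted = padded && allow.includes(caller);
  return {
    kind: "delegation",
    caller,
    action: trusted ? "warn" : "block",
    reason: trusted ? "allowlisted caller, still grants broad power" : "unknown caller",
  };
}

// Constructed sample: chainId 1, nonce 0, caller 0x1111..., arbitrary commit.
const SAMPLE = "0x04" + "00".repeat(31) + "01" + "00".repeat(32) +
  "00".repeat(12) + "11".repeat(20) + "ab".repeat(32);
```

Even an allowlisted caller yields "warn" rather than a silent pass, matching the article's expectation that 0x04 requests always carry a prominent warning.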
Today’s Pectra fork also added EIP-7702, raising the stakes even higher. With the power of EIP-7702, a single malicious signature can temporarily delegate someone’s entire account to a third-party smart contract.
If the contract is malicious, it could potentially drain all assets (ETH, tokens, NFTs) at once.
The attack surface of EIP-7702 is wider than that of pre-Pectra Ethereum transactions, as it exposes externally owned accounts (EOAs) to vulnerabilities in temporary third-party smart contracts.
This temporary delegation of executable code was not a pre-Pectra concern.
The warnings are growing across social media, but there have been no reports of successful theft of funds using the new Pectra-related attack vector.
Most wallet providers, like MetaMask, are prepared for Pectra and have added a notable warning for EIP-3074 message signatures.