An Ethereum wallet upgraded to an EIP-7702 smart account has lost $146,551 to phishing scammers. Scam Sniffer, a blockchain security firm, reported the incident and noted that the funds were stolen through malicious batched transactions.
According to the firm, the victim (address 0xC6D289D) signed a malicious batched transaction, allowing the attackers to drain their funds. The scammers used addresses 0xc83de81a and 0x33dad2b to carry out the attack.
Following the incident, cybersecurity expert Yu Xian pointed out that the phishing technique was particularly creative and identified Inferno Drainer, the well-known phishing group, as being behind it. The group had publicly claimed to have shut down, but a recent Check Point investigation shows that its drainer remains in active use and has been used to steal more than $9 million in crypto assets over the past six months.
Xian, founder of blockchain security company SlowMist, pointed out that the scammers did not switch the victim's externally owned account (EOA) to a phishing address. Instead, they used MetaMask's EIP-7702 Delegator mechanism to carry out batch approval phishing and steal the tokens.
He said:
“What is a bit creative here is that this time the user’s EOA address was not switched to a 7702 contract address through phishing. That is, the delegated address is not the phishing address, but the MetaMask EIP-7702 delegator that has existed for a few days: 0x63C0C19A2.”
This makes the incident more complex than previous attempts to exploit the EIP-7702 feature. Through this mechanism, the attackers could pick tokens and steal them from the victim’s address. Xian added that this shows how phishing gangs continue to find new and creative ways to steal users’ funds, so crypto users should take care not to lose their assets.
As to how the attackers compromised the user’s wallet, he explained that the victim had most likely visited a phishing website and approved the operation without paying attention.
Phishing scammers exploiting EIP-7702
This incident raises further questions about the security of the EIP-7702 account abstraction feature introduced in the Pectra upgrade a few weeks ago. Many users have adopted it since its introduction, with Wintermute Research’s Dune Analytics data showing more than 48,000 delegations.
The feature allows Ethereum users to temporarily enable smart contract wallet functionality in externally owned accounts (EOAs) by delegating control of the account to a contract address whose code they want to run.
In general, an EOA is a basic Ethereum account that lacks capabilities such as gas sponsorship, alternative authentication and transaction batching. EIP-7702 lets users gain these features while keeping the same basic account.
However, a feature intended to improve the user experience has exposed users to new risks. A significant share of authorized 7702 delegators are malicious contracts that steal users’ funds, with Dune Analytics data tagging 36.3% of 175 delegate contracts as malicious.
According to GoPlus Security, funds sent to an affected EOA are automatically redirected to the scammer’s address. This allows phishing attackers to steal funds intended for the compromised address.
Users urged to protect themselves from phishing scams
Meanwhile, the emergence of this new threat vector has led experts to call for crypto users to be more vigilant. Xian pointed out that users need to check for unusual token approvals and make sure their account is not delegated to a phishing address.
He said this can be verified by viewing the account's delegation record in a block explorer, and advised that such delegations can be cancelled using a wallet that supports EIP-7702.
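As an added illustration (not code from the article or from any of the companies quoted), the following Python decodes an account's code as an EIP-7702 delegation designator and compares the delegate against delegators the user trusts; the trusted address and the sample code values are constructed placeholders, and the RPC helper is only used if you point it at a real node.

```python
import json
import urllib.request

# EIP-7702 stores a 23-byte designator as the EOA's code: 0xef0100 || 20-byte delegate address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")


def parse_delegation(code_hex: str):
    """Return the delegate address if `code_hex` is an EIP-7702 designator, else None.

    A plain EOA has empty code ("0x"); a cleared delegation also leaves the code empty."""
    code = bytes.fromhex(code_hex[2:] if code_hex.startswith("0x") else code_hex)
    if len(code) != 23 or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[3:].hex()


def classify_delegation(code_hex: str, trusted_delegators):
    """Classify an account's code as ('none' | 'trusted' | 'untrusted', delegate)."""
    delegate = parse_delegation(code_hex)
    if delegate is None:
        return "none", None
    if delegate.lower() in {a.lower() for a in trusted_delegators}:
        # Note: a trusted delegator only means the delegate code is legitimate; a malicious
        # batched call signed by the user (as in the incident above) still drains tokens,
        # so token approvals must be reviewed separately.
        return "trusted", delegate
    return "untrusted", delegate


def fetch_code(rpc_url: str, address: str) -> str:
    """Fetch an account's code via JSON-RPC eth_getCode (requires network access)."""
    payload = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_getCode",
                          "params": [address, "latest"]}).encode()
    req = urllib.request.Request(rpc_url, data=payload,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["result"]


if __name__ == "__main__":
    TRUSTED = ["0x" + "11" * 20]  # placeholder: replace with the wallet vendor's published delegator
    samples = {  # constructed sample code values
        "plain EOA": "0x",
        "delegated to trusted delegator": "0xef0100" + "11" * 20,
        "delegated to unknown address": "0xef0100" + "22" * 20,
    }
    for label, code in samples.items():
        print(label, "->", classify_delegation(code, TRUSTED))
```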

Metamask warning for users (source: Goplus Security)
MetaMask, the leading Ethereum wallet, warns users against external links or emails asking them to upgrade their wallet to a smart contract account. The wallet's pop-up states that the genuine prompt to switch to a smart account only appears inside the wallet itself.
Web3 security company GoPlus also highlighted important safety measures, including checking approval addresses, verifying contract source code, and being cautious with contracts whose source code is not open.