Unpicking the Panic Around Ethereum’s Wallet Delegation Threat

The interwebs are buzzing with rumors of a new vulnerability in Ethereum that lets cyberthieves drain wallets with an off-chain signature.

Fears have grown that a new democratizing feature enabled by the network’s recent Pectra upgrade could give fraudsters the power to take control of smart wallets – even without an on-chain transaction to trigger access.

There’s something to it, but like many things in crypto, the full picture is more nuanced. We look at Ethereum’s new smart wallet delegation feature and weigh the benefits against the risks.

Key Takeaways

  • Ethereum’s recent Pectra network upgrade enabled a new feature called delegation.
  • It allows smart wallet users to hand over some of their wallets’ technically complex powers to others, for a short period of time.
  • Unfortunately, that also opens up the possibility of theft or wallet misuse, with at least one major loss being blamed on a malicious delegation message.
  • Cybercriminals are on the case. The vast majority of delegation requests in the weeks after Pectra’s go-live have been fraudulent.
  • Despite the worries, experts say the risk is easily avoided. Smart wallet delegation can work if you know exactly who you’re delegating to.

New Freedoms, New Risks

Ethereum’s May Pectra network update added a new mechanism that allows basic externally-owned accounts (EOAs) to behave like smart accounts for a designated period of time. But some experts have claimed that the added functionality exposes users to theft.

At the center of the controversy is Ethereum Improvement Proposal (EIP) 7702, one of nine individual EIPs wrapped together in two packages called Prague and Electra (hence ‘Pectra’). EIP-7702 introduces a transaction called SetCode that lets users give temporary control over their advanced smart wallet to a basic wallet owner, simply by signing a message.

The idea behind delegation is to give non-technical users access to powers like voting on network governance or taking part in a staking program without operating a validator node of their own. Delegation could be used to earn rewards, widen participation in blockchain governance, or manage permissions in DeFi environments.

For wallet companies, the feature creates opportunities to make user onboarding more frictionless. A special delegator toolkit lets developers streamline the wallet connection flow, making it easier for new users to get started. It also opens up possibilities like auto-recurring subscription payments and greater social coordination on purchases and crypto investments.

That all sounds great, but delegation also appears to have a weak link in the signature used to enable it. If a cyber thief were to get hold of the signature, perhaps via keystroke logger or phishing email, they could potentially use it to overwrite the wallet’s code, adding malware that forwards calls – and incoming ETH – to a second malicious contract.

How real is the threat? An analysis by digital asset firm Wintermute shows that almost all the wallet delegations currently happening post-Pectra are dodgy.

The firm said in a post on X:

“While EIP-7702 brings new convenience, it also introduces new risks. Our Research team found that over 97% of all EIP-7702 delegations were authorized to multiple contracts using the same exact code.”

Dubbed “CrimeEnjoyor” by Wintermute researchers, the malicious code acts as a sweeper that attempts to automatically redirect ETH transfers and payments away from compromised wallets. The experts said:

“New primitives like EIP-7702 expand what is possible, but without verification, labeling, and transparency tools, it becomes harder to tell infrastructure from exploitation, especially for new users. It’s funny, bleak, and fascinating all at once.”

Digging Into the Threat

Did Ethereum drop the ball on delegation? The plan was to broaden access to smart wallet functionality. Smart wallets can do a lot of things that basic wallets (called externally owned accounts or EOAs) can’t. They give users more granular control over their digital assets and offer enhanced functionality like gas fee abstraction, batch transactions, and wallet use across different blockchains.

The problem is the programmable smart contracts they depend on. These require a fair bit of technical nous to configure and use. Ethereum’s user base has been asking for a simpler way to access smart wallet benefits, and EIP-7702 appears to be a step in that direction.

Unlike EOAs that use private keys for security, smart wallets use rules and custom logic to strengthen security at the transaction level. EIP-7702’s compromise is to create a members-only backdoor, effectively letting smart wallet owners delegate some of their functionality to someone else by signing a special message.

The question is: What happens if a criminal tricks you into signing a fake delegation message?

If a cyber thief has the private key to your crypto wallet, presumably they could take control, empty it, or use it to facilitate criminal activity – at least for the length of the session you’ve granted them.

The answer came on May 24 when Web3 cyber platform Scam Sniffer found that an EIP-7702 upgraded MetaMask wallet had been drained of more than $146,550.

Further analysis by blockchain security specialists SlowMist pinned the theft on an organized crime group called Inferno Drainer. Instead of using proven approaches like hijacking the wallet address or nicking seed phrases, the group was able to leverage wallet delegation to gain access. They convinced the user to sign a delegator contract that they had already registered.

The Weakest Link Might Be You

Still, one hack does not make a crime wave. Dissenters say the concerns are overstated. While EIP-7702 could provide a new attack surface for phishing scams, it doesn’t remove the need for wallet signatures or enable unauthorized access on its own.

Assigning someone temporary superpowers over a vault where you keep sums of money sounds dangerous – and clearly can be – but only if you’ve been duped into signing off a fraudulent delegation.

That’s not a blockchain failure; it’s more akin to an insider threat. As with many cyber vulnerabilities, the weakest link might be you. That’s something wallet software developers need to react to.

Ambire and Trust Wallet, the first two wallet companies to offer delegation features under EIP-7702, have already released patches and warnings.

Meanwhile, leading wallets like Ledger haven’t enabled, publicly at least, a way to sign EIP-7702 ‘tuples,’ the single-use permission slips smart wallet owners use to delegate access to others.

But that’s starting to change. Some wallet developer kits already come with a technique called signAuthorization that generates valid delegation signatures. These can bypass the EIP-1193 API standard for interacting with dApps and sending ETH for payments. As more wallets add smart wallet functions, the use of delegation via signature will likely spread.

While the current uproar might be overheated, smart wallet delegation via EIP-7702 is a threat vector that bears watching. Just as earlier Ethereum improvements have been used for evil, more MetaMask-type incidents could happen with EIP-7702.

Wallet makers are advised to follow Ambire’s lead and ensure their user interface makes explicit what the user is delegating – and to whom.
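What such a check could look like, as an added sketch (not code from Ambire, Wintermute or any wallet vendor): it reviews an unsigned EIP-7702 authorization before the user signs, and audits an account's code for an existing delegation. It relies on two EIP-7702 rules, that a delegated account's code is `0xef0100` followed by the delegate's 20-byte address and that chain ID 0 makes an authorization valid on every chain; the allowlist, function names and all addresses are constructed for illustration.

```python
DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation designator
ZERO_ADDRESS = "0x" + "00" * 20

# Hypothetical allowlist of delegate contracts the wallet vendor has vetted.
TRUSTED_DELEGATES = {"0x" + "aa" * 20}


def parse_delegation(code_hex):
    """Return the delegate address if code_hex (an eth_getCode result)
    is an EIP-7702 designator, otherwise None."""
    raw = code_hex[2:] if code_hex.startswith("0x") else code_hex
    code = bytes.fromhex(raw)
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None  # empty code (plain EOA) or ordinary contract bytecode


def review_authorization(auth, current_chain_id, trusted=TRUSTED_DELEGATES):
    """Return notes a wallet should show before the user signs.
    auth is {"chain_id": int, "address": str, "nonce": int}."""
    delegate = auth["address"].lower()
    if delegate == ZERO_ADDRESS:
        # Authorizing the zero address removes the account's delegation.
        return ["clears any existing delegation"]
    notes = []
    if delegate not in trusted:
        notes.append(f"delegate {delegate} is not on the vetted list")
    if auth["chain_id"] == 0:
        notes.append("chain_id 0: authorization is valid on every chain")
    elif auth["chain_id"] != current_chain_id:
        notes.append(f"targets chain {auth['chain_id']}, not the connected chain")
    return notes


if __name__ == "__main__":
    # Constructed samples: a delegated account and a risky authorization.
    sample_code = "0xef0100" + "bb" * 20
    print("delegated to:", parse_delegation(sample_code))
    risky = {"chain_id": 0, "address": "0x" + "BB" * 20, "nonce": 7}
    for note in review_authorization(risky, current_chain_id=1):
        print("WARN:", note)
```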

The Bottom Line

Back in February, crypto exchange Bybit suffered a billion-dollar ETH hack, one of the biggest crypto heists in history. The theft, enabled by a technique called “blind signing,” was a stark reminder of the vulnerabilities that can arise from network improvements intended to make crypto more accessible.

Like delegation, blind signing extends the benefits of smart contracts to non-technical users, giving them the option to approve a smart contract transaction without having to unpick all the fine details.

Most crypto wallet UIs can’t display a code-heavy signing message in a format the average layman can understand. Blind signing offered a workaround and a wide-open door for cybercrime.

While criticism of EIP-7702 is probably exaggerated (there isn’t a backdoor), there is a phishing risk if the wallet software you use doesn’t clarify the identity and scope of a delegation.

Top tip: avoid signing off on Ethereum smart contract messages that consist solely of 32-byte hex strings.

Mark de Wolf
Technology Journalist

Mark is a tech journalist specializing in AI, FinTech, CleanTech, and Cybersecurity. He graduated with honors from the Ryerson School of Journalism and studied under senior editors from The New York Times, BBC, and The Globe and Mail. His work has appeared in Esports Insider, Energy Central, Autodesk Redshift, and Benzinga.
