
Account abstraction angst: how the Pectra upgrade made life easier for hackers
Disclaimer: to fully grasp the technical aspects, we recommend reading materials on account abstraction and the Pectra upgrade.
Beyond a boost to Ethereum’s price, the May Pectra upgrade brought expanded functionality and improvements to the ecosystem. Among other things, it enhanced account abstraction (AA): a new type of transaction appeared, allowing ordinary addresses to function as smart-contract wallets.
On the one hand, the changes broadened AA’s use cases and simplified the user experience; on the other, they gave hackers a way to drain victims’ wallets with a single signature. Here is how criminals are exploiting the new weaknesses—and how to protect your funds.
The nature of the problem
Concerns about account abstraction’s risks were raised even before Pectra went live on mainnet. The original component was EIP-3074, which would “delegate control over EOA to a smart contract”. The idea was dropped in favour of what seemed a safer alternative at the time, EIP-7702 from Vitalik Buterin.
EIP-3074 was criticised for handing virtually full control over a wallet to the smart contract that received delegation. This would allow attackers to empty a user’s balance with one signature.
With a traditional EOA, even after the wallet is connected to a protocol, every subsequent transaction still requires separate approval. For example, on a DEX any trading action must be signed manually. EIP-3074 removed that need via the opcodes AUTH and AUTHCALL, but accounts became more vulnerable to malicious protocols.
The rejected proposal handed control over an external address to a smart contract, whereas its replacement, EIP-7702, added smart-contract code to the EOA. The initiative introduced a new transaction type, user_operation, and provided for permission revocation and compatibility with future AA upgrades.
Even Buterin spoke of critical shortcomings, including trust and centralisation risks:
“It seems that any proposal that aims to use EIP-3074 via ‘privilege de-escalation’ (also known as additional keys) will face a similar problem.”
He was right: moving code to the account level did not stop phishing attacks; if anything, it made them easier.
Real-world cases
Smart accounts allow complex actions within a single transaction, support spend limits, autopayments and paying gas in a native token instead of ETH. But what if hackers create a protocol that simply sends all your funds to their wallet—and all it takes is one signature?
According to a Dune dashboard by Wintermute, since Pectra activated on May 7, delegations of EOAs to smart contracts have exceeded 140,000. Among known platforms, WhiteBIT, OKX Wallet and MetaMask lead by authorisations.
The total number of smart contracts with delegation capability is 218.
On May 20, analysts at GoPlus Security recorded one of the first AA phishing incidents. They analysed a suspicious smart contract and found that upon signing it instantly executed a function to auto-transfer assets from the victim’s wallet to the attackers’ address.
1/ On-chain data from https://t.co/yEVDjpXZOL shows 10K+ addresses using smart accounts. Below are the top 10 most-authorized 7702 Delegators:
— GoPlus Security (@GoPlusSecurity) May 20, 2025
On-chain data show the smart contract received about 300 authorisations.
“A sophisticated theft mechanism. This complex attack leverages users’ trust in the new EIP-7702,” GoPlus noted.
The Wintermute dashboard also categorises delegator contracts. At present, about 72.8% are “crimes”. The second-largest category (15%) relates to retail wallets, and the third (9%) to “services”.
On May 24, ScamSniffer reported an AA-phishing victim who lost about $146,000 in cryptocurrencies due to “malicious batch transactions”.
Meanwhile, a Web3 researcher found that the AngelFerno hacking group had added EIP-7702 support to a drainer it sells. The malware can simultaneously withdraw up to ten different coins with one signature on Ethereum, BNB Chain and Gnosis.
AngelFerno keeping up with the latest #EIP7702 developments
Teams like @MetaMask have already taken steps to protect you. Great explanations by @Kerberus @0xOhm_eth and others
What does this mean?
Summary:
A drainer update has been released adding Pectra (EIP-7702)…
— 0xSaiyangod (@saiyangod0x) May 10, 2025
Self-defence tips
There are no universal ways to counter attackers when moving to a smart wallet—just as with traditional blockchain phishing. Still, cybersecurity experts agree on one thing: vigilance helps.
Possible recommendations:
- authorise delegation only via official websites and plug-ins;
- do not follow suspicious links and do not trust emails that demand a signature to connect to a smart account;
- at the slightest suspicion, analyse the contract code yourself;
- be vigilant when interacting with closed-source contracts;
- double-check the authorisation address and do not rush to sign transactions.
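The mechanism described in "The nature of the problem" (EIP-7702 attaches code to an EOA, so the account's on-chain code becomes a pointer to a delegate contract) and the advice above to double-check the authorisation address can both be turned into a concrete check. The script below is an added example and is not code from the article, ForkLog, GoPlus or Wintermute. It classifies the code string a node returns for an address via eth_getCode, extracts the delegate address when the account carries an EIP-7702 delegation designator (the 3-byte prefix 0xef0100 followed by a 20-byte address), and vets a proposed authorisation target against a user-maintained allowlist. The addresses, code strings and allowlist entries are constructed placeholders, not real delegators.

```python
# Added example; not code from the article or any project it mentions.
# Under EIP-7702 a delegated EOA's code is exactly 23 bytes: the designator 0xef0100
# followed by the 20-byte address of the delegate contract. Authorising the zero
# address removes the delegation. All sample data below is constructed.

from dataclasses import dataclass
from typing import Optional

DELEGATION_PREFIX = bytes.fromhex("ef0100")   # EIP-7702 delegation designator
DELEGATION_CODE_LEN = len(DELEGATION_PREFIX) + 20
ZERO_ADDRESS = "0x" + "00" * 20               # authorising this clears the delegation


@dataclass(frozen=True)
class CodeReport:
    kind: str                  # "eoa" | "delegated_eoa" | "contract" | "invalid"
    delegate: Optional[str]    # lowercase 0x-address when kind == "delegated_eoa"


def classify_code(code_hex: str) -> CodeReport:
    """Classify the hex string eth_getCode returns for an address."""
    code = bytes.fromhex(code_hex[2:] if code_hex.startswith("0x") else code_hex)
    if not code:
        return CodeReport("eoa", None)          # plain EOA, nothing delegated
    if len(code) == DELEGATION_CODE_LEN and code.startswith(DELEGATION_PREFIX):
        return CodeReport("delegated_eoa", "0x" + code[len(DELEGATION_PREFIX):].hex())
    if code[0] == 0xEF:
        # EIP-3541 forbids deploying code that starts with 0xEF, so any other
        # 0xEF-prefixed code is malformed and worth treating as suspicious.
        return CodeReport("invalid", None)
    return CodeReport("contract", None)         # ordinary smart contract


def check_authorization_target(target: str, allowlist: frozenset) -> str:
    """Vet the `address` field of an EIP-7702 authorisation before signing it.

    Returns "clears_delegation" for the zero address, "known_delegate" for an
    allowlisted contract, otherwise "unknown_delegate" (do not sign blindly).
    """
    target = target.lower()
    if target == ZERO_ADDRESS:
        return "clears_delegation"
    return "known_delegate" if target in allowlist else "unknown_delegate"


# Constructed placeholders, not real on-chain addresses
TRUSTED_DELEGATE = "0x" + "11" * 20           # stand-in for an audited wallet-vendor delegator
UNKNOWN_DELEGATE = "0x" + "ee" * 20           # stand-in for a contract the user never vetted
ALLOWLIST = frozenset({TRUSTED_DELEGATE})

SAMPLE_CODES = {
    "plain_eoa": "0x",
    "delegated_trusted": "0xef0100" + "11" * 20,
    "delegated_unknown": "0xef0100" + "ee" * 20,
    "malformed": "0xef01",
    "contract": "0x6080604052",                # typical start of compiled contract code
}


def audit(code_hex: str, allowlist: frozenset = ALLOWLIST) -> str:
    """Single verdict string suitable for a wallet-style warning."""
    report = classify_code(code_hex)
    if report.kind != "delegated_eoa":
        return report.kind
    return f"delegated_eoa:{check_authorization_target(report.delegate, allowlist)}"


if __name__ == "__main__":
    for name, code in SAMPLE_CODES.items():
        print(f"{name:18} -> {audit(code)}")
```

In practice the allowlist would hold the delegator contracts published by the wallet you actually use; a "delegated_eoa:unknown_delegate" verdict on your own address is the signal that something you signed pointed your account at code you never vetted.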
GoPlus Security also noted that leading wallets such as MetaMask have already added risk warnings for EIP-7702. When interacting with a suspicious protocol, the app will display a corresponding notice.
Conclusion
As users adopt enhanced wallet functions, attackers have spotted new ways to profit. That does not mean EIP-7702 is a failure—its strengths remain, not least a simplified UX.
Interacting with blockchains has always come with personal responsibility for safeguarding assets, but account abstraction demands more vigilance than ever. Keep the risks and basic cybersecurity rules in mind if you plan to turn your wallet into a smart contract.