{"id":24373,"date":"2025-05-29T17:30:00","date_gmt":"2025-05-29T14:30:00","guid":{"rendered":"https:\/\/forklog.com\/en\/account-abstraction-angst-how-the-pectra-upgrade-made-life-easier-for-hackers\/"},"modified":"2025-05-29T17:30:00","modified_gmt":"2025-05-29T14:30:00","slug":"account-abstraction-angst-how-the-pectra-upgrade-made-life-easier-for-hackers","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/account-abstraction-angst-how-the-pectra-upgrade-made-life-easier-for-hackers\/","title":{"rendered":"Account abstraction angst: how the Pectra upgrade made life easier for hackers"},"content":{"rendered":"
\n

Disclaimer:<\/strong> to fully grasp the technical aspects, we recommend reading materials on <\/em>account abstraction<\/em> and <\/em>the Pectra upgrade<\/em><\/a>.\u00a0<\/em><\/p>\n<\/div>\n

Beyond a boost to Ethereum\u2019s price, the May Pectra upgrade brought expanded functionality and improvements to the ecosystem. Among other things, it enhanced account abstraction (AA): a new type of transaction appeared, allowing ordinary addresses to function as smart-contract wallets.\u00a0<\/p>\n

On the one hand, the changes broadened AA\u2019s use cases and simplified the user experience; on the other, they gave hackers a way to drain victims\u2019 wallets with a single signature. Here is how criminals are exploiting the new weaknesses\u2014and how to protect your funds.\u00a0<\/p>\n

The nature of the problem<\/h2>\n

Concerns about account abstraction\u2019s risks were raised<\/a> even before Pectra went live on mainnet. The original component was EIP-3074<\/a>, which would \u201cdelegate control over EOA<\/span> to a smart contract\u201d. The idea was dropped in favour of what seemed a safer alternative at the time, EIP-7702<\/a> from Vitalik Buterin.\u00a0<\/p>\n

EIP-3074 was criticised for handing virtually full control over a wallet to the smart contract that received delegation. This would allow attackers to empty a user\u2019s balance with one signature.\u00a0<\/p>\n

Traditional EOAs, once a wallet is connected to a protocol, require approval for every subsequent transaction. For example, on a DEX any trading action must be signed manually. EIP-3074 removed that need via the opcodes AUTH<\/span> and AUTHCALL<\/span>, but accounts became more vulnerable to malicious protocols.\u00a0<\/p>\n

The rejected proposal handed control over an external address to a smart contract, whereas its replacement, EIP-7702, added smart-contract code to the EO\u200b<\/span>A. The initiative introduced a new transaction type, user_operation, and provided for permission revocation and compatibility with future AA upgrades.<\/p>\n

Even Buterin spoke of critical shortcomings, including trust and centralisation risks:<\/p>\n

\n

\u201cIt seems that any proposal that aims to use EIP-3074 via \u2018privilege de-escalation\u2019 (also known as additional keys) will face a similar problem.\u201d<\/em><\/p>\n<\/blockquote>\n

He was right: moving code to the account level did not stop phishing attacks; if anything, it made them easier.\u00a0<\/p>\n

Real-world cases\u00a0<\/h2>\n

Smart accounts allow complex actions within a single transaction, support spend limits, autopayments and paying gas in a native token instead of ETH. But what if hackers create a protocol that simply sends all your funds to their wallet\u2014and all it takes is one signature?\u00a0<\/p>\n

According to a Dune<\/a> dashboard by Wintermute, since Pectra activated on May 7, delegations of EOAs to smart contracts have exceeded 140,000. Among known platforms, WhiteBIT, OKX Wallet and MetaMask lead by authorisations.\u00a0<\/p>\n

\"Account
Source: Dune.\u00a0<\/figcaption><\/figure>\n

The total number of smart contracts with delegation capability is 218.\u00a0<\/p>\n

On May 20, analysts at GoPlus Security recorded one of the first AA phishing incidents. They analysed a suspicious smart contract and found that upon signing it instantly executed a function to auto-transfer assets from the victim\u2019s wallet to the attackers\u2019 address.<\/p>\n

\n

1\/
On-chain data from https:\/\/t.co\/yEVDjpXZOL<\/a> shows 10K+ addresses using smart accounts. Below are the top 10 most-authorized 7702 Delegators: pic.twitter.com\/akUzi7lPLo<\/a><\/p>\n

\u2014 GoPlus Security ? (@GoPlusSecurity) May 20, 2025<\/a><\/p><\/blockquote>\n