The Double-Edged Sword of Account Abstraction: Pectra Upgrade Paves the Way for Hackers

Disclaimer: For a comprehensive understanding of the technological aspects discussed in this article, the editorial team recommends reading the materials on our site related to account abstraction and the Pectra upgrade.

The Pectra upgrade in May not only influenced the Ethereum price but also brought expanded functionality and improvements to the ecosystem. Notably, it advanced account abstraction (AA) technology by introducing a new transaction type that allows regular addresses to operate similarly to smart contract wallets.

On one hand, these innovations have broadened the scope of AA applications and simplified the user experience; on the other, they have given hackers the means to drain a victim's wallet with a single signature. In this article, we look at the new vulnerabilities criminals are exploiting and how to secure your assets.

Experts had raised concerns about the heightened risks of account abstraction even before Pectra was activated on mainnet. The upgrade's initial component was EIP-3074, which aimed to “delegate control over EOA to a smart contract.” That proposal was shelved in favor of a seemingly safer alternative, EIP-7702, suggested by Vitalik Buterin.

Criticism of EIP-3074 stemmed from the fact that it effectively handed total control of a wallet to the delegated smart contract, enabling an attacker to drain a user's balance with a single signature.

Traditional EOA wallets require users to approve each transaction after connecting to a protocol. For instance, on a DEX, every trading action necessitates manual signing. EIP-3074 removed this need with opcodes like AUTH and AUTHCALL, but made accounts more susceptible to malicious protocols.

The rejected proposal would have delegated control of the external address to a smart contract, whereas its successor, EIP-7702, places the smart contract code into the EOA itself. This initiative introduced a new transaction type called user_operation, allowed permissions to be revoked, and ensured compatibility with future AA updates.

Nonetheless, even Buterin acknowledged the critical flaws in the technology, which include risks related to trust and centralization:

“It seems any proposal suggesting the use of EIP-3074 through ‘privilege escalation’ (also known as extra keys) will face similar issues.”

He was correct: moving code to the account level did not halt phishing attacks; in fact, it arguably made them easier in some respects.

The capabilities of smart accounts allow users to execute complex actions within a single transaction, supporting spending limits, autopayments, and gas payments in native tokens instead of ETH. But what if hackers design a protocol that simply transfers all your funds to their wallet? This could be achieved with just one signature.

According to a Wintermute dashboard on Dune, since Pectra was activated on May 7 the number of EOA delegations to smart contracts has surpassed 140,000, with the most authorizations going to well-known platforms such as WhiteBIT, OKX Wallet, and MetaMask.

The total number of smart contracts created with delegation capabilities stands at 218.

On May 20, GoPlus Security analysts reported one of the first phishing incidents involving AA. Their examination of a suspicious smart contract revealed that signing it would immediately trigger an automatic transfer of assets from the victim's wallet to the attacker's address.

On-chain data showed that the smart contract received approximately 300 authorizations.

“This sophisticated theft mechanism utilizes users’ trust in the new EIP-7702,” stated GoPlus.

The Wintermute dashboard also categorizes contracts for delegation; currently, about 72.8% fall into the “criminal” category. The second-largest category (15%) relates to retail wallets, while the third (9%) pertains to “services.”

On May 24, ScamSniffer analysts disclosed a victim of AA phishing who lost around $146,000 in cryptocurrencies to “malicious batch transactions.”

At the same time, a Web3 researcher found that the hacking group AngelFerno had integrated EIP-7702 functionality into a drainer product. This malware allows up to 10 different coins to be transferred simultaneously with one signature across the Ethereum, BNB Chain, and Gnosis networks.

As with traditional blockchain phishing, there is currently no universal method of countering malicious actors once a wallet is converted to a smart account. However, all cybersecurity experts agree that vigilance is key.

Possible recommendations include:

GoPlus Security noted that leading wallets like MetaMask have already implemented warnings about risks associated with EIP-7702. When interacting with suspicious protocols, the application will display the relevant alerts.
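The single-signature drain described earlier works because, under EIP-7702, a signed authorization turns the EOA's code into a pointer to whatever contract the authorization names; the wallet warnings mentioned by GoPlus are the defender's counterpart. The following is an added example, not code from the article, from GoPlus, or from any wallet, showing the two checks a wallet or a cautious user can perform: decode an account's on-chain code to see whether it is a 7702 delegation and to which address, and inspect the fields of an authorization before signing it. The trusted-delegate allowlist and all addresses are constructed placeholders.

```python
"""Wallet-side checks for EIP-7702 delegations (added example, not from the article)."""
from dataclasses import dataclass
from typing import List, Optional, Set

# EIP-7702 delegation designator: once an authorization is applied, the EOA's
# code is exactly 0xef0100 followed by the 20-byte delegate address (23 bytes).
DELEGATION_PREFIX = bytes.fromhex("ef0100")
ZERO_ADDRESS = "0x" + "00" * 20  # delegating to address(0) clears the delegation


def parse_delegation(code: bytes) -> Optional[str]:
    """Return the delegate address if `code` is a 7702 designator, else None.

    A plain EOA has empty code and an ordinary contract has arbitrary bytecode;
    only the exact 23-byte 0xef0100||address form counts as a delegation.
    """
    if len(code) != 23 or code[:3] != DELEGATION_PREFIX:
        return None
    return "0x" + code[3:].hex()


def account_status(code: bytes, trusted_delegates: Set[str]) -> str:
    """Classify an account from its code (what eth_getCode would return)."""
    delegate = parse_delegation(code)
    if delegate is None:
        return "plain EOA" if len(code) == 0 else "contract"
    if delegate.lower() in {a.lower() for a in trusted_delegates}:
        return f"delegated to trusted {delegate}"
    return f"delegated to UNKNOWN {delegate}"


@dataclass(frozen=True)
class Authorization:
    """The fields a user signs in a 7702 authorization tuple
    (the y_parity / r / s signature parts are omitted here)."""
    chain_id: int
    address: str  # delegate contract the EOA will point to
    nonce: int    # nonce the authorization is bound to


def assess_authorization(auth: Authorization, trusted_delegates: Set[str],
                         current_chain_id: int) -> List[str]:
    """Return the warnings a wallet should show before the user signs `auth`.

    An empty list means nothing suspicious was found; it is not proof of safety.
    """
    target = auth.address.lower()
    if target == ZERO_ADDRESS:
        return []  # revocation: resets the account to a plain EOA
    warnings: List[str] = []
    if target not in {a.lower() for a in trusted_delegates}:
        warnings.append(f"delegate {auth.address} is not a known wallet implementation")
    if auth.chain_id == 0:
        # Per EIP-7702, chain_id 0 makes the authorization valid on every chain.
        warnings.append("chain_id 0: this authorization is valid on every chain")
    elif auth.chain_id != current_chain_id:
        warnings.append(f"authorization targets chain {auth.chain_id}, not the current chain")
    return warnings


# Constructed sample data: placeholder addresses, not real deployments.
TRUSTED = {"0x" + "11" * 20}   # hypothetical audited wallet implementation
UNKNOWN = "0x" + "de" * 20     # hypothetical unrecognised delegate


if __name__ == "__main__":
    code = bytes.fromhex("ef0100" + "de" * 20)
    print(account_status(code, TRUSTED))
    auth = Authorization(chain_id=0, address=UNKNOWN, nonce=7)
    for w in assess_authorization(auth, TRUSTED, current_chain_id=1):
        print("WARNING:", w)
```

Checking the delegate address against a list of known wallet implementations is the same idea as the in-app alerts described above: the user is shown where the EOA will point before the signature exists, and an authorization naming address(0) is recognised as a revocation rather than a new delegation.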

As users increasingly move to the extended functionality of smart wallets, malicious actors are finding new ways to profit. This does not mean that EIP-7702 is a failure; the innovation still has strong points and benefits, such as an improved user experience.

Engaging with blockchain has always been closely linked to personal responsibility for safeguarding one’s assets, but account abstraction demands even greater attentiveness than before. Be mindful of the risks and fundamental cybersecurity principles if you choose to convert your wallet into a smart contract.