
Ethereum’s recent network update added a mechanism that gives basic wallets some smart wallet capabilities. But the interwebs are in panic mode over claims that cyberthieves could use the feature to drain user funds.

At the center of the storm is Ethereum Improvement Proposal (EIP) 7702, one of nine individual add-ons bundled into the blockchain’s Pectra update in May. EIP-7702 introduces a transaction called SetCode that lets users give temporary control over their advanced smart wallet to a basic wallet owner, simply by signing a message. Security analysts have claimed that the added functionality exposes users to theft.

Should ETH holders be worried? There is a vulnerability, but like many things in crypto the full picture is nuanced.

Democratizing access

The idea is to give non-technical users access to advanced smart wallet powers, things like voting on network governance or taking part in staking without operating a validator node. Delegation can be used to earn rewards, widen participation in blockchain governance, or manage permissions in DeFi environments.

For wallet developers the feature promises to reduce friction in user onboarding. A special delegator toolkit lets dev teams streamline the wallet connection flow, making it easier for new users to get started. It also opens up possibilities like auto-recurring subscription payments and greater social coordination on purchases and crypto investments.

Sounds great, but delegation appears to have a weak link. If a cyberthief were to get hold of the enabling signature, perhaps via a keystroke logger or phishing email, they could potentially use it to overwrite the wallet’s code, adding malware that forwards calls – and incoming ETH – to a second malicious contract.
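A defender's check for the delegation described above, added here as an example and not taken from the article or from Wintermute: per the EIP-7702 specification, a delegated account's code is the 3-byte marker 0xef0100 followed by the delegate contract's 20-byte address, so the output of eth_getCode shows whether a wallet is delegated and to which contract. The addresses, the allowlist and the function names are constructed for illustration.

```python
# EIP-7702 delegation designator: 0xef0100 followed by a 20-byte address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")

# Constructed placeholder allowlist: delegate contracts the owner has reviewed.
REVIEWED_DELEGATES = {"0x" + "11" * 20}


def classify_account_code(code_hex, reviewed=REVIEWED_DELEGATES):
    """Classify an eth_getCode result; returns (status, delegate or None)."""
    raw = code_hex[2:] if code_hex[:2].lower() == "0x" else code_hex
    try:
        code = bytes.fromhex(raw)
    except ValueError:
        return ("invalid", None)
    if not code:
        return ("plain_wallet", None)  # no code: an undelegated basic wallet
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        delegate = "0x" + code[3:].hex()
        known = {a.lower() for a in reviewed}
        status = "delegated_reviewed" if delegate in known else "delegated_unreviewed"
        return (status, delegate)
    return ("contract_code", None)  # ordinary contract bytecode


def flag_for_review(code_by_account, reviewed=REVIEWED_DELEGATES):
    """Return {account: delegate} for wallets delegated to unreviewed code."""
    flagged = {}
    for account, code_hex in code_by_account.items():
        status, delegate = classify_account_code(code_hex, reviewed)
        if status == "delegated_unreviewed":
            flagged[account] = delegate
    return flagged


# Constructed sample eth_getCode responses keyed by constructed account labels.
SAMPLE_CODE = {
    "wallet_a": "0x",
    "wallet_b": "0xef0100" + "11" * 20,
    "wallet_c": "0xEF0100" + "AB" * 20,
    "contract_d": "0x6080604052",
}

if __name__ == "__main__":
    for name, code_hex in SAMPLE_CODE.items():
        print(name, classify_account_code(code_hex))
    print("needs review:", flag_for_review(SAMPLE_CODE))
```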

An analysis by digital asset firm Wintermute shows that almost all the wallet delegations currently happening post-Pectra are dodgy.

“While EIP-7702 brings new convenience, it also introduces new risks. Our Research team found that over …

Full story available on Benzinga.com