World Liberty Financial’s WLFI token began trading on September 1, 2025, but the celebration was cut short as hackers exploited a vulnerability in Ethereum’s EIP-7702 feature to drain compromised wallets of their newly acquired tokens. SlowMist founder Yu Xian was among the first to flag the attacks, noting that multiple victims reported losing WLFI holdings through a sophisticated delegation exploit that left them with nothing.
The Exploit Mechanics
The attack leverages EIP-7702, a feature introduced in Ethereum’s Pectra upgrade in May 2025. EIP-7702 was designed to simplify wallet operations by allowing externally owned accounts to temporarily act as smart contracts, enabling batch transactions and enhanced functionality. However, attackers found a devastating way to weaponize this capability.
The attack unfolds in several carefully orchestrated stages. First, hackers obtain the victim’s wallet private key, typically through phishing campaigns that have become increasingly sophisticated. Once they have access, they deploy a malicious delegate contract on the compromised address. This contract lies dormant until the user funds the account — whether by receiving WLFI tokens from the token launch or depositing ETH for gas fees. The moment funds arrive, an automated bot triggers and transfers all assets to the attacker’s address.
What makes this exploit particularly insidious is its silent nature. Victims have no idea their wallet has been compromised until they attempt to use their funds, at which point everything is already gone.
Affected Systems
The WLFI token launch created a perfect storm for this vulnerability. Participation in the World Liberty Financial presale required users to maintain whitelisted wallets — many of which had been compromised long before the September 1 trading launch. On the project’s governance forums, victims described desperate races against automated draining bots. One user managed to withdraw only 20% of their WLFI holdings before the bot swept the remaining 80%. Those tokens remain locked in compromised wallets, and users fear they will be stolen immediately upon unlocking.
The problem extends beyond WLFI itself. Bubblemaps, a blockchain analytics firm, discovered several smart contracts mimicking well-known crypto projects in the wake of the token launch, suggesting coordinated fraud campaigns capitalizing on the hype surrounding the Trump family-linked DeFi project.
The Mitigation Strategy
Yu Xian has outlined a recovery path for affected users. The recommended approach involves canceling or replacing the malicious delegate contract in the compromised wallet with a legitimate one, then immediately transferring all remaining assets to a new, clean address. However, this requires technical expertise and swift action — two things that many victims lack.
For the broader ecosystem, the incident highlights the urgent need for better security tooling around EIP-7702. Wallet providers should implement delegate contract scanning features that alert users to unauthorized delegations before they fund their accounts. Protocol teams launching tokens should consider offering migration tools for users whose whitelisted wallets may have been previously compromised.
Lessons Learned
The EIP-7702 exploit underscores a fundamental tension in blockchain development: features designed for user convenience can become attack vectors when combined with existing vulnerabilities like phishing. The Pectra upgrade’s account abstraction capabilities were meant to improve the user experience, but they also expanded the attack surface in ways that were not fully anticipated.
With Bitcoin trading above $109,000 and Ethereum near $4,314 at the time of the attack, the financial stakes of wallet security have never been higher. The crypto industry must balance innovation with security, ensuring that new features undergo rigorous threat modeling before deployment.
User Action Required
Anyone who participated in the WLFI token sale or holds funds in wallets that may have been exposed to phishing should immediately check their EIP-7702 delegation status. Tools like Revoke.cash can help identify and remove unauthorized delegations. If you suspect compromise, transfer all assets to a freshly generated wallet and ensure your private keys have not been leaked through phishing sites, clipboard malware, or fake browser extensions. The cost of caution is always lower than the cost of recovery.
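The delegation scan that the mitigation section and this checklist call for can be implemented offline from the bytecode an EOA reports. The example below is added here and is not code from the article, SlowMist or Revoke.cash: under EIP-7702 a delegated account's code is the 23-byte designator `0xef0100` followed by the delegate's 20-byte address, and clearing it is done by signing an authorization whose address is the zero address. The allowlist and sample bytecodes are constructed placeholders.

```python
# Added example (not from the article): classify an EOA's EIP-7702 delegation
# state from the raw bytes eth_getCode returns, so a wallet can warn the user
# about an unexpected delegate BEFORE the account is funded. Per the EIP, a
# delegated account's code is exactly 0xef0100 || 20-byte delegate address;
# signing an authorization to the zero address resets the code to empty.
from __future__ import annotations

DELEGATION_PREFIX = bytes.fromhex("ef0100")    # EIP-7702 delegation designator
DELEGATION_LEN = len(DELEGATION_PREFIX) + 20   # prefix + 20-byte target address


def parse_delegation(code: bytes) -> str | None:
    """Return the delegate address (lowercase hex) if `code` is a 7702
    designator, else None (empty code or ordinary contract bytecode)."""
    if len(code) != DELEGATION_LEN or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[len(DELEGATION_PREFIX):].hex()


def classify_account(code_hex: str, trusted_delegates: set[str]) -> str:
    """Map eth_getCode output to a status a wallet can surface:
    no_code             - plain EOA, nothing delegated
    delegated_trusted   - delegate is on the wallet's allowlist
    delegated_untrusted - delegation to unknown code: warn, do not fund
    contract            - regular contract bytecode, not a 7702 designator
    """
    raw = code_hex[2:] if code_hex.startswith("0x") else code_hex
    code = bytes.fromhex(raw)
    if not code:
        return "no_code"
    target = parse_delegation(code)
    if target is None:
        return "contract"
    trusted = {t.lower() for t in trusted_delegates}
    return "delegated_trusted" if target in trusted else "delegated_untrusted"


# Constructed sample values (not real addresses or audited contracts).
TRUSTED = {"0x" + "11" * 20}                  # hypothetical audited delegate
SAMPLE_CLEAN = "0x"                           # never delegated
SAMPLE_TRUSTED = "0xef0100" + "11" * 20       # delegation the user set up
SAMPLE_UNKNOWN = "0xef0100" + "ab" * 20       # delegation the user never made
SAMPLE_CONTRACT = "0x6080604052"              # ordinary contract prologue

if __name__ == "__main__":
    for name, code in [("clean", SAMPLE_CLEAN), ("trusted", SAMPLE_TRUSTED),
                       ("unknown", SAMPLE_UNKNOWN), ("contract", SAMPLE_CONTRACT)]:
        print(f"{name:9s} -> {classify_account(code, TRUSTED)}")
```

A scanner would feed the hex string from `eth_getCode(address, "latest")` into `classify_account` and block funding on `delegated_untrusted`.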
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making investment or security decisions.
whitelisted wallets being compromised before the WLFI launch and nobody caught it. the phishing was done months in advance. these are patient attackers
the phishing setup months before launch is the scary part. they knew exactly when WLFI would drop and had wallets primed
months of patient setup for a single launch day exploit. these are state-level patient operations, not random script kiddies
EIP-7702 letting delegated contracts lie dormant until funds arrive is a design flaw not a feature. should have had a timelock
The industry needs standardized security audit frameworks
Social engineering attacks are becoming more sophisticated
Olga Petrov: EIP-7702 delegation was supposed to improve UX. instead it gave attackers a silent drain mechanism that activates only when funds arrive
the worst part is the delegation looks totally normal in onchain data. no red flags until wallets start draining
eip-7702 delegated accounts are a security nightmare masquerading as UX improvement. the attack surface is enormous
the real bug is that EIP-7702 lets any compromised key delegate to arbitrary code with no cooldown. a 24 hour timelock would have killed this attack vector entirely
Bug bounties are the most cost-effective security investment
Bridge security is still the weakest link in the ecosystem
WLFI launching on pectra before anyone understood the delegation risks was irresponsible. the ethereum foundation shipped a loaded gun and told everyone to point it at themselves