
EIP-7702 Phishing Attack Drains $1.54 Million as Ethereum Pectra Feature Faces Exploitation

A sophisticated phishing campaign exploiting Ethereum’s newly introduced EIP-7702 feature has resulted in the loss of at least $1.54 million from a single victim, highlighting the unintended security consequences of the network’s latest protocol upgrade. The incident, first flagged by anti-fraud service Scam Sniffer on May 30, 2025, adds to a growing list of exploits targeting the EIP-7702 delegation mechanism that was activated as part of the Pectra upgrade earlier in the month.

The Exploit Mechanics

EIP-7702, co-authored by Vitalik Buterin, was designed to improve wallet functionality by letting an Externally Owned Account (EOA) run smart-contract code. The account owner signs an authorization naming a contract, and the account's on-chain code becomes a pointer to that contract. The delegation is not a one-off: it stays in place until the owner signs a new authorization that replaces or clears it. Delegated code runs with the EOA's own identity and balances, which is what enables batching several operations into a single transaction and sponsoring gas for other accounts. That same power is what attackers now abuse: they build fraudulent DeFi front ends that mimic platforms such as Uniswap and feed the victim's wallet a malicious authorization or a malicious batch.

When victims interact with these counterfeit interfaces, they are prompted to sign what appears to be a routine swap. In reality, the signed batch also carries ERC-20 approve and NFT setApprovalForAll calls whose spender is an attacker address. A single signature covers every call in the batch, so the wallet never shows a separate per-token approval prompt. Once the transaction lands, the attacker can drain the approved tokens and NFTs almost immediately. The most recent victim lost a combined $1.54 million after approving EIP-7702 phishing batch transactions, with portions of the stolen funds subsequently bridged to Ethereum Mainnet via Relay Protocol.
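The kind of check a wallet could run over such a batch before asking for a signature, written here as an added example that is not code from the article or from any wallet vendor. It decodes only the standard ERC-20/721/1155 selectors, flags unlimited allowances and operator approvals, and ignores revocations; the router, token and attacker addresses in the sample batch are constructed placeholders:

```python
"""Screen an EIP-7702 batch of calls for approval or transfer operations."""
from dataclasses import dataclass

# First 4 bytes of keccak256(signature): the standard token selectors and their arg counts.
SELECTORS = {
    "095ea7b3": ("approve(address,uint256)", 2),               # ERC-20
    "a22cb465": ("setApprovalForAll(address,bool)", 2),        # ERC-721 / ERC-1155
    "a9059cbb": ("transfer(address,uint256)", 2),              # ERC-20
    "23b872dd": ("transferFrom(address,address,uint256)", 3),  # ERC-20 / ERC-721
}
UINT256_MAX = 2**256 - 1


@dataclass
class Call:
    to: str       # contract the call targets
    value: int    # ETH attached, in wei
    data: bytes   # ABI-encoded calldata


@dataclass
class Finding:
    index: int         # position in the batch
    to: str
    function: str
    counterparty: str  # spender, operator or recipient
    note: str


def encode_call(selector_hex: str, *args) -> bytes:
    """Minimal ABI encoder for static args: address as hex string, bool, or uint."""
    out = bytes.fromhex(selector_hex)
    for a in args:
        if isinstance(a, str):                      # address, left-padded to 32 bytes
            out += bytes.fromhex(a[2:].lower().rjust(64, "0"))
        else:                                       # bool or int
            out += int(a).to_bytes(32, "big")
    return out


def _word(data: bytes, i: int) -> bytes:
    return data[4 + 32 * i: 4 + 32 * (i + 1)]


def _addr(word: bytes) -> str:
    return "0x" + word[-20:].hex()


def screen_batch(calls, trusted=frozenset()):
    """Return a Finding for every call that grants or moves tokens.

    Calls with unknown selectors pass through; a wallet would simulate those.
    Calls whose counterparty is in `trusted` (e.g. the real router) are skipped.
    """
    trusted = {t.lower() for t in trusted}
    findings = []
    for i, c in enumerate(calls):
        entry = SELECTORS.get(c.data[:4].hex())
        if entry is None:
            continue
        fn, nargs = entry
        if len(c.data) < 4 + 32 * nargs:
            findings.append(Finding(i, c.to, fn, "?", "malformed calldata (truncated args)"))
            continue
        if fn.startswith("approve"):
            who = _addr(_word(c.data, 0))
            amount = int.from_bytes(_word(c.data, 1), "big")
            note = "UNLIMITED ERC-20 allowance" if amount == UINT256_MAX else f"ERC-20 allowance of {amount}"
        elif fn.startswith("setApprovalForAll"):
            who = _addr(_word(c.data, 0))
            if int.from_bytes(_word(c.data, 1), "big") == 0:
                continue  # approved=false is a revocation, not a grant
            note = "operator approval for EVERY token in the collection"
        elif fn.startswith("transferFrom"):
            who = _addr(_word(c.data, 1))
            note = f"moves id/amount {int.from_bytes(_word(c.data, 2), 'big')} to {who}"
        else:  # transfer
            who = _addr(_word(c.data, 0))
            note = f"sends {int.from_bytes(_word(c.data, 1), 'big')} tokens to {who}"
        if who.lower() in trusted:
            continue
        findings.append(Finding(i, c.to, fn, who, note))
    return findings


# Constructed sample: what a fake "swap" batch from a phishing front end could contain.
ROUTER = "0x" + "11" * 20    # assumed: the real swap router the victim expects
ATTACKER = "0x" + "42" * 20  # constructed attacker address
USDC = "0x" + "a0" * 20      # constructed token address
NFT = "0x" + "b0" * 20       # constructed NFT collection

SAMPLE_BATCH = [
    Call(ROUTER, 0, bytes.fromhex("deadbeef") + b"\x00" * 64),   # opaque "swap" call
    Call(USDC, 0, encode_call("095ea7b3", ATTACKER, UINT256_MAX)),  # hidden unlimited approve
    Call(NFT, 0, encode_call("a22cb465", ATTACKER, True)),          # hidden operator approval
]

if __name__ == "__main__":
    for f in screen_batch(SAMPLE_BATCH, trusted={ROUTER}):
        print(f"call #{f.index} -> {f.to}: {f.function}: {f.note} (counterparty {f.counterparty})")
```

Run as-is it reports the two hidden calls and stays silent on the opaque swap; a real wallet would pair this with simulation for the calls it cannot decode.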

Market maker Wintermute published findings on May 30 showing that over 97 percent of all EIP-7702 delegations pointed at contracts with identical, copy-pasted code. These contracts, which Wintermute nicknamed "CrimeEnjoyors", are a different abuse from the phishing batches above: they are sweeper contracts that attackers install on EOAs whose private keys they already control, so that any ETH later deposited to a compromised address is forwarded to an attacker-controlled wallet automatically. Because the delegation is a single valid authorization signed with the stolen key, the affected accounts look like any other delegated EOA on an explorer.

Affected Systems

The scope of the EIP-7702 exploitation extends beyond a single incident. Scam Sniffer confirmed at least three separate victims during May 2025 alone. Two days before the $1.54 million theft, another investor lost approximately $1 million in tokens and NFTs after signing phishing batch transactions disguised as Uniswap swaps. Earlier in the month, an EIP-7702 upgraded address was drained of $66,000 by the same attack group using an identical exploit methodology.

On May 24, blockchain security firm SlowMist reported that a user lost roughly $150,000 in Ether to a phishing attack that used a malicious contract through EIP-7702 delegation. The dollar figures in these reports reflect prices at the time: ETH traded at approximately $2,530 and Bitcoin near $104,000 on May 30.

The Mitigation Strategy

Security researchers have outlined several defensive measures for users of EIP-7702-enabled wallets. SlowMist recommends cautious transaction signing, verification of any contract an authorization delegates to, and avoidance of suspicious decentralized applications. The firm stresses that users must understand every call in a batch before signing it: a delegation hands the named contract the full authority of the account, and a batch hides any number of approvals behind one confirmation, which makes it easier for malicious operations to sit alongside legitimate ones.

Wallet providers are also being urged to add clear warnings during the delegation step, alerting users before they authorize a delegate contract or sign a batch that contains approvals. The Ethereum Foundation, which launched its "Trillion Dollar Security" initiative on May 14, has yet to issue specific guidance addressing this EIP-7702 phishing pattern.

Lessons Learned

The EIP-7702 exploits underscore a fundamental tension in blockchain development: the trade-off between functionality and security. While the Pectra upgrade’s batch transaction capability offers genuine improvements to user experience, it simultaneously creates a new attack surface that malicious actors have proven adept at exploiting. The speed at which attackers weaponized this feature — within weeks of its activation — demonstrates the sophistication of the current threat landscape.

For the broader Ethereum ecosystem, these incidents show that a protocol change can shift risk without containing a bug: nothing here bypasses EIP-7702's rules, and every loss began with a signature the victim provided. What changed is the reach of one signature. As EOAs gain smart-contract capabilities through EIP-7702, the security assumptions users have relied on for years must be reevaluated, and security review has to cover wallet signing flows as thoroughly as the protocol change itself. What was once a key-management problem is now also a contract-interaction problem.

User Action Required

Anyone who has used EIP-7702 delegation should immediately audit their account's delegation: look the address up on a block explorer and check whether its code is a delegation designator (the bytes 0xef0100 followed by a 20-byte contract address) and whether that contract is the one their wallet vendor publishes. A delegation to an unrecognized contract should be revoked by signing a new authorization to the zero address, which clears the account's code. Note that ERC-20 and NFT approvals granted in a phishing batch are separate from the delegation and must be revoked on each token contract. Beyond that, avoid signing batch transactions from unverified sources and consider a hardware wallet for high-value transactions. The safest approach is to use only trusted applications and verify every permission granted in each transaction, batched or otherwise.
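An added example, not code from the article, Scam Sniffer or SlowMist, of the two checks above: parsing eth_getCode output for the EIP-7702 delegation designator and building the payload an account signs to clear it. The account addresses, the "known good" delegate and the code bytes are constructed; hashing and signing (keccak256 plus secp256k1) are left to the wallet because they are not in the Python standard library:

```python
"""Audit EIP-7702 delegations from eth_getCode output and build the revocation payload."""

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation designator prefix
MAGIC = b"\x05"                              # domain separator for authorization signatures
ZERO_ADDRESS = bytes(20)                     # delegating to 0x0 clears the account's code


def parse_delegation(code: bytes):
    """Return the delegate address if `code` is a delegation designator, else None.

    A delegated EOA's code is exactly 0xef0100 || 20-byte address (23 bytes).
    Anything else is an ordinary EOA (empty code) or a normal contract.
    """
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None


def audit_delegations(code_by_account: dict, allowlist: set) -> list:
    """Classify each account as 'none', 'contract', 'known' or 'UNKNOWN' (review/revoke)."""
    allow = {a.lower() for a in allowlist}
    report = []
    for account, code in code_by_account.items():
        delegate = parse_delegation(code)
        if delegate is None:
            status = "none" if code == b"" else "contract"
        elif delegate.lower() in allow:
            status = "known"
        else:
            status = "UNKNOWN"
        report.append((account, delegate, status))
    return report


# Minimal RLP encoder, enough for the [chain_id, address, nonce] authorization tuple.
def _rlp_bytes(b: bytes) -> bytes:
    if len(b) == 1 and b[0] < 0x80:
        return b
    assert len(b) < 56, "long-string form not needed here"
    return bytes([0x80 + len(b)]) + b


def _rlp_uint(n: int) -> bytes:
    # Integers are big-endian with no leading zeros; zero encodes as the empty string.
    return _rlp_bytes(b"" if n == 0 else n.to_bytes((n.bit_length() + 7) // 8, "big"))


def _rlp_list(items) -> bytes:
    payload = b"".join(items)
    assert len(payload) < 56, "long-list form not needed here"
    return bytes([0xC0 + len(payload)]) + payload


def revocation_signing_payload(chain_id: int, nonce: int, address: bytes = ZERO_ADDRESS) -> bytes:
    """Bytes whose keccak256 the account signs to (re)delegate; address 0 clears the code.

    chain_id 0 means the authorization is valid on any chain. `nonce` must equal the
    account's nonce when the type-4 (set-code) transaction is processed, or one higher
    if the account also sends that transaction itself.
    """
    return MAGIC + _rlp_list([_rlp_uint(chain_id), _rlp_bytes(address), _rlp_uint(nonce)])


# Constructed sample: three accounts as eth_getCode would return them.
KNOWN_IMPL = "0x" + "aa" * 20  # assumed: the wallet vendor's published delegate contract
SAMPLE_CODES = {
    "0x" + "01" * 20: b"",                                  # plain EOA
    "0x" + "02" * 20: bytes.fromhex("ef0100" + "aa" * 20),  # delegated to the known contract
    "0x" + "03" * 20: bytes.fromhex("ef0100" + "cc" * 20),  # delegated to something else
}

if __name__ == "__main__":
    for account, delegate, status in audit_delegations(SAMPLE_CODES, {KNOWN_IMPL}):
        print(f"{account}: delegate={delegate} status={status}")
    print("revocation payload:", revocation_signing_payload(chain_id=1, nonce=5).hex())
```

The revocation payload is only the pre-image; the wallet hashes it with keccak256, signs it, and places the tuple in the authorization_list of a type-4 transaction, which any account can send on the victim's behalf.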

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any investment decisions.


13 thoughts on “EIP-7702 Phishing Attack Drains $1.54 Million as Ethereum Pectra Feature Faces Exploitation”

  1. Vitalik co-authored the EIP and users still got phished for $1.54M. the gap between protocol design and UX reality is the real vulnerability

    1. blind_sign_rick

      cold_wallet_ken Vitalik wrote the EIP for better UX and the first real world use was a $1.54M drain. Sad but predictable.

  2. This is exactly what some of us warned about when EIP-7702 was proposed. Giving EOAs smart contract capabilities temporarily is cool for UX, but it opens up a massive attack surface for sophisticated phishing. Users just blindly sign transactions without understanding the implications. We need better wallet-level warnings before this rolls out wider.

    1. you can warn all you want, people will still blindly sign. need simulation previews in wallets by default, not optional

      1. moonraker_ Rabby wallet does transaction simulation for free and people still skip past the warnings. You can't fix users who click through 3 confirmation screens.

        1. spec_gas Rabby simulates for free and people still skip the warning. You genuinely cannot fix users who want to click fast.

  3. Man, seeing $1.54M drained like this is rough, but I still think the Pectra upgrade is a huge step forward for Ethereum. Account abstraction is the only way we get mass adoption. The tooling just needs to catch up so these phishing scams can’t easily trick people into delegating their accounts to malicious contracts.

  4. Another day, another million-dollar exploit on ETH lol. I swear every time they try to make things ‘easier’ for users, it just gives scammers new ways to drain wallets. Stay safe out there and stop signing random sketchy links on Twitter!

    1. This isn't about making things easier, it's about enabling batch txs and gas sponsorship. The attack vector is real but the solution isn't to stop shipping features, it's better simulation in wallets.

  5. Sarah Jenkins

    It’s unfortunate to see early exploits of EIP-7702 features, but this is the painful part of pushing boundaries on mainnet. The flexibility of batching operations and sponsoring gas is incredible. Wallet providers will definitely learn from this incident and improve their transaction simulation UIs. Short term pain for long term gain.

    1. "Short term pain for long term gain" is easy to say when it's not your $1.54M. The UX has to get better before mass adoption, period.

      1. katya is right. $1.54M gone because the delegation UI looked like a normal approve tx. Account abstraction is useless if the average user can't tell a malicious delegation from a legitimate one.

        1. calldata_inspect

          chain_saw_ The delegation tx looked identical to a normal approve. No wallet flags it because technically it's a valid EIP-7702 call.
