Ethereum Pectra upgrade opens wallets to $2.1 million offchain attack

Ethereum’s (CRYPTO:ETH) Pectra upgrade, activated on May 7, introduced new features aimed at enhancing scalability and smart account functionality but also created a critical security vulnerability.

At the center of this risk is EIP-7702, which allows users to delegate control of their wallets by signing an offchain message, known as the SetCode transaction (type 0x04).

Security auditor Arda Usman confirmed that attackers can exploit this feature to drain funds from externally owned accounts (EOAs) using only an offchain signed message, without the user signing any onchain transaction.

If an attacker obtains the user’s signature, for example through phishing, they can overwrite the wallet’s code with a proxy contract that forwards calls to malicious contracts.

“This lets the attacker transfer out the account’s ETH or tokens—all without the user ever signing a normal transfer transaction,” Usman explained.

Onchain researcher Yehor Rudytsia noted that this upgrade effectively turns wallets into programmable smart contracts, allowing arbitrary code to be installed with a simple offchain signature.

Before Pectra, modifying wallets required a signed onchain transaction by the user.

Now, any operation can be executed from the delegated contract approved via the SetCode transaction.

Wallets and interfaces that do not support or properly display this new transaction type are particularly vulnerable.

Rudytsia warned that wallets must analyse Ethereum’s transaction types carefully and clearly warn users of delegation requests.

Hardware wallets are no longer inherently safer, as they face the same risks if users sign malicious messages unknowingly.

Users are urged to avoid signing messages they do not fully understand and to verify delegation requests carefully.

EIP-7702 signatures may appear as simple 32-byte hashes and can bypass standard wallet warnings, increasing the risk of exploitation.

Additionally, signatures with chain_id = 0 can be replayed across Ethereum-compatible chains, broadening the attack surface.

While multisignature wallets remain more secure due to multiple signer requirements, single-key wallets must adopt enhanced signature parsing and alert mechanisms.

Alongside EIP-7702, Pectra also raised validator staking limits and improved Layer 2 scalability, but the new attack vector demands urgent attention from users and developers alike.

At the time of reporting, the Ethereum (ETH) price was $2,516.10.