Hackers Exploit Pectra’s Offchain Signature Flaw to Empty Wallets

Ethereum’s ambitious Pectra upgrade, launched on May 7, 2025, at epoch 364032, has inadvertently ushered in a potential security nightmare. The upgrade, which aimed to enhance scalability and smart account functionalities, now poses a severe risk to user wallets, allowing hackers to drain funds using an offchain signature.

A Double-Edged Sword

Pectra’s introduction of the SetCode transaction (type 0x04) through EIP-7702 has sparked concern among security experts. This new feature, while revolutionary in allowing users to turn their wallets into programmable smart contracts, also opens up a dangerous attack vector. According to Arda Usman, a noted Solidity smart contract auditor, attackers can exploit it by using an offchain signed message to seize control of externally owned accounts (EOAs). “Once the code is set,” Usman explains, “the attacker can invoke that code to transfer out the account’s ETH or tokens—all without the user ever signing a normal transfer transaction.”

Yehor Rudytsia, an onchain researcher at Hacken, elaborates on the gravity of the situation: “This transaction type allows arbitrary code to be installed on the user’s account, essentially turning their wallet into a programmable smart contract.” Before Pectra, such a modification required a transaction signed directly by the user. Now, an offchain signature suffices, making wallets vulnerable to phishing attacks and other scams. The change nonetheless fits Vitalik Buterin’s stated vision for Ethereum (Pectra, Glamsterdam and beyond), which emphasizes the transformative potential of such upgrades.

The Underbelly of Innovation

The Pectra upgrade’s new transaction types present a unique challenge for wallet developers and users alike. Rudytsia warns that “wallets are vulnerable if they do not analyze Ethereum’s transaction types,” particularly the newly introduced type 0x04. Wallet interfaces that fail to recognize or properly display these delegation requests stand at significant risk. Rudytsia further emphasizes the necessity for wallet engines to clearly flag suspicious addresses and delegation requests to prevent unauthorized access.

Interestingly, the upgrade has leveled the playing field between hardware and hot wallets. “Hardware wallets are not inherently safer anymore,” Rudytsia points out, underlining that they are now equally susceptible to signing malicious messages. This development comes at a time when multi-wallet usage is up 16% (even as AI may help close the crypto fragmentation gap), highlighting the evolving landscape of wallet security and management.

The crypto community must adapt swiftly to mitigate these risks. Users are advised to exercise extreme caution and avoid signing messages they do not fully understand. Rudytsia suggests that wallet developers incorporate clear warnings when users are prompted to sign delegation messages, especially with the new EIP-7702 format. These messages, often appearing as simple 32-byte hashes, can bypass traditional wallet alerts, as they are not compatible with existing EIP-191 or EIP-712 standards.

Usman adds that users should be wary of messages that include their account nonce, as such messages are likely to act directly on their accounts. Furthermore, an authorization signed with chain_id = 0 is valid on any Ethereum-compatible chain, so the same message can be replayed across chains, raising additional concerns.
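A sketch of the signature parsing and red-flagging the researchers call for, as an added example that is not code from the article, from Hacken or from any wallet vendor: it rebuilds the EIP-7702 authorization preimage (the bytes whose keccak256 is the bare 32-byte digest a wallet may be handed) and screens a decoded request for the warning signs discussed above. The allowlist address is a constructed placeholder; the nonce rule (the tuple applies at the account's current nonce, or nonce + 1 when the account sends the transaction itself) follows the EIP's processing order.

```python
"""Wallet-side screening of EIP-7702 delegation requests (added example)."""
from typing import List, Tuple

MAGIC = b"\x05"  # EIP-7702 domain byte: digest = keccak256(0x05 || rlp([chain_id, address, nonce]))
# Constructed placeholder: delegate contracts the wallet vendor has reviewed.
KNOWN_DELEGATES = {"0x" + "11" * 20}


def _rlp_int(n: int) -> bytes:
    """RLP for a non-negative integer; short-string form suffices for chain ids and nonces."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")  # 0 encodes as the empty string (0x80)
    return b if len(b) == 1 and b[0] < 0x80 else bytes([0x80 + len(b)]) + b


def auth_preimage(chain_id: int, address: str, nonce: int) -> bytes:
    """Bytes the signer hashes for one authorization tuple (no EIP-191/712 framing)."""
    addr = bytes.fromhex(address[2:] if address.startswith("0x") else address)
    if len(addr) != 20:
        raise ValueError("delegate address must be 20 bytes")
    payload = _rlp_int(chain_id) + bytes([0x80 + 20]) + addr + _rlp_int(nonce)
    return MAGIC + bytes([0xC0 + len(payload)]) + payload  # list is well under 56 bytes


def screen_authorization(chain_id: int, address: str, nonce: int,
                         wallet_chain_id: int, account_nonce: int) -> Tuple[str, List[str]]:
    """Classify a decoded (chain_id, address, nonce) tuple before the user is asked to sign."""
    reasons = []
    if chain_id == 0:
        reasons.append("chain_id 0: authorization is valid on every EVM chain (cross-chain replay)")
    elif chain_id != wallet_chain_id:
        reasons.append(f"chain_id {chain_id} differs from connected chain {wallet_chain_id}")
    unknown_delegate = address.lower() not in KNOWN_DELEGATES
    if unknown_delegate:
        reasons.append(f"delegate {address} is not a reviewed contract")
    if nonce not in (account_nonce, account_nonce + 1):
        reasons.append(f"nonce {nonce} does not fit account nonce {account_nonce}")
    risk = "high" if chain_id == 0 or unknown_delegate else ("medium" if reasons else "low")
    return risk, reasons


def screen_raw_sign_request(data: bytes) -> str:
    """Flag opaque 32-byte digests that slip past EIP-191/EIP-712 display logic."""
    if data.startswith(b"\x19Ethereum Signed Message:\n"):
        return "eip191"
    if data.startswith(b"\x19\x01"):
        return "eip712"
    if len(data) == 32:
        return "blind-hash"  # may be a 7702 authorization or tx hash: warn or refuse
    return "unknown"
```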

Looking Ahead

While multisignature wallets offer a buffer against these vulnerabilities, single-key wallets must urgently adopt new signature parsing and red-flagging protocols. The Pectra upgrade also incorporated EIP-7251, increasing Ethereum’s validator staking limit from 32 to 2,048 ETH, and EIP-7691, which enhances layer-2 scalability by allowing more data blobs per block. These changes hold positive implications for Ethereum’s future, yet the immediate security implications cannot be overlooked.

As the crypto world grapples with Pectra’s unintended consequences, one thing is clear: vigilance and innovation are crucial. Users and developers alike must navigate this complex landscape, balancing the potential of new technologies against their inherent risks. How the community responds will shape Ethereum’s trajectory in the months to come.

Source

This article is based on: Pectra lets hackers drain wallets with just an offchain signature
