Pectra allows hackers to drain wallets with only one offchain signature

The latest upgrade of the Ethereum network, Pectra, introduced powerful new features aimed at improving scalability and smart-account functionality, but it also opened a dangerous new attack vector that could let attackers drain funds from a user's wallet using only an offchain signature.
Under the Pectra upgrade, which went live on May 7 at epoch 364032, attackers may exploit a new transaction type to take control of externally owned accounts (EOAs) without the user ever signing an onchain transaction.
Arda Usman, a Solidity smart contract auditor, confirmed to Cointelegraph that “it is possible for an attacker to drain an EOA's funds using only an offchain-signed message (no direct onchain transaction signed by the user).”
At the heart of the risk is EIP-7702, a key component of the Pectra upgrade. The Ethereum Improvement Proposal introduces the SetCode transaction (type 0x04), which lets users delegate control of their wallet to another contract simply by signing a message.
If an attacker obtains this signature, say through a phishing site, they can overwrite the wallet's code with a small proxy that forwards calls to their malicious contract.
“Once the code is set,” Usman explains, “the attacker can invoke that code to move the account's ETH or tokens, all without the user having signed a normal transfer transaction.”
Wallets can be modified using an offchain signature
Yehor Rudytsia, onchain researcher at Hacken, noted that the new transaction type introduced by Pectra allows arbitrary code to be installed on a user's account, essentially turning a wallet into a programmable smart contract.
“This tx type allows the user to set arbitrary code (a smart contract) to perform operations on behalf of the user,” Rudytsia said.
Before Pectra, a wallet's behaviour could not be changed without a transaction signed directly by the user. Now, a simple offchain signature can install code that delegates complete control of the account to an attacker's contract.
“Pre-Pectra, users needed to send a transaction (not sign a message) to allow their funds to be transferred … post-Pectra, any operation can be performed from the contract approved by the user via set_code,” Rudytsia explained.
The threat is real and immediate. “Pectra activated May 7, 2025. From that moment on, any properly signed delegation could take effect,” Usman warned. He added that smart contracts relying on outdated assumptions, such as tx.origin or basic EOA checks, are particularly vulnerable.
Wallets and interfaces that fail to detect or properly display these new transaction types are at risk. Rudytsia warns that “wallets are vulnerable if they do not parse Ethereum transactions,” especially the 0x04 transaction type.
He emphasized that wallet software should clearly display delegation requests and flag any suspicious addresses.
This new form of attack can be carried out easily through standard offchain channels such as phishing emails, fake dApps, or Discord scams.
“We believe this will be the most popular attack vector arising from these changes introduced by Pectra,” Rudytsia said. “From now on, users should carefully verify what they are about to sign.”
Hardware wallets are no longer safer
Hardware wallets are no longer inherently safer, Rudytsia said. He added that hardware wallets are now at the same risk as hot wallets when it comes to signing malicious messages. “If it is done, all the funds are gone in a moment.”
There are ways to stay safe, but they require awareness. “Users should not sign messages they do not understand,” Rudytsia advised. He also urged wallet developers to provide clear warnings when users are asked to sign a delegation message.
Special precautions should be taken with the new delegation signature format introduced by EIP-7702, which is not compatible with the existing EIP-191 or EIP-712 standards. These messages often appear as bare 32-byte hashes and can bypass a wallet's normal warnings.
“If a message includes your account nonce, it probably affects your account directly,” Usman warned. “Normal sign-in messages or offchain commitments do not usually involve your nonce.”
Compounding the risk, EIP-7702 allows signatures with chain_id = 0, meaning the signed authorization can be replayed on any Ethereum-compatible chain. “Understand that it can be used anywhere,” Usman said.
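As an added illustration of the three points above (the non-EIP-712 signature format, the nonce, and chain_id = 0), the following Python is example code written for this article, not code from Cointelegraph, Hacken or any wallet vendor. It builds the raw EIP-7702 authorization payload that gets hashed and signed, applies the wallet-side checks the researchers describe, and recognises an account whose code has already been replaced by a 7702 delegation designator. The MAGIC byte 0x05, the [chain_id, address, nonce] layout and the 0xef0100 prefix come from EIP-7702; the warning policy and the "trusted targets" list are this example's own assumptions, and keccak hashing is left out to keep it dependency-free.

```python
# Added example: wallet-side review of an EIP-7702 authorization tuple and
# detection of an already-delegated account. MAGIC, the RLP payload layout
# and the delegation prefix follow EIP-7702; the check policy is assumed here.

def rlp_encode(item) -> bytes:
    """Minimal RLP encoder for ints, byte strings and lists (enough for 7702)."""
    if isinstance(item, int):
        item = b"" if item == 0 else item.to_bytes((item.bit_length() + 7) // 8, "big")
    if isinstance(item, (bytes, bytearray)):
        if len(item) == 1 and item[0] < 0x80:
            return bytes(item)
        return _rlp_len(len(item), 0x80) + bytes(item)
    body = b"".join(rlp_encode(x) for x in item)
    return _rlp_len(len(body), 0xC0) + body

def _rlp_len(n: int, offset: int) -> bytes:
    if n < 56:
        return bytes([offset + n])
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(n_bytes)]) + n_bytes

MAGIC = b"\x05"  # EIP-7702 domain byte: signed hash = keccak256(MAGIC || rlp([...]))

def authorization_preimage(chain_id: int, address: bytes, nonce: int) -> bytes:
    """Bytes that are hashed and signed. No EIP-191 prefix, no EIP-712 domain:
    a wallet that only understands those formats sees an opaque 32-byte hash."""
    return MAGIC + rlp_encode([chain_id, address, nonce])

def review_authorization(chain_id, address, nonce, account_nonce, trusted) -> list:
    """Return the warnings a wallet should show before signing a delegation."""
    warnings = []
    if chain_id == 0:
        warnings.append("chain_id = 0: valid on every Ethereum-compatible chain (replayable)")
    if address not in trusted:  # 'trusted' is an assumed allowlist of implementations
        warnings.append(f"delegation target 0x{address.hex()} is not a known implementation")
    if nonce == account_nonce:
        warnings.append("nonce matches your account nonce: this is a live delegation, not a login")
    return warnings

DELEGATION_PREFIX = b"\xef\x01\x00"  # code stored on a delegated EOA: prefix || 20-byte address

def parse_delegation(code: bytes):
    """Return the delegate address if an account's code is a 7702 designator, else None."""
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return code[3:]
    return None
```

A monitoring job can call parse_delegation on an EOA's current code to spot an unexpected delegate, and a signer can run review_authorization on every 7702 request before prompting the user.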
While multisignature wallets remain safer under this upgrade thanks to their requirement for multiple signers, single-key wallets, hardware or otherwise, should adopt new parsing and red-flag tooling to prevent exploitation.
Alongside EIP-7702, Pectra also includes EIP-7251.