It is a section from 0xresearch newsletter. To read full versions, subscribe.
One of my solidity developer friend reached the signal on the second day in a tizzy. “I can’t believe it,” he wrote. “How did Etharium developers let this happen?”
He was referring to one Recent Articles Anxiety about the pectra upgrade of Ethereum-especially EIP-7702- and the hackers “the ability to draw a wallet with only an offchin signature”. This piece is tied on X/Twitter, it seems, although not by those I follow. Fear was clearly stocked into some circles that a new transaction type enabled the attackers to seize the control of the purse without an onchane transaction or even the user’s knowledge.
But like many things in Crypto, both reality is more fine – and less dramatic.
On May 7, the recent pectra upgrade of the active atherium introduced a powerful mechanism, which enables externally owned accounts (EOAS) to function temporarily like smart accounts. But the rollout is accompanied by breathing claims that it exposes users to some crazy new risk.
Those headlines are misleading. While EIP-7702 can introduce a new attack surface for fishing, it does not bypass the signs of the wallet or allow unauthorized access to the signs. Instead, it signs a special message for temporary superpowers. But if that message comes in the wrong hands, one can take control – such as handing over a private key to your wallet for a single session.
Looks dangerous, and it can be, but only if a user is cheated in signing a malicious delegation. This is not a protocol failure, but wallet software has something to take care of publishers.
Security Researcher And Purse Constantly replied for 7702. For example, with support for convenience, the ambirement and Trust Wallet issued a patch or warning. Wallets who do not support 7702 are not sudden unsafe. But confusion Spread For example, viral tweets claimed the hardware wallet “no longer safe,” in EIP -7702.
Will Henesi, a product manager of the Alchemi, pushed back firmly on that story:
“This is a non-dust for the last users,” he told Blockworks. “No wallet supports signing of arbitrary delegations, nor is there a wallet RPC for a DAPP to request an arbitrary delegation signature.”
That is right … today. Mainstream wallet EIP-7702 Authorities such as Metamasks and Laser do not reveal a method to sign the tuples-a time-use word for permission slip, signed by the wallet owner.
But he is starting to change. Embedded wallet SDK-which includes its own account kit of Alchemi-first includes a method called Signatharization that makes a valid EIP-7702 signature. These products can bypass EIP -1193 Standard completely by bundling your own provider. As wallets begin to support smart accounts basically, this functionality will probably spread.
“The article describes a message signing a message with a wallet from a malicious website,” Hensi said, “But it is not possible for any website to request the EIP -7702 delegation signature from an external wallet.”
Keep an eye on this danger vector. Just as the existing standards have been exploited in “blind signing” attacks, similarly the same can happen with EIP -7702 if the wallet you are not clear about what the user is handing and for whom.
TL; DR- The criticism of 7702 as “auto-drain” danger is exaggerated. There is no magical back door, and the attackers still need your signature. But the fishing risk is there if the wallets do not show clear contracts, n one And the scope of a delegation.
So, opaque 32-light hex stars, do not sign people. Fasting wallets that request EIP-7702 and follow the representative contract. Pectra opens the door for powerful smart account facilities, but remember, with great power …
Get news in your inbox. Explore blockwork newsletters:
