Ethereum Pectra Upgrade Might Enable Auto-Exploits, Wintermute Alerts

Wintermute warns that Ethereum’s Pectra upgrade introduces security gaps that could allow attackers to automatically steal user funds.
Crypto trading firm Wintermute raised concerns about Ethereum’s Pectra upgrade, specifically the EIP-7702 feature, which introduces more flexible and user-friendly wallets known as smart wallets.
According to Wintermute's analysis, Pectra introduces vulnerabilities that could be exploited in automated attacks.
Wintermute Introduces Solution to Warn of Ethereum Wallet Attacks
Wintermute research points out that 97% of EIP-7702 delegations use the same code. Delegations, which enable other contracts to act on someone’s behalf, allow users to temporarily hand over control of their wallets. This can be useful for automating actions like gas sponsorships and batching multiple transactions.
However, that shared code, which Wintermute describes as “sweeper code”, can allow attackers to automatically drain incoming ETH from compromised crypto wallets. Researchers designed a warning system called CrimeEnjoyor to detect and alert users about threats targeting their wallets.
Wintermute translated the malicious low-level code (EVM bytecode) back into human-readable Solidity code and identified it as “CrimeEnjoyor” to reveal what it was designed to do. This helped them improve labels and warnings on their Dune dashboard, which also tracks EIP-7702 activity from platforms like Uniswap and MetaMask. Wintermute explains that CrimeEnjoyor verifies code and makes its intent visible, removing the need to detect malicious behavior through transaction patterns or metadata.
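The detection problem Wintermute describes comes down to two checks on an account: is its code an EIP-7702 delegation designator, and does the implementation it points at match a labelled sweeper, either by address or by bytecode (which is what catches the "97% use the same code" case when the same sweeper is redeployed at a new address). The example below is added here and is not Wintermute's code or its Dune dashboard logic. Under EIP-7702 a delegated EOA's code is exactly the 3-byte prefix `0xef0100` followed by the 20-byte implementation address; everything else (the denylist, the placeholder addresses, the placeholder runtime bytecode, and the use of sha256 instead of keccak256 as the fingerprint) is an assumption constructed for the example.

```python
"""Flag EIP-7702 delegations that point at a known sweeper implementation.

Added example, not Wintermute's code. Input is the hex string an
eth_getCode call returns for the account; no network access is needed.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# EIP-7702: a delegated EOA has exactly 23 bytes of code, the prefix
# 0xef0100 followed by the 20-byte implementation address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")
DESIGNATOR_LENGTH = 23

# Constructed denylist keyed by lower-case implementation address.
# The address is a placeholder for this example, not a real labelled contract.
SWEEPER_ADDRESSES = {
    "0x" + "ab" * 20: "CrimeEnjoyor (placeholder address)",
}

# Constructed fingerprint set for implementation runtime bytecode. A real
# deployment would key on keccak256 of the code; sha256 is used here only
# because it is in the standard library. The bytecode is a placeholder.
SWEEPER_BYTECODE = bytes.fromhex("60806040")
SWEEPER_FINGERPRINTS = {
    hashlib.sha256(SWEEPER_BYTECODE).hexdigest(): "CrimeEnjoyor (placeholder bytecode)",
}


@dataclass
class DelegationReport:
    delegated: bool
    implementation: Optional[str] = None
    label: Optional[str] = None


def hex_to_bytes(hexstr: str) -> bytes:
    """Decode an eth_getCode-style hex string ("0x..." or just "0x" for no code)."""
    return bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)


def parse_delegation(code: bytes) -> Optional[str]:
    """Return the implementation address if `code` is a 7702 designator, else None."""
    if len(code) != DESIGNATOR_LENGTH or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[len(DELEGATION_PREFIX):].hex()


def fingerprint(runtime_code: bytes) -> str:
    """Fingerprint of an implementation's runtime code (sha256 stands in for keccak256)."""
    return hashlib.sha256(runtime_code).hexdigest()


def inspect_account(account_code_hex: str,
                    implementation_code_hex: Optional[str] = None) -> DelegationReport:
    """Classify an account from its own code and, optionally, its implementation's code.

    Address matching catches a delegation to an already-labelled sweeper;
    fingerprint matching catches the same bytecode redeployed at a new address.
    """
    impl = parse_delegation(hex_to_bytes(account_code_hex))
    if impl is None:
        return DelegationReport(delegated=False)
    label = SWEEPER_ADDRESSES.get(impl.lower())
    if label is None and implementation_code_hex is not None:
        label = SWEEPER_FINGERPRINTS.get(fingerprint(hex_to_bytes(implementation_code_hex)))
    return DelegationReport(delegated=True, implementation=impl, label=label)


if __name__ == "__main__":
    # Constructed sample: a delegated EOA pointing at the placeholder sweeper address.
    print(inspect_account("0xef0100" + "ab" * 20))
    # Same placeholder bytecode deployed at a different, unlabelled address.
    print(inspect_account("0xef0100" + "cd" * 20, "0x60806040"))
    # A plain EOA with no code at all.
    print(inspect_account("0x"))
```

The length check matters: a designator is always 23 bytes, so a longer blob that happens to begin with `0xef0100` is not a delegation and should not be reported as one. Because `0xef` is reserved as a code prefix, ordinary contracts cannot start with it, which is what makes the prefix test reliable.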
Preventing EIP-7702 Exploits Requires Security Solutions
Ethereum’s Pectra upgrade went live on the mainnet in early May 2025. Several weeks later, the blockchain security company Scam Sniffer reported that an EIP-7702 account had lost around $146,500 in a sophisticated phishing scam targeting wallet delegations.
The incident raised concerns about the EIP-7702 account abstraction feature, which allows externally owned accounts (EOAs) to act as smart contracts, giving them more flexible control over wallet operations. Yu Xian, founder of the security company SlowMist, wrote on X that attackers used creative and previously unseen methods to exploit this feature by leveraging MetaMask’s EIP-7702 delegator mechanism.
In its research, Wintermute notes that although primitives like EIP-7702 expand what is possible in crypto, better transparency and security tooling are needed to detect and prevent such attacks.
Besides EIP-7702, the Pectra upgrade also introduced improvements such as enhanced gas efficiency and a new staking limit mechanism.
The content on The Coinomist is for informational purposes only and should not be interpreted as financial advice. While we strive to provide accurate and up-to-date information, we do not guarantee the accuracy, completeness, or reliability of any content. Nor do we accept liability for any errors or omissions in the information provided or for any financial losses incurred as a result of relying on this information. Actions based on this content are at your own risk. Always do your own research and consult a professional. See our Terms, Privacy Policy, and Disclaimers for more details.