Pectra lets hackers drain wallets with just an offchain signature

Summary

Ethereum's Pectra upgrade, launched on May 7, 2025, enhances scalability and smart account functionality but introduces a significant security vulnerability. The upgrade allows attackers to drain funds from externally owned accounts (EOAs) using only an offchain signature, without requiring an onchain transaction. This risk stems from EIP-7702, which enables users to delegate wallet control via a signed message. If an attacker obtains this signature, they can install malicious code on the wallet, allowing them to transfer funds without user consent. Wallets that do not properly analyze new transaction types, particularly type 0x04, are at heightened risk. Hardware wallets are now as vulnerable as hot wallets regarding malicious message signing. Users are advised to avoid signing unfamiliar messages and to be cautious with new delegation signature formats. While multisignature wallets remain more secure, single-key wallets must implement new security measures to mitigate exploitation risks. The upgrade also includes EIP-7251 and EIP-7691, enhancing validator staking limits and layer-2 scalability.
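An added defender-side check, not code from the article: it inspects an account's code for the EIP-7702 delegation designator (the `0xef0100 || address` prefix defined in the EIP, assumed here), recognises the type `0x04` set-code transaction by its leading type byte, and flags EOAs delegated to a contract outside a wallet's allowlist. All sample code bytes and addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# EIP-7702 delegation designator prefix; per the EIP spec the account's
# code becomes 0xef0100 followed by the 20-byte delegate address (assumed here).
DELEGATION_PREFIX = bytes.fromhex("ef0100")
DELEGATION_CODE_LEN = len(DELEGATION_PREFIX) + 20
# Typed transactions start with their type byte; 0x04 is the set-code tx.
SET_CODE_TX_TYPE = 0x04


@dataclass
class DelegationStatus:
    delegated: bool
    target: Optional[str]  # 0x-prefixed delegate address when delegated


def inspect_account_code(code: bytes) -> DelegationStatus:
    """Return whether an EOA's code is a delegation designator and, if so, its target."""
    if len(code) == DELEGATION_CODE_LEN and code.startswith(DELEGATION_PREFIX):
        return DelegationStatus(True, "0x" + code[len(DELEGATION_PREFIX):].hex())
    return DelegationStatus(False, None)


def is_set_code_tx(raw_tx: bytes) -> bool:
    """True when the raw typed-transaction envelope is an EIP-7702 (0x04) transaction."""
    return len(raw_tx) > 0 and raw_tx[0] == SET_CODE_TX_TYPE


def check_accounts(accounts: dict[str, bytes], allowlist: set[str]) -> list[str]:
    """Flag accounts whose delegation target is not an allowlisted contract."""
    alerts = []
    for addr, code in accounts.items():
        status = inspect_account_code(code)
        if status.delegated and status.target.lower() not in allowlist:
            alerts.append(f"{addr} is delegated to unknown contract {status.target}")
    return alerts


# Constructed sample data: one undelegated EOA, one delegated to a known
# contract, one delegated to an unknown contract, and an ordinary contract.
KNOWN_DELEGATE = "0x" + "11" * 20
UNKNOWN_DELEGATE = "0x" + "22" * 20
SAMPLE_ACCOUNTS = {
    "0x" + "aa" * 20: b"",
    "0x" + "bb" * 20: DELEGATION_PREFIX + bytes.fromhex("11" * 20),
    "0x" + "cc" * 20: DELEGATION_PREFIX + bytes.fromhex("22" * 20),
    "0x" + "dd" * 20: bytes.fromhex("6080604052"),  # normal contract bytecode start
}

if __name__ == "__main__":
    for alert in check_accounts(SAMPLE_ACCOUNTS, {KNOWN_DELEGATE}):
        print(alert)
```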
