Ethereum’s latest network upgrade, Pectra, introduced powerful new features aimed at improving scalability and smart account functionality — but it also opened a dangerous new attack vector that could allow hackers to drain funds from user wallets using only an offchain signature.
Under the Pectra upgrade, which went live on May 7 at epoch 364032, attackers can exploit a new transaction type to take control of externally owned accounts (EOAs) without requiring the user to sign an onchain transaction.
Arda Usman, a Solidity smart contract auditor, confirmed to Cointelegraph that “it becomes possible for an attacker to drain an EOA’s funds using only an offchain signed message (no direct onchain transaction signed by the user).”
At the center of the risk is EIP-7702, a core component of the Pectra upgrade. The Ethereum Improvement Proposal introduces the SetCode transaction (type 0x04), which enables users to delegate control of their