Hackers are systematically exploiting Ethereum’s EIP-7702 upgrade to steal World Liberty Financial tokens from Donald Trump’s crypto project , according to SlowMist security researchers. The attacks leverage a vulnerability in the May Pectra upgrade that allows externally owned accounts to delegate control to smart contracts, enabling attackers to plant malicious code that instantly drains all incoming ETH and tokens. World Liberty Financial Becomes Latest Victim of Ethereum Exploit According to SlowMist, multiple WLFI token holders have lost their assets after hackers combined private key theft with malicious delegate contract deployment. The exploit technique has matured rapidly since Ethereum’s Pectra upgrade launched May 7, with over 97% of EIP-7702 delegations linked to identical wallet-draining contracts designed to automatically sweep funds. Security firm SlowMist warned that victims whose private keys are compromised face complete asset loss through pre-planted malicious delegates. 又遇到一位玩家多个地址的 $WLFI 都被盗事件,看了下盗窃手法,又是 7702 delegate 恶意合约利用,前提也是私钥泄露,黑客在目标钱包地址上提前埋伏好恶意的 7702 delegate 地址,之后将目标地址所有 ETH 及价值 token(比如这里是 $WLFI)转走,一点渣渣都不剩,如果用户转入 ETH 当… https://t.co/YyVvMPwaGM — Cos(余弦) (@evilcos) September 1, 2025 When users transfer ETH for gas or receive tokens like WLFI, the malicious contracts immediately redirect all funds to attacker-controlled addresses, leaving wallets permanently compromised. The vulnerability stems from EIP-7702’s design, which allows EOAs to borrow execution logic from designated smart contracts temporarily. Source: Blockchain Academy Attackers exploit this vulnerability by installing delegate contracts that use the DELEGATECALL function to execute malicious code within the victim’s wallet context, thereby gaining complete control over the storage and funds. Ethereum’s Account Abstraction Dream Becomes Security Nightmare EIP-7702 was designed to enhance Ethereum’s user experience by enabling wallets to execute smart contracts without permanently becoming contract-based addresses. The upgrade aimed to reduce gas fees through bundled transactions and allow settlement using cryptocurrencies other than ETH, supporting Vitalik Buterin’s vision of seamless Web3 adoption . However, the implementation created critical security risks when combined with private key compromise. Hackers pre-install malicious delegate addresses that gain complete wallet control through DELEGATECALL operations, effectively turning victim wallets into attacker-controlled smart contracts while maintaining the original address. Notable incidents include a $1.54 million phishing attack in August, where victims signed disguised batch transactions, and Inferno Drainer’s $146,000 MetaMask wallet drain through malicious delegation authorization. ALERT: An address upgraded to EIP-7702 lost $146,551 through malicious batched transactions in phishing attack. pic.twitter.com/7GbamqOZVI — Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) May 24, 2025 The phishing group netted over $9 million across chains in 2025 by convincing users to authorize attacker-controlled delegate contracts. Earlier in June, Wintermute’s research revealed that automated sweeper contracts account for the vast majority of EIP-7702 delegations, creating a systematic threat to Ethereum users. The market maker developed CrimeEnjoyor, a tool that injects warnings into verified malicious contracts stating they are “used by bad guys to automatically sweep all incoming ETH.” Multiple Attack Vectors Emerge From Flawed Upgrade Implementation Beyond World Liberty Financial token theft, EIP-7702 exploitation has enabled diverse attack methods targeting different vulnerability points. Phishing campaigns impersonate trusted DeFi platforms to trick users into signing dangerous batch transactions and delegate approvals, leading to immediate fund drainage upon authorization. Particularly, off-chain signature attacks pose another significant threat with this vulnerability, as it enables hackers to remotely install malicious code in wallets using signed messages rather than on-chain transactions. This method bypasses traditional security measures and operates stealthily, requiring only a compromised signature to grant total wallet control. Similarly, flash loan and reentrancy exploits leverage EIP-7702 features to bypass on-chain security logic, enabling price manipulation attacks against DeFi protocols. Recent contract attacks caused losses approaching one million dollars in established DeFi projects through compromised delegated authorizations. The technical root cause lies in EIP-7702’s delegation mechanism combined with DELEGATECALL operations that execute in the victim’s wallet context. When private keys are compromised through phishing or other means, attackers can set malicious delegate contracts that automatically steal any incoming value. Crypto market maker @wintermute_t has developed a tool that injects on-chain warnings into malicious wallet-draining contracts to alert users. #Ethereum #ETH https://t.co/5NPLiyy4K8 — Cryptonews.com (@cryptonews) June 2, 2025 Security experts recommend avoiding suspicious delegation requests, verifying all transaction permissions, and canceling compromised delegate contracts when possible. However, the fundamental design that allows EOAs to delegate execution creates an attack surface that criminals continue to exploit as the technique matures. Notably, the upgrade increased validator staking limits from 32 ETH to 2,048 ETH while introducing auto-compounding features designed to attract conservative institutional capital. While the upgrade aimed to improve user experience and reduce costs, the security trade-offs have overshadowed these benefits as users face wallet-draining threats. The security vulnerabilities have created new attack vectors that criminals rapidly weaponized. The post Trump’s Crypto Project WLFI Under Attack as Ethereum Upgrade Backfires – What Went Wrong? appeared first on Cryptonews .
