BusinessDrinksEntertainmentFashion

Post Pectra ‘Malicious’ Ethereum Contracts Are Trying to Drain Wallets, But to No Avail: Wintermute

Wintermute, a prominent crypto market maker, has shed light on a concerning trend involving malicious Ethereum contracts exploiting a vulnerability introduced by EIP-7702, part of the recent Pectra upgrade. These contracts, dubbed “CrimeEnjoyors,” are designed to drain wallets with weak security, leveraging the EIP’s ability to allow regular Ethereum addresses to function temporarily as smart contracts.

EIP-7702 simplifies user experience by enabling batched transactions, password authentication, and spending limits through delegated contract control. However, this delegation opens the door for malicious actors. Wintermute’s research reveals that over 97% of EIP-7702 delegations utilize identical, copy-pasted contracts—effectively automated sweepers scanning for vulnerable wallets. The simplicity and widespread reuse of the CrimeEnjoyor contract is a key factor in its success.

While instances of significant losses have occurred—including a reported $150,000 theft detailed by Scam Sniffer—a surprising aspect is the attackers’ lack of significant profit. Despite authorizing approximately 79,000 addresses, costing roughly 2.88 ETH, the actual ETH transfer to the intended recipient addresses hasn’t materialized. A single address, 0x89383882fc2d0cd4d7952a3267a3b6dae967e704, handled over half of these authorizations.

Wintermute’s researchers highlight the traceability of stolen ETH. By analyzing the CrimeEnjoyor contract code, the destination address—for example, 0x6f6Bd3907428ae93BC58Aca9Ec25AE3a80110428—can be identified. However, this address currently shows no inbound ETH transfers, a pattern consistent across multiple CrimeEnjoyor instances. This suggests either a flaw in the attackers’ strategy or a more complex scheme beyond simple theft. The situation underscores the risks associated with newly implemented features and the importance of robust wallet security practices. The lack of immediate profit for the attackers remains an intriguing anomaly requiring further investigation.

Leave a Reply

Your email address will not be published. Required fields are marked *