New Ethereum Upgrade Pectra Exposes Wallets to Serious Security Risks with Offchain Signatures

Introduction to Pectra Upgrade

A recent upgrade to the Ethereum network, known as Pectra, launched on May 7, 2025, and introduced features designed to enhance the scalability and functionality of smart accounts. These improvements, however, come with significant new security risks.

New Vulnerabilities Introduced

Specifically, Pectra may inadvertently enable hackers to empty user wallets using only an offchain signature, without any onchain transaction approval from the wallet owner. This vulnerability arises from a core component of the Pectra upgrade, EIP-7702, which introduces a new transaction type called SetCode (transaction type 0x04).

This feature allows users to delegate control of their wallet to another smart contract simply by signing a message. Security experts have raised alarms that if a malicious actor obtains such a signed message, for example through phishing, they can insert proxy code into the user’s wallet that reroutes transaction instructions to the attacker’s contract.

Expert Insights on Risks

Arda Usman, a Solidity smart contract auditor, pointed out that the new functionality allows attackers to transfer funds away from an externally owned account (EOA) without needing the victim’s direct consent through traditional onchain transactions. What’s particularly alarming is that while users traditionally had to explicitly authorize movements of funds through transactions, the Pectra upgrade allows for a more insidious method of control through mere offchain signatures.

Yehor Rudytsia, an onchain researcher at Hacken, underscored the risk, noting that this new transaction type effectively turns user wallets into programmable smart contracts.

“Before Pectra, modifications to wallets required a transaction signed by the user, but now, any complete access can be granted via a simple offchain signature,” Rudytsia explained. This change creates a scenario where hackers can execute harmful operations merely by receiving a delegation signature.

Implications for Wallet Security

The launch of Pectra is an immediate concern because any valid delegation signature is now actionable, which makes it pressing for users and wallet providers to adapt quickly. Wallets that do not properly detect or display this new transaction type may find themselves particularly exposed to this new mode of attack. Rudytsia cautioned that any wallet failing to analyze Ethereum’s various transaction types, especially 0x04, could endanger its users.

Although hardware wallets were previously seen as a secure way to store assets, they now face risks comparable to those of hot wallets when it comes to unauthorized message signing. Rudytsia noted that signing unfamiliar messages can lead to immediate loss of funds. Users must be judicious and should avoid signing any message without understanding its implications, especially messages in the new format introduced by EIP-7702, which differs from current standards such as EIP-191 and EIP-712.

Considerations for Wallet Systems

Usman also raised the possibility of replay attacks on Ethereum-compatible chains, and expressed concern about how signed messages that incorporate the account nonce can directly affect the account. While multisignature wallets retain a greater level of security because they require multiple signers, it is essential for all wallet systems, including hardware ones, to implement robust signature analysis and alert mechanisms to counter these vulnerabilities.
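As an added example (not code from the article, from Hacken, or from any wallet vendor), the following Python shows the kind of pre-signing analysis the experts quoted above call for: it classifies the raw bytes a wallet is asked to sign as an EIP-191 message, an EIP-712 typed-data digest, or an EIP-7702 delegation authorization, whose signed pre-image is `0x05 || rlp([chain_id, address, nonce])` under the EIP. For a delegation it surfaces the delegate address and flags `chain_id = 0`, which the EIP treats as valid on every chain and which is the cross-chain replay case the paragraph above alludes to. It also checks whether an account's code is already the EIP-7702 delegation indicator (`0xef0100 || address`), the on-chain monitoring the earlier section asks of wallets. The minimal RLP encoder and decoder, the sample addresses and all function names are my own constructions; a real wallet would receive a structured request from its signing API rather than raw bytes.

```python
"""Pre-signing analysis for an Ethereum wallet. Added example, not the article's
or any wallet project's code; sample addresses and helper names are constructed."""
from typing import Any, Optional

# EIP-7702: the authority signs keccak256(0x05 || rlp([chain_id, address, nonce]));
# chain_id 0 makes the authorization valid on every chain. A delegated account's
# code is 0xef0100 || address. The other two prefixes are EIP-191 and EIP-712.
EIP7702_MAGIC = b"\x05"
DELEGATION_PREFIX = bytes.fromhex("ef0100")
EIP191_PREFIX = b"\x19Ethereum Signed Message:\n"
EIP712_PREFIX = b"\x19\x01"

def _take(data: bytes, n: int):
    if len(data) < n:
        raise ValueError("truncated RLP item")
    return data[:n], data[n:]

def _decode_item(data: bytes):
    """Decode one RLP item (bytes or nested list); return (item, remaining bytes)."""
    if not data:
        raise ValueError("empty RLP input")
    p = data[0]
    if p < 0x80:                      # single byte encodes itself
        return data[:1], data[1:]
    if p < 0xB8:                      # short string
        return _take(data[1:], p - 0x80)
    if p < 0xC0:                      # long string
        ll = p - 0xB7
        return _take(data[1 + ll:], int.from_bytes(data[1:1 + ll], "big"))
    if p < 0xF8:                      # short list
        payload, rest = _take(data[1:], p - 0xC0)
    else:                             # long list
        ll = p - 0xF7
        payload, rest = _take(data[1 + ll:], int.from_bytes(data[1:1 + ll], "big"))
    items = []
    while payload:
        item, payload = _decode_item(payload)
        items.append(item)
    return items, rest

def rlp_decode(data: bytes) -> Any:
    item, rest = _decode_item(data)
    if rest:
        raise ValueError("trailing bytes after RLP item")
    return item

def _length_prefix(n: int, offset: int) -> bytes:
    if n < 56:
        return bytes([offset + n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(nb)]) + nb

def rlp_encode(obj) -> bytes:
    """Minimal RLP encoder for ints, bytes and lists (used to build sample input)."""
    if isinstance(obj, int):
        obj = obj.to_bytes((obj.bit_length() + 7) // 8, "big")   # 0 -> b""
    if isinstance(obj, (bytes, bytearray)):
        if len(obj) == 1 and obj[0] < 0x80:
            return bytes(obj)
        return _length_prefix(len(obj), 0x80) + bytes(obj)
    payload = b"".join(rlp_encode(x) for x in obj)
    return _length_prefix(len(payload), 0xC0) + payload

def delegation_target(code: bytes) -> Optional[str]:
    """Return the delegate address if `code` is an EIP-7702 delegation indicator."""
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None

def classify_signing_request(payload: bytes) -> dict:
    """Classify the bytes a user is asked to sign and list the alerts to display."""
    if payload.startswith(EIP191_PREFIX):
        return {"kind": "eip191", "alerts": []}
    if payload.startswith(EIP712_PREFIX):
        return {"kind": "eip712", "alerts": []}
    if not payload.startswith(EIP7702_MAGIC):
        return {"kind": "unknown", "alerts": ["unrecognized format: do not sign blind"]}
    try:
        fields = rlp_decode(payload[1:])
    except ValueError:
        fields = None
    if not (isinstance(fields, list) and len(fields) == 3
            and all(isinstance(f, bytes) for f in fields) and len(fields[1]) == 20):
        return {"kind": "unknown", "alerts": ["0x05 message is not a valid EIP-7702 tuple"]}
    chain_id = int.from_bytes(fields[0], "big")
    delegate = "0x" + fields[1].hex()
    alerts = [f"EIP-7702 delegation: this account's code will execute {delegate}"]
    if chain_id == 0:
        alerts.append("chain_id 0: authorization is replayable on every EVM chain")
    return {"kind": "eip7702_authorization", "chain_id": chain_id, "delegate": delegate,
            "nonce": int.from_bytes(fields[2], "big"), "alerts": alerts}

if __name__ == "__main__":
    # Constructed sample: delegation to a placeholder address, signed with chain_id 0.
    sample = bytes.fromhex("11" * 20)
    for line in classify_signing_request(EIP7702_MAGIC + rlp_encode([0, sample, 7]))["alerts"]:
        print("ALERT:", line)
    print(delegation_target(DELEGATION_PREFIX + sample))
```

The design point is that an EIP-7702 authorization does not look like the EIP-191 or EIP-712 messages wallets already render, so a signer that only recognizes those two formats will show the user nothing meaningful; classifying the pre-image first lets the wallet refuse blind signing, name the delegate and warn when a `chain_id` of 0 makes one signature usable on every chain.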

Other Enhancements in Pectra

The Pectra upgrade also included other enhancements, such as EIP-7251, which raises the validator staking limit from 32 ETH to 2,048 ETH, and EIP-7691, which increases the number of data blobs per block to improve scalability for layer-2 solutions in Ethereum’s ecosystem.