EIP-7702: Ethereum's Feature That Drains Wallets

Ethereum's Pectra upgrade gave users batch transactions. It gave attackers a way to drain 15,000+ wallets for $12 million in two months.

EIP-7702 delegation contracts on Etherscan. Red highlights show confirmed sweeper contracts tied to the Inferno Drainer group.

On May 24, someone signed a batch of transactions on a fake Uniswap clone. They thought they were approving a swap. They were actually handing over their wallet.

Within minutes, $146,551 vanished. The victim's Ethereum account - upgraded to use EIP-7702 smart accounts - was empty. The attacker didn't need their private key. They didn't need a seed phrase. They just needed a signature.

This was not an isolated incident. It was the new normal.

EIP-7702 launched as part of Ethereum's Pectra upgrade in early 2025. The feature allowed externally owned accounts - standard wallets like MetaMask - to temporarily function as smart contracts. The selling point was obvious: batch transactions, gas sponsorship, better UX. Users could sign one set of approvals and execute multiple trades. Faster. Cheaper. More flexible.

The problem? So could attackers.

The delegation mechanism worked like this: an EOA could sign a message delegating execution authority to a smart contract for a limited time. Legitimate use cases included batch swaps and gasless transactions. But phishing groups like Inferno Drainer realized they could weaponize it.

Scam Sniffer flagged the first major case on May 24. A wallet upgraded to EIP-7702 lost nearly $150,000. SlowMist founder Yu Xian confirmed the attacker was Inferno Drainer - a known phishing group that had been operating since 2023. The group used a MetaMask EIP-7702 Delegator address to bulk-approve token transfers. One signature. Hundreds of thousands of dollars.

Wintermute's security team started tracking the exploit. Their Dune Analytics dashboard showed horrifying numbers: over 80% of delegate contracts tied to EIP-7702 exhibited malicious behavior. Attackers spent at least 2.88 ETH just authorizing the sweeper contracts. That's upfront cost. They were patient. They were organized.

By August 2025, the damage was clear. Over $12 million stolen from 15,000+ wallets. Three high-net-worth accounts accounted for nearly half the losses. The Inferno Drainer group alone had used multiple delegator addresses: 0x63c0c19a282a1B52b07dD5a65b58948A07DAE32B and 0x930fcc37d6042c79211ee18a02857cb1fd7f0d0b were flagged as active sweeper hubs.

Wintermute reverse-engineered the malicious bytecode and injected on-chain warnings into the contracts. Security firms like GoPlus updated their transaction simulation APIs to detect EIP-7702-based attacks. But the damage was done.

The exploit undermined a core Ethereum security assumption. Contracts relying on tx.origin == msg.sender for access control were now vulnerable. EOAs could temporarily execute smart contract logic, bypassing protections meant to distinguish between user-initiated and contract-initiated transactions. Reentrancy attacks became easier. Flash loan protections failed.

A study by Certik found that 34% of DeFi users now avoid batch transaction features. 22% reduced their DeFi participation due to phishing fears. Institutional adoption stalled. Wintermute and Alameda Research paused EIP-7702 integrations.

Vitalik Buterin suggested a system for Ethereum network nodes to simplify requirements for everyday clients. But the damage to trust was immediate.

EIP-7702 is still live. The contracts are still there. Another batch approval is waiting for someone who doesn't check the bytecode.