Careful when signing messages in Ethereum Pectra
The Ethereum blockchain forked today for its Pectra code change and introduced a suite of new features, upgrades, and vulnerabilities.
However, within an hour of the changeover, concerned users were warning about a new threat vector: message signing.
“Be careful what you sign… It is enough to drain all tokens,” posted one user to Telegram. Another Ethereum user echoed the warning, saying, “You only have to sign a message to get completely drained!”
Many other warnings flagged similar risks.
Ethereum’s Pectra upgrade included Ethereum Improvement Proposal (EIP) 3074, which has introduced new AUTH and AUTHCALL Ethereum operation codes. These opcodes allow the holder of an Ethereum private key to delegate authorization to a smart contract.
Developers called it an important step in achieving account abstraction. However, critics say it has introduced new phishing attacks that allow theft of all assets in a user’s wallet once they delegate control of their keys.
Careful signing Ethereum transactions and messages
EIP-3074’s co-authors tried to calm fears with a post published on Binance claiming to be “unaware” of any wallet that allowed signing of improperly prefixed messages without a user warning.
Transactions use the prefix 0x04, and the authors of the EIP hope that all major Ethereum wallets will flag 0x04 messages with prominent warnings to inform the user about their expansive power to authorize multiple withdrawals, including possible theft.
“The caller field in the EIP-3074 signature is very important,” they wrote solemnly. “A bad caller could steal your funds.”
Read more: Seneca Protocol hack highlights dangers of Ethereum’s token approval mechanism
Today’s Pectra fork also added EIP-7702, raising the stakes even higher. With the power of EIP-7702, a single malicious signature can temporarily delegate someone’s entire account to a third-party smart contract.
If that contract is malicious, it could potentially drain all assets (ETH, tokens, NFTs) in one go.
As opposed to pre-Pectra Ethereum transactions, the possible attack surface for victims is broader with EIP-7702 because externally owned accounts (EOAs) are now exposed to third-party temporary smart contract vulnerabilities.
This temporary delegation of executable code was not a concern before Pectra.
Although warnings are proliferating across social media, there are no reports yet of a successful theft of funds using the new Pectra-enabled attack vector.
Most wallet providers like MetaMask were prepared for Pectra and added prominent warnings for EIP-3074 message signings.
Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.