The recent Ethereum Pectra upgrade, which let ordinary accounts behave like smart-contract wallets, raised the validator effective-balance limit and shipped several other changes, has inadvertently exposed user wallets to a severe "auto-drain" risk. Research by the Wintermute team shows that 97% of the new account delegations point to malicious "sweeper" contracts.
The upgrade, which went live on 7 May, introduced EIP-7702, an improvement proposal that lets an Externally Owned Account (EOA) delegate its execution to a contract's code so it can act like a smart-contract account. The delegation is installed by a signed authorization and stays in place until the account signs another one, so it can only be set by whoever holds the account's private key. In practice, most delegations so far have pointed to copy-pasted malicious code, putting a significant number of Ethereum users at risk.
In a recent X post, the Wintermute team revealed that 97% of EIP-7702 wallet delegations point to malicious "sweeper" contracts designed to drain ETH from compromised addresses automatically. These contracts, dubbed "CrimeEnjoyor" by Wintermute, are installed on wallets whose private keys have already leaked: the attacker uses the stolen key to sign the delegation, after which any ETH that lands on the address is siphoned off without any further action by the victim.
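A practitioner's first question is whether a given wallet already carries such a delegation. Under EIP-7702 a delegated EOA's code is a 23-byte designator, `0xef0100` followed by the 20-byte delegate address, and an account whose delegation has been reset has empty code again. The check below (an added example, not Wintermute's tooling) parses the bytes that an `eth_getCode` call would return, extracts the delegate, and flags it against a denylist. The sweeper address in the denylist and the code samples are constructed for the example; a real check would load the list from a source such as Wintermute's dashboard and fetch the code from a node.

```python
"""Classify an account's code as plain EOA, contract, or EIP-7702 delegation.

Added example; not code from the original article or from Wintermute.
Inputs are the raw bytes `eth_getCode` returns, supplied here as constructed
samples so the script runs offline.
"""
from dataclasses import dataclass
from typing import Optional, Set

# EIP-7702 delegation designator: 0xef 0x01 0x00 || 20-byte delegate address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")
DESIGNATOR_LEN = len(DELEGATION_PREFIX) + 20

# Hypothetical denylist of sweeper delegates (constructed, not a real address).
KNOWN_SWEEPERS: Set[str] = {"0x" + "be" * 20}


@dataclass(frozen=True)
class DelegationStatus:
    delegated: bool            # account code is a 7702 designator
    delegate: Optional[str]    # lowercase hex address of the delegate, if any
    sweeper: bool              # delegate is on the denylist
    note: str                  # human-readable verdict


def parse_delegation(code: bytes) -> Optional[str]:
    """Return the delegate address if `code` is exactly a 7702 designator, else None.

    Length is checked as well as the prefix: a contract whose bytecode merely
    begins with 0xef0100 is not a delegation (EIP-3541 already bars deployed
    code starting with 0xef, but the length check costs nothing).
    """
    if len(code) != DESIGNATOR_LEN or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[len(DELEGATION_PREFIX):].hex()


def classify(code_hex: str, denylist: Set[str] = KNOWN_SWEEPERS) -> DelegationStatus:
    """Classify the hex string returned by eth_getCode for one address."""
    stripped = code_hex[2:] if code_hex.lower().startswith("0x") else code_hex
    code = bytes.fromhex(stripped)
    if not code:
        return DelegationStatus(False, None, False,
                                "plain EOA: no code, delegation absent or reset")
    delegate = parse_delegation(code)
    if delegate is None:
        return DelegationStatus(False, None, False,
                                "contract account, not an EIP-7702 delegation")
    if delegate in {a.lower() for a in denylist}:
        return DelegationStatus(True, delegate, True,
                                "delegated to a known sweeper: incoming ETH will be forwarded")
    return DelegationStatus(True, delegate, False,
                            "delegated: verify the delegate's source before funding this address")


if __name__ == "__main__":
    # Constructed samples standing in for eth_getCode responses.
    samples = {
        "victim":   "0xef0100" + "be" * 20,   # delegated to the denylisted sweeper
        "legit":    "0xef0100" + "11" * 20,   # delegated to an unknown contract
        "plain":    "0x",                     # ordinary EOA
        "contract": "0x6080604052",           # start of normal contract bytecode
    }
    for label, code in samples.items():
        print(f"{label:9s} -> {classify(code).note}")
```

Only the denylisted case is a confirmed problem; a delegation to an unknown address is a prompt to read the delegate's verified source (or notice that there is none) before sending funds, which is exactly the gap Wintermute's CrimeEnjoyor labelling is meant to close.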
Wintermute's Dune dashboard counts over 79,000 addresses linked to these sweepers, with attackers spending a total of 2.88 ETH to authorize them.
To pin down the details, the firm decompiled the malicious bytecode into Solidity and published it as verified source under the name CrimeEnjoyor, so that the contract's intent is visible to anyone inspecting it and users are warned. Despite the scale of the operation, no successful drains through these contracts have been confirmed yet.
The Pectra upgrade aimed to streamline transactions through features such as transaction batching and gas sponsorship, and it was welcomed by early adopters like Uniswap and JumperExchange, which together account for 95% of EIP-7702 flows on Ethereum. However, because the sweeper contracts were deployed without verified source, their purpose was opaque to anyone inspecting a delegation, and that lack of transparency is what let the operation run at this scale.
This finding has raised concern in the crypto community, with experts urging users to exercise caution. As Ethereum evolves, robust verification and transparency tools are more critical than ever for protecting users from auto-drain threats of this kind.
