📢 Gate广场 #MBG任务挑战# 发帖赢大奖活动火热开启!
想要瓜分1,000枚MBG?现在就来参与,展示你的洞察与实操,成为MBG推广达人!
💰️ 本期将评选出20位优质发帖用户,每人可轻松获得50枚MBG!
如何参与:
1️⃣ 调研MBG项目
对MBG的基本面、社区治理、发展目标、代币经济模型等方面进行研究,分享你对项目的深度研究。
2️⃣ 参与并分享真实体验
参与MBG相关活动(包括CandyDrop、Launchpool或现货交易),并晒出你的参与截图、收益图或实用教程。可以是收益展示、简明易懂的新手攻略、小窍门,也可以是现货行情点位分析,内容详实优先。
3️⃣ 鼓励带新互动
如果你的帖子吸引到他人参与活动,或者有好友评论“已参与/已交易”,将大幅提升你的获奖概率!
MBG热门活动(帖文需附下列活动链接):
Gate第287期Launchpool:MBG — 质押ETH、MBG即可免费瓜分112,500 MBG,每小时领取奖励!参与攻略见公告:https://www.gate.com/announcements/article/46230
Gate CandyDrop第55期:CandyDrop x MBG — 通过首次交易、交易MBG、邀请好友注册交易即可分187,500 MBG!参与攻略见公告:https://www.gate.com/announcements
Pectra lets hackers drain wallets with just an offchain signature
Ethereum’s latest network upgrade, Pectra, introduced powerful new features aimed at improving scalability and smart account functionality — but it also opened a dangerous new attack vector that could allow hackers to drain funds from user wallets using only an offchain signature.
Under the Pectra upgrade, which went live on May 7 at epoch 364032, attackers can exploit a new transaction type to take control of externally owned accounts (EOAs) without requiring the user to sign an onchain transaction.
Arda Usman, a Solidity smart contract auditor, confirmed to Cointelegraph that “it becomes possible for an attacker to drain an EOA’s funds using only an offchain signed message (no direct onchain transaction signed by the user).”
At the center of the risk is EIP-7702, a core component of the Pectra upgrade. The Ethereum Improvement Proposal introduces the SetCode transaction (type 0x04), which enables users to delegate control of their wallet to another contract simply by signing a message.
If an attacker obtains this signature — say, via a phishing site — they can overwrite the wallet’s code with a small proxy that forwards calls to their malicious contract.
“Once the code is set,” Usman explained, “the attacker can invoke that code to transfer out the account’s ETH or tokens—all without the user ever signing a normal transfer transaction.”
Wallets can be altered with offchain signature
Yehor Rudytsia, onchain researcher at Hacken, noted that this new transaction type introduced by Pectra allows arbitrary code to be installed on the user’s account, essentially turning their wallet into a programmable smart contract.
“This tx type allows the user to set arbitrary code (smart contract) to be able to execute operations on the user’s behalf,” Rudytsia said.
Before Pectra, wallets could not be modified without a transaction signed directly by the user. Now, a simple offchain signature can install code that delegates complete control to an attacker’s contract.
“Pre-Pectra, users needed to send transaction (not sign message) to allow their funds to be moved… Post-Pectra, any operation may be executed from the contract which user approved via SET_CODE,” Rudytsia explained.
The threat is real and immediate. “Pectra activated May 7, 2025. From that moment, any valid delegation signature is actionable,” Usman warned. He added that smart contracts relying on outdated assumptions, such as using tx.origin or basic EOA-only checks, are particularly vulnerable.
Wallets and interfaces that fail to detect or properly represent these new transaction types are most at risk. Rudytsia warned that “wallets are vulnerable if they do not analyze Ethereum’s transaction types,” especially transaction type 0x04.
He emphasized that wallet engines must clearly display delegation requests and flag any suspicious addresses.
This new form of attack can be easily executed through common offchain interactions like phishing emails, fake DApps, or Discord scams.
“We believe it will be the most popular attack vector regarding these breaking changes introduced by Pectra,” Rudytsia said. “From now on, users have to carefully validate what they are going to sign.”
Hardware wallets are not safer anymore
Hardware wallets are no longer inherently safer, Rudytsia said. He added that hardware wallets from now on are at the same risk as hot wallets from the perspective of signing malicious messages. “If done—all the funds are gone in a moment.”
There are ways to stay safe, but they require awareness. “Users should not sign the messages they do not understand,” Rudytsia advised. He also urged wallet developers to provide clear warnings when users are asked to sign a delegation message.
Special caution should be taken with new delegation signature formats introduced by EIP-7702, which are not compatible with existing EIP-191 or EIP-712 standards. These messages often appear as simple 32-byte hashes and may bypass normal wallet warnings.
“If a message includes your account nonce, it’s probably affecting your account directly,” Usman warned. “Normal sign-in messages or offchain commitments don’t usually involve your nonce.”
Adding to the risk, EIP-7702 allows for signatures with chain_id = 0, meaning the signed message can be replayed on any Ethereum-compatible chain. “Understand it can be used anywhere,” Usman said.
While multisignature wallets remain more secure under this upgrade, thanks to their requirement for multiple signers, single-key wallets — hardware or otherwise — must adopt new signature parsing and red-flagging tools to prevent potential exploitation.
Alongside EIP-7702, Pectra also included EIP-7251, which raised Ethereum’s validator staking limit from 32 to 2,048 ETH, and EIP-7691, which increases the number of data blobs per block for better layer-2 scalability.
Magazine: Bitcoin eyes ‘crazy numbers,’ JD Vance set for Bitcoin talk: Hodler’s Digest, May 4 – 10