Ethereum’s Latest Upgrade Exposes Critical Security Gaps—Just as TradFi Starts Paying Attention

Author: FXleaders
Published: 2025-05-11 11:00:47

Ethereum’s much-hyped network upgrade just ripped open a security flaw that’ll have crypto maximalists sweating—and Wall Street ‘blockchain consultants’ updating their LinkedIn bios.

The vulnerability surfaced during stress-testing of the new protocol layer, revealing attack vectors that could let bad actors bypass node validation. Core devs are scrambling to ship patches, but the damage to ETH’s ‘ultra-secure’ narrative? Already done.

Meanwhile in traditional finance: hedge funds that spent Q1 pitching ‘institutional-grade blockchain infrastructure’ are suddenly very interested in ‘alternative Layer 1 solutions’ (read: shopping for discounts).

However, the upgrade created a risky new attack vector that might enable hackers to take money from user wallets with just an on-chain signature.

Solidity smart contract auditor Arda Usman confirmed the security vulnerability to Cointelegraph.

Attackers can take control of externally owned accounts (EOAs) by taking advantage of a new transaction type in the Pectra upgrade, which went live on May 7 at epoch 364032, without the users signing on-chain transactions. It becomes possible for an attacker to drain an EOA’s funds using only an off-chain signed message (no direct on-chain transaction signed by the user).

EIP-7702 is a critical component of the Pectra upgrade and is at the center of the potential threat. By signing a message, users can grant control of their wallet to another contract through the SetCode transaction (type 0x04), which is outlined in the Ethereum Improvement Proposal.

If an attacker obtains this signature, perhaps through a phishing website, they can replace the wallet’s code with a small proxy that redirects calls to their malicious contract. In contrast, before Pectra, wallets could not be altered without a transaction signed by the user.

These days, code that gives an attacker total control over a contract can be installed with a straightforward off-chain signature.
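
A defender-side check for the delegation described above, as an added example that is not part of the original article: once an EIP-7702 authorization is applied, the account's code becomes the 23-byte designator `0xef0100` followed by the delegate address, so code fetched with `eth_getCode` can be classified offline. The allowlist, the function names and every sample address are constructed for illustration.

```python
# Added example: classify account code (as returned by eth_getCode) for EIP-7702 delegation.
DELEGATION_PREFIX = bytes.fromhex("ef0100")  # delegation indicator defined by EIP-7702
ADDRESS_LEN = 20


def parse_delegation(code_hex):
    """Return the delegate address if code_hex is a delegation designator, else None."""
    raw = bytes.fromhex(code_hex.lower().removeprefix("0x"))
    if len(raw) == len(DELEGATION_PREFIX) + ADDRESS_LEN and raw.startswith(DELEGATION_PREFIX):
        return "0x" + raw[len(DELEGATION_PREFIX):].hex()
    return None


def classify_account(code_hex, trusted_delegates):
    """Label an account: plain-eoa, contract, delegated-trusted or delegated-unknown."""
    if code_hex.lower() in ("", "0x"):
        return "plain-eoa"  # no code: nothing has been delegated
    delegate = parse_delegation(code_hex)
    if delegate is None:
        return "contract"  # ordinary deployed bytecode, not a 7702 designator
    if delegate in trusted_delegates:
        return "delegated-trusted"
    return "delegated-unknown"  # wallet now runs code nobody vetted: investigate


def accounts_to_review(code_by_account, trusted_delegates):
    """Return {account: delegate} for every account delegated outside the allowlist."""
    flagged = {}
    for account, code_hex in code_by_account.items():
        if classify_account(code_hex, trusted_delegates) == "delegated-unknown":
            flagged[account] = parse_delegation(code_hex)
    return flagged


# Constructed sample data (addresses are placeholders, not real contracts).
TRUSTED = {"0x" + "11" * 20}  # hypothetical vetted wallet implementation
SAMPLE_CODE = {
    "0x" + "a1" * 20: "0x",                    # untouched EOA
    "0x" + "a2" * 20: "0xef0100" + "11" * 20,  # delegated to the vetted implementation
    "0x" + "a3" * 20: "0xEF0100" + "ab" * 20,  # delegated to an unknown contract
    "0x" + "a4" * 20: "0x6080604052",          # regular contract bytecode
}

if __name__ == "__main__":
    for account, delegate in accounts_to_review(SAMPLE_CODE, TRUSTED).items():
        print(f"{account} delegates to unvetted code at {delegate}")
```

An account that shows up as `delegated-unknown` without its owner having knowingly set a delegation is the on-chain trace of the scenario above.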
