Ethereum’s recent Pectra upgrade, launched on May 7, brings advanced features for smart accounts — but it also introduces a major vulnerability that could let attackers hijack wallets with nothing more than a signed message.
At the center is EIP-7702, which allows users to delegate wallet control via offchain signatures. While meant to simplify smart account functionality, the change means a malicious signature — acquired through phishing or fake apps — can rewrite wallet code and forward control to an attacker’s contract. No transaction confirmation required.
Security experts warn that even hardware wallets are now exposed if users unknowingly approve delegation messages. Because these signatures bypass standard formats and can be replayed across chains, detecting them is difficult.
Adding to the risk, these delegation messages often appear as simple, unsigned hashes — making them harder for wallets to flag or interpret. Without clear warnings from wallet interfaces, users may unknowingly hand over control of their accounts.
Although multisig wallets still offer protection, most individual wallets — including cold storage — need urgent updates to handle the new signature type. Until then, signing an unfamiliar message could mean instant and irreversible loss.
Alexander Stefanov
Reporter at Coindoo
Alex is an experienced finance journalist and a cryptocurrency and blockchain enthusiast. With over 8 years of experience covering the crypto, blockchain and fintech industries, he deeply understands the complex and constantly evolving world of digital assets. His insightful and thought-provoking articles provide readers with a clear picture of the latest developments and trends in the market. His passionate approach allows him to break down complex ideas into accessible and insightful content. Follow up on his content to be up to date with the most important trends and topics.
Source: https://coindoo.com/ethereums-pectra-upgrade-unlocks-powerful-features-and-a-dangerous-flaw/