One Click, Massive Loss: The EIP‑7702 Phishing Heist Explained

Introduction


A phishing attack exploiting Ethereum’s recent EIP‑7702 upgrade drained nearly $1 million in tokens from a single investor after they signed a deceptive batch transaction that appeared to be a Uniswap swap. Security researchers and platforms such as Scam Sniffer and SlowMist flagged the incident and described how a single signature allowed malicious contracts to execute multiple transfers and siphon assets before anyone could react (CryptoSlate, BitcoinEthereumNews).


EIP‑7702 (part of the Pectra upgrade) was designed to give external accounts temporary “smart‑contract” capabilities—batching transactions, gas sponsorship and spending limits—to improve user experience. Attackers have adapted the delegation mechanism to hide multi‑token drains inside apparently normal DEX router calls; analysts (and market makers like Wintermute) report a large share of early delegations are linked to malicious contracts, which makes these types of approvals particularly risky (ChainPlay, Scam Sniffer).


The episode underscores two practical takeaways: first, new protocol features can expand the attack surface and require users and wallet providers to adapt quickly; second, users should treat any signature or “upgrade” prompt with caution—verify domains, inspect the requested permissions, regularly audit and revoke stale approvals, and keep large holdings in custody systems or cold storage. Wallet providers like MetaMask have added warnings and guidance, and security firms continue to recommend on‑chain monitoring and improved UX that makes dangerous approvals clearer to end users.
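As an added example (not code from this article or from the firms it cites), the helper below decodes the EIP‑7702 delegation designator that a delegated account's code carries (the 23 bytes 0xef0100 followed by the 20‑byte delegate address), which is the on‑chain check a wallet or monitoring tool can use to flag delegations to contracts it has not reviewed. The account codes, addresses and allowlist are constructed for the demo.

```python
"""Decode EIP-7702 delegation designators from account code (added example).

Under EIP-7702 a delegated EOA's code is exactly 0xef0100 || <20-byte delegate>.
A monitor fetches account code (eth_getCode) and classifies it with these helpers.
"""
from dataclasses import dataclass
from typing import Optional

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 designator magic bytes
DESIGNATOR_LEN = 3 + 20                       # prefix + delegate address


@dataclass(frozen=True)
class DelegationStatus:
    delegated: bool
    delegate: Optional[str]  # lowercase hex address, or None
    reason: str


def parse_delegation(code: bytes) -> DelegationStatus:
    """Classify an account by its code: plain EOA, 7702-delegated, or contract."""
    if not code:
        return DelegationStatus(False, None, "empty code: plain EOA")
    if code[:3] != DELEGATION_PREFIX:
        return DelegationStatus(False, None, "non-designator code: regular contract")
    if len(code) != DESIGNATOR_LEN:
        # 0xef-prefixed code is reserved (EIP-3541), so a prefix match with the
        # wrong length is malformed, not a valid delegation.
        return DelegationStatus(False, None, f"malformed designator ({len(code)} bytes)")
    return DelegationStatus(True, "0x" + code[3:].hex(), "EIP-7702 delegation designator")


def flag_untrusted_delegations(accounts: dict, allowlist: set) -> list:
    """Return accounts delegated to a contract that is not on the reviewed allowlist.

    `accounts` maps address -> code bytes; `allowlist` holds lowercase hex
    addresses of delegate contracts already audited (assumption of this demo).
    """
    flagged = []
    for account, code in accounts.items():
        status = parse_delegation(code)
        if status.delegated and status.delegate not in allowlist:
            flagged.append(account)
    return flagged


if __name__ == "__main__":
    # Constructed samples: untouched EOA, delegation to a reviewed contract,
    # delegation to an unknown contract.
    trusted, unknown = "0x" + "11" * 20, "0x" + "22" * 20
    sample = {"0xaaaa": b"",
              "0xbbbb": DELEGATION_PREFIX + bytes.fromhex(trusted[2:]),
              "0xcccc": DELEGATION_PREFIX + bytes.fromhex(unknown[2:])}
    print(flag_untrusted_delegations(sample, {trusted}))  # ['0xcccc']
```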
