What Changed with Pectra?
On May 7, Ethereum activated the Pectra upgrade at epoch 364032. While it brings scalability improvements and enhanced smart account functionality, a new attack vector was quietly born—courtesy of EIP-7702. EIP-7702 introduces transaction type 0x04 (SetCode), which lets users delegate wallet control to a smart contract by signing an offchain message, not a traditional onchain transaction.
That’s the danger: signing alone is now enough to give away wallet control.
How the Attack Works
A scammer tricks you into signing a message (via a phishing site, fake DApp, Discord scam, etc.). That signature sets your wallet’s code to point to their malicious contract. The attacker then executes transactions from your wallet without you signing anything else. Your funds are gone. Instantly.
This turns even regular Ethereum wallets (EOAs) into programmable contracts under someone else’s control.
Hardware Wallets Are No Longer Immune
Traditionally, hardware wallets were considered safe. But under Pectra, signing a malicious message on a cold wallet has the same catastrophic effect as signing it on a hot wallet.
Wallets and platforms that don’t recognize transaction type 0x04 or fail to properly flag delegation messages are most vulnerable.
How to Protect Yourself
- Never sign a message you don’t fully understand.
- Watch for suspicious delegation requests — especially those including your wallet nonce.
- If your wallet doesn’t warn you about SetCode messages, switch to one that does.
- Multisig wallets offer added protection and are currently safer under Pectra.
- Developers should update wallet UIs to display clear warnings for these signature types.
Also note: EIP-7702 allows chain-agnostic signatures (with chain_id = 0), so a signed message could be replayed on any Ethereum-compatible chain.
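The kind of check a wallet UI or monitoring script could run before signing and after the fact, as an added example that is not part of the original article. The function names, the allowlist parameter, and the sample address are assumptions made for illustration; the 0xef0100 prefix and the (chain_id, address, nonce) tuple come from the EIP-7702 specification.

```python
# Added example: hypothetical helper names, constructed sample values.
DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation designator

def delegated_to(code_hex):
    """Return the delegate address if the account code (e.g. an eth_getCode
    result) is a delegation designator: 0xef0100 || 20-byte address."""
    code = bytes.fromhex(code_hex.removeprefix("0x"))
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None  # plain EOA (empty code) or an ordinary contract

def review_authorization(auth, current_chain_id, allowlist=frozenset()):
    """Return the warnings to show before the user signs an EIP-7702
    authorization tuple (chain_id, address, nonce)."""
    addr = auth["address"].lower()
    if int(addr, 16) == 0:
        # Per EIP-7702, delegating to the zero address clears the delegation.
        return ["Clears any existing delegation (address is zero)."]
    warnings = [f"SetCode delegation: code at {addr} will run as this account."]
    if auth["chain_id"] == 0:
        warnings.append("chain_id = 0: signature is valid on every chain.")
    elif auth["chain_id"] != current_chain_id:
        warnings.append("chain_id does not match the connected network.")
    if addr not in allowlist:
        warnings.append("Delegate contract is not on the wallet's allowlist.")
    return warnings

if __name__ == "__main__":
    delegate = "0x" + "ab" * 20  # constructed address, not a real contract
    request = {"chain_id": 0, "address": delegate, "nonce": 7}
    for warning in review_authorization(request, current_chain_id=1):
        print("WARNING:", warning)
    # Constructed eth_getCode result for an account that has been delegated.
    print("delegated to:", delegated_to("0xef0100" + "ab" * 20))
```

An account whose code decodes to an unexpected delegate can be reset by signing a new authorization that points at the zero address.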