Hackers are systematically exploiting Ethereum’s EIP-7702 upgrade to steal World Liberty Financial tokens from Donald Trump’s crypto project, according to SlowMist security researchers.
The attacks leverage a vulnerability in the May Pectra upgrade that allows externally owned accounts to delegate control to smart contracts, enabling attackers to plant malicious code that instantly drains all incoming ETH and tokens.
According to SlowMist, multiple WLFI token holders have lost their assets after hackers combined private key theft with malicious delegate contract deployment.
The exploit technique has matured rapidly since Ethereum’s Pectra upgrade launched May 7, with over 97% of EIP-7702 delegations linked to identical wallet-draining contracts designed to automatically sweep funds.
Security firm SlowMist warned that victims whose private keys are compromised face complete asset loss through pre-planted malicious delegates.
When users transfer ETH for gas or receive tokens like WLFI, the malicious contracts immediately redirect all funds to attacker-controlled addresses, leaving wallets permanently compromised.
The vulnerability stems from EIP-7702’s design, which allows EOAs to borrow execution logic from designated smart contracts temporarily.
Attackers exploit this vulnerability by installing delegate contracts that use the DELEGATECALL function to execute malicious code within the victim’s wallet context, thereby gaining complete control over the storage and funds.
EIP-7702 was designed to enhance Ethereum’s user experience by enabling wallets to execute smart contracts without permanently becoming contract-based addresses.
The upgrade aimed to reduce gas fees through bundled transactions and allow settlement using cryptocurrencies other than ETH, supporting Vitalik Buterin’s vision of seamless Web3 adoption.
However, the implementation created critical security risks when combined with private key compromise.
Hackers pre-install malicious delegate addresses that gain complete wallet control through DELEGATECALL operations, effectively turning victim wallets into attacker-controlled smart contracts while maintaining the original address.
Notable incidents include a $1.54 million phishing attack in August, where victims signed disguised batch transactions, and Inferno Drainer’s $146,000 MetaMask wallet drain through malicious delegation authorization.
The phishing group netted over $9 million across chains in 2025 by convincing users to authorize attacker-controlled delegate contracts.
Earlier in June, Wintermute’s research revealed that automated sweeper contracts account for the vast majority of EIP-7702 delegations, creating a systematic threat to Ethereum users.
The market maker developed CrimeEnjoyor, a tool that injects warnings into verified malicious contracts stating they are “used by bad guys to automatically sweep all incoming ETH.”
Beyond World Liberty Financial token theft, EIP-7702 exploitation has enabled diverse attack methods targeting different vulnerability points.
Phishing campaigns impersonate trusted DeFi platforms to trick users into signing dangerous batch transactions and delegate approvals, leading to immediate fund drainage upon authorization.
Particularly, off-chain signature attacks pose another significant threat with this vulnerability, as it enables hackers to remotely install malicious code in wallets using signed messages rather than on-chain transactions.
This method bypasses traditional security measures and operates stealthily, requiring only a compromised signature to grant total wallet control.
Similarly, flash loan and reentrancy exploits leverage EIP-7702 features to bypass on-chain security logic, enabling price manipulation attacks against DeFi protocols.
Recent contract attacks caused losses approaching one million dollars in established DeFi projects through compromised delegated authorizations.
The technical root cause lies in EIP-7702’s delegation mechanism combined with DELEGATECALL operations that execute in the victim’s wallet context.
When private keys are compromised through phishing or other means, attackers can set malicious delegate contracts that automatically steal any incoming value.
Security experts recommend avoiding suspicious delegation requests, verifying all transaction permissions, and canceling compromised delegate contracts when possible.
However, the fundamental design that allows EOAs to delegate execution creates an attack surface that criminals continue to exploit as the technique matures.
Notably, the upgrade increased validator staking limits from 32 ETH to 2,048 ETH while introducing auto-compounding features designed to attract conservative institutional capital.
While the upgrade aimed to improve user experience and reduce costs, the security trade-offs have overshadowed these benefits as users face wallet-draining threats. The security vulnerabilities have created new attack vectors that criminals rapidly weaponized.
