Ethereum EIP-7702 phishing theft becomes the new favorite of hackers: WLFI investors' wallets were brutally emptied.

An investor who took part in the WLFI private sale reported that their wallet was completely emptied by hackers. The theft was traced to abuse of EIP-7702, a new Ethereum wallet upgrade feature. Hackers used malicious contracts to quietly authorize token transfers without the user's full permission, which highlights both users' lack of security awareness and how widely EIP-7702 is being abused.

WLFI investors fell victim to phishing: Wallet emptied overnight

Crypto KOL @FUGUIHK revealed on Twitter that a friend's MetaMask Wallet leaked its private key for unknown reasons. The wallet originally held $WLFI Token from a private sale, but when attempting to transfer ETH as Gas, the funds were immediately transferred to a hacker's address.

Because WLFI's official unlocking tool, the Lockbox contract, requires Gas to operate, the victim is stuck: they cannot transfer tokens out, and any tokens transferred in are stolen immediately. The situation has sparked widespread discussion in the community and raised concerns about whether WLFI and the Lockbox contract themselves contain security vulnerabilities.

Experts Reveal the Truth: EIP-7702 Becomes a Breeding Ground for Hackers

Yu Xian, founder of the blockchain security company SlowMist, pointed out that the core of the problem lies in the EIP-7702 contract. After obtaining the victim's private key, the hacker pre-deployed a malicious contract at that address, so that any transfer operation triggers a transfer of funds to the hacker.

He explained: "Now, as long as the victim tries to transfer the remaining tokens, such as WLFI from the Lockbox contract, the Gas used for the transfer will be taken away immediately."

Data shows that over 88% of the EIP-7702 Delegator contracts deployed on-chain are linked to criminal activity, making EIP-7702 a primary tool for hackers.

WLFI itself has no vulnerabilities; front-running may offer a way out

Although the incident involves the WLFI token of Trump's DeFi project, it currently appears that this matter is unrelated to the token and the Lockbox contract. It is reported that Lockbox is an audited smart contract responsible for managing the unlocking process of WLFI. Its code has been fully audited by the Web3 security company Cyfrin to ensure that the token unlocking process is transparent, secure, and without backdoors.

In other words, the victim held WLFI and therefore had to interact with the Lockbox, and the hacker used that necessity to set the trap; neither WLFI nor the Lockbox is the direct cause of the attack.

Yu Xian also stated that, in theory, a "front-running" rescue is still possible: using Flashbots to inject Gas, replace the malicious EIP-7702 contract, and transfer the assets out, all within a single block. However, this requires professional skills and a coordinated team.

He suggested that victims could seek assistance from other cybersecurity personnel including @0xAA_Scienceck6 and @BoxMrChen, but emphasized that the fundamental issue remains "private key leakage."

Crisis Alert: How to Prevent EIP-7702 Scam Attacks?

This incident highlights the risk of newly introduced features being maliciously exploited. For ordinary users, the main warnings and precautions are:

Avoid clicking on links or authorizations from unknown websites and DApps to prevent phishing attacks.

Verify the content and address of each transaction authorization.

Stay alert to new mechanisms, features, and products, such as the security risks of EIP-7702.

Use blockchain security enhancement tools like Pocket Universe or ScamSniffer to help determine the safety of transactions.
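
One way to check an address for the delegation described above (an added example, not code from the original article or from SlowMist). It relies on the EIP-7702 rule that a delegated account's code, as returned by the `eth_getCode` JSON-RPC call, is the 3-byte prefix `0xef0100` followed by the 20-byte delegate address. The sample code values and the trusted-delegate list are constructed for illustration.

```python
"""Classify an address from its eth_getCode result (EIP-7702 aware)."""

# EIP-7702 delegation designator: 0xef0100 followed by a 20-byte address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")
DESIGNATOR_LEN = len(DELEGATION_PREFIX) + 20  # 23 bytes in total

# Constructed sample values (not real on-chain data).
SAMPLE_TRUSTED_DELEGATE = "0x" + "11" * 20
SAMPLE_TRUSTED = "0xef0100" + "11" * 20
SAMPLE_UNKNOWN = "0xef0100" + "ab" * 20
SAMPLE_CONTRACT = "0x6080604052"


def get_code_request(address, request_id=1):
    """Build the JSON-RPC body that fetches the code stored at an address."""
    return {"jsonrpc": "2.0", "id": request_id,
            "method": "eth_getCode", "params": [address, "latest"]}


def parse_delegation(code_hex):
    """Return the delegate address (0x-prefixed, lowercase) or None."""
    raw = bytes.fromhex(code_hex[2:] if code_hex.startswith("0x") else code_hex)
    if len(raw) == DESIGNATOR_LEN and raw.startswith(DELEGATION_PREFIX):
        return "0x" + raw[len(DELEGATION_PREFIX):].hex()
    return None


def classify_account(code_hex, trusted_delegates=frozenset()):
    """Classify an address by the code the node reports for it."""
    if code_hex in ("", "0x"):
        return "plain-eoa"            # no code and no delegation
    delegate = parse_delegation(code_hex)
    if delegate is None:
        return "contract"             # ordinary deployed contract
    if delegate in {a.lower() for a in trusted_delegates}:
        return "delegated-trusted"    # delegate the owner chose knowingly
    return "delegated-unknown"        # treat the key as compromised


if __name__ == "__main__":
    for code in ("0x", SAMPLE_CONTRACT, SAMPLE_TRUSTED, SAMPLE_UNKNOWN):
        print(code[:14], classify_account(code, {SAMPLE_TRUSTED_DELEGATE}))
```

A result of `delegated-unknown` for a wallet whose owner never opted into a smart-account feature means a delegation was signed with that wallet's key, which matches the private-key leak described in this incident.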

Ultimately, this is not only a tragedy for the WLFI investor but also a wake-up call for the entire EVM ecosystem. As new standards and contract functionality keep advancing, hacking, scam, and phishing techniques will evolve with them. Only by strengthening cybersecurity awareness and doing one's own research can one avoid becoming the next victim.

This article, "Ethereum EIP-7702 phishing theft becomes the new favorite of hackers: WLFI investors' wallets were brutally emptied," was first reported by Chain News ABMedia.