Trump’s Crypto Project WLFI Under Attack as Ethereum Upgrade Backfires – What Went Wrong?
Hackers are systematically exploiting Ethereum’s EIP-7702 upgrade to steal World Liberty Financial tokens from Donald Trump’s crypto project, according to SlowMist security researchers.
The attacks leverage a vulnerability in the May Pectra upgrade that allows externally owned accounts (EOAs) to delegate control to smart contracts, enabling attackers to plant malicious code that immediately drains all incoming ETH and tokens.
World Liberty Financial Becomes Latest Victim of Ethereum Exploit
According to SlowMist, several WLFI token holders have lost their assets after hackers combined private key theft with malicious delegate contract deployment.
The exploit technique has matured quickly since Ethereum’s Pectra upgrade launched on May 7, with over 97% of EIP-7702 delegations linked to identical wallet-draining contracts designed to automatically sweep funds.
Security firm SlowMist warned that victims whose private keys are compromised face full asset loss through pre-planted malicious delegates.
When users transfer ETH for gas or receive tokens like WLFI, the malicious contracts instantly redirect all funds to attacker-controlled addresses, leaving wallets completely compromised.
The vulnerability stems from EIP-7702’s design, which permits EOAs to temporarily borrow execution logic from designated smart contracts.

Attackers exploit this vulnerability by installing delegate contracts that use DELEGATECALL to execute malicious code within the victim’s wallet context, thereby gaining full control over its storage and funds.
Ethereum’s Account Abstraction Dream Becomes Security Nightmare
EIP-7702 was designed to improve Ethereum’s user experience by enabling wallets to execute smart contracts without permanently becoming contract-based addresses.
The upgrade aimed to reduce gas fees through bundled transactions and allow fees to be paid in cryptocurrencies other than ETH, supporting Vitalik Buterin’s vision of seamless Web3 adoption.
However, the implementation created significant security risks when combined with private key compromise.
Hackers pre-install malicious delegate addresses that gain full wallet control through DELEGATECALL operations, effectively turning victim wallets into attacker-controlled smart contracts while keeping the original address.
Notable incidents include a $1.54 million phishing attack in August, where victims signed disguised batch transactions, and Inferno Drainer’s $146,000 MetaMask wallet drain through a malicious delegation authorization.
The phishing group netted over $9 million across chains in 2025 by convincing users to authorize attacker-controlled delegate contracts.
Earlier, in June, Wintermute’s research revealed that automated sweeper contracts account for the overwhelming majority of EIP-7702 delegations, creating a systematic threat to Ethereum users.
The market maker developed CrimeEnjoyor, a tool that injects warnings into verified malicious contracts stating they are “used by bad guys to automatically sweep all incoming ETH.”
Multiple Attack Vectors Emerge From Flawed Upgrade Implementation
Beyond World Liberty Financial token theft, EIP-7702 exploitation has enabled various attack methods targeting different vulnerability points.
Phishing campaigns impersonate trusted DeFi platforms to trick users into signing harmful batch transactions and delegate approvals, leading to immediate fund drainage upon authorization.
In particular, off-chain signature attacks pose another significant threat, as the vulnerability allows hackers to remotely install malicious code in wallets using signed messages rather than on-chain transactions.
This technique bypasses conventional security measures and operates stealthily, requiring only a compromised signature to grant total wallet control.
Similarly, flash loan and reentrancy exploits leverage EIP-7702 features to bypass on-chain security logic, enabling price manipulation attacks against DeFi protocols.
Recent contract attacks caused losses approaching one million dollars in established DeFi projects through compromised delegated authorizations.
The technical root cause lies in EIP-7702’s delegation mechanism combined with DELEGATECALL operations that execute in the victim’s wallet context.
When private keys are compromised through phishing or other means, attackers can set malicious delegate contracts that automatically steal any incoming value.
Security experts recommend avoiding suspicious delegation requests, verifying all transaction permissions, and canceling compromised delegate contracts where possible.
However, the fundamental design that allows EOAs to delegate execution creates an attack surface that criminals continue to exploit as the technique matures.
Notably, the upgrade raised the validator staking limit from 32 ETH to 2,048 ETH while introducing auto-compounding features designed to attract conservative institutional capital.
While the upgrade aimed to improve user experience and reduce costs, the security trade-offs have overshadowed these benefits as users face wallet-draining threats. The security vulnerabilities have created new attack vectors that criminals quickly weaponized.
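The delegation mechanism described above, and the advice to verify permissions and cancel compromised delegates, both come down to one on-chain fact: after an EIP-7702 authorization, the EOA’s account code is the 23-byte designator 0xef0100 followed by the 20-byte delegate address, and clearing the delegation restores empty code. The following Python is an added example written for this article, not code from SlowMist, Wintermute or any wallet vendor. It parses that designator and classifies accounts against a sweeper denylist; the account codes and the sweeper address are constructed placeholders so it runs offline, and a real monitor would obtain the code with eth_getCode instead.

```python
"""Check whether accounts carry an EIP-7702 delegation and flag known sweepers.

Added example for this article (not SlowMist's, Wintermute's or a wallet's code).
Per EIP-7702, a delegated EOA's account code is exactly
    0xef0100 || <20-byte delegate address>   (23 bytes)
and a revoked delegation leaves the code empty. The bytes below are constructed
placeholders standing in for the result of eth_getCode on each account.
"""
from typing import Dict, Optional, Set

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation designator
DESIGNATOR_LEN = 3 + 20                       # prefix + delegate address


def parse_delegation(code: bytes) -> Optional[str]:
    """Return the 0x-prefixed delegate address if `code` is an EIP-7702 designator, else None."""
    if len(code) != DESIGNATOR_LEN or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[3:].hex()


def classify_account(code: bytes, known_sweepers: Set[str]) -> str:
    """Classify an account from its code.

    "eoa"       - empty code, no delegation in place
    "contract"  - code that is not a 7702 designator (an ordinary contract)
    "delegated-to-known-sweeper:<addr>" - designator pointing at a denylisted address
    "delegated:<addr>"                  - designator pointing elsewhere (verify manually)
    """
    if not code:
        return "eoa"
    delegate = parse_delegation(code)
    if delegate is None:
        return "contract"
    if delegate.lower() in known_sweepers:
        return f"delegated-to-known-sweeper:{delegate}"
    return f"delegated:{delegate}"


def audit(accounts: Dict[str, bytes], known_sweepers: Set[str]) -> Dict[str, str]:
    """Classify every account in `accounts` (address -> account code)."""
    return {addr: classify_account(code, known_sweepers) for addr, code in accounts.items()}


# --- constructed sample data: placeholder addresses, not real on-chain values ---
SWEEPER = "0x" + "ba" * 20   # hypothetical sweeper address taken from a denylist
LEGIT = "0x" + "0c" * 20     # hypothetical delegate published by a wallet vendor
KNOWN_SWEEPERS = {SWEEPER.lower()}

SAMPLE_ACCOUNTS = {
    "0x" + "01" * 20: b"",                                             # untouched EOA
    "0x" + "02" * 20: DELEGATION_PREFIX + bytes.fromhex(SWEEPER[2:]),  # delegated to sweeper
    "0x" + "03" * 20: DELEGATION_PREFIX + bytes.fromhex(LEGIT[2:]),    # delegated elsewhere
    "0x" + "04" * 20: bytes.fromhex("6080604052"),                     # ordinary contract prologue
    "0x" + "05" * 20: DELEGATION_PREFIX + b"\x00" * 19,                # malformed designator (22 bytes)
}

if __name__ == "__main__":
    for addr, verdict in audit(SAMPLE_ACCOUNTS, KNOWN_SWEEPERS).items():
        print(addr, verdict)
```

A wallet or monitoring job can run this check against its own addresses after every signing session and alert on any delegation it did not set itself. Canceling a delegation is done by signing a new EIP-7702 authorization to the zero address, which clears the code; as the article notes, that only helps once the private key is no longer in the attacker’s hands, because a stolen key lets them re-delegate at will.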
The post Trump’s Crypto Project WLFI Under Attack as Ethereum Upgrade Backfires – What Went Wrong? appeared first on Cryptonews.

(@evilcos)
ALERT: An address upgraded to EIP-7702 lost $146,551 through malicious batched transactions in a phishing attack.