In a cautionary tale unfolding in the world of cryptocurrency, the market maker Wintermute has shed light on a troubling trend regarding malicious Ethereum contracts known as “CrimeEnjoyors.” These contracts are designed to target wallets with weak security, draining them of their funds under the veil of Ethereum Improvement Proposal (EIP)-7702, which enables standard Ethereum addresses to function as smart contracts.
Launched as part of last month’s Pectra upgrade, EIP-7702 aims to enhance user experience by facilitating tasks like batched transactions and password authentication. However, it has inadvertently opened the door to fraud: more than 80% of delegations made through this proposal involve code reused from copy-and-paste contracts. According to Wintermute, 97% of EIP-7702 delegations were authorized to multiple contracts running identical code, allowing them to search for weak wallets ripe for theft.
“Our Research team found that over 97% of all EIP-7702 delegations were authorized to multiple contracts using the same exact code. These are sweepers, used to automatically drain incoming ETH from compromised addresses,” Wintermute reported.
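An added example (not Wintermute's code or data): one way a defender could measure the code reuse described above, by recognising EIP-7702 delegation designators in account code and grouping delegate contracts by identical bytecode. All addresses and bytecode here are constructed placeholders, SHA-256 stands in for the keccak256 code hash so the block needs only the standard library, and the "share" metric is one possible reading of the statistic.

```python
import hashlib
from collections import defaultdict

PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation designator prefix

def parse_delegation(code: bytes):
    """Return the delegate address if code is 0xef0100 || 20-byte address, else None."""
    if len(code) == 23 and code.startswith(PREFIX):
        return "0x" + code[3:].hex()
    return None

def cluster_delegations(accounts, contract_code):
    """Group delegated accounts by a fingerprint of their delegate's bytecode."""
    clusters = defaultdict(lambda: {"delegates": set(), "accounts": set()})
    for account, code in accounts.items():
        delegate = parse_delegation(code)
        target = contract_code.get(delegate) if delegate else None
        if target is None:
            continue  # not delegated, or delegate bytecode not available
        fp = hashlib.sha256(target).hexdigest()  # stand-in for keccak256 code hash
        clusters[fp]["delegates"].add(delegate)
        clusters[fp]["accounts"].add(account)
    return dict(clusters)

def reused_code_share(clusters):
    """Share of delegations whose target bytecode is deployed at more than one address."""
    total = sum(len(c["accounts"]) for c in clusters.values())
    reused = sum(len(c["accounts"]) for c in clusters.values()
                 if len(c["delegates"]) > 1)
    return reused / total if total else 0.0

# --- Constructed sample data (placeholder addresses and bytes, not real contracts) ---
def addr(b: int) -> str:
    return "0x" + f"{b:02x}" * 20

def designator(delegate: str) -> bytes:
    return PREFIX + bytes.fromhex(delegate[2:])

CODE_A = bytes.fromhex("6000356000f3")      # same bytes deployed at two addresses
CODE_B = bytes.fromhex("60016002015000")    # a different contract, deployed once
CONTRACT_CODE = {addr(0xA1): CODE_A, addr(0xA2): CODE_A, addr(0xB1): CODE_B}
ACCOUNTS = {
    addr(0x01): designator(addr(0xA1)),
    addr(0x02): designator(addr(0xA2)),
    addr(0x03): designator(addr(0xA1)),
    addr(0x04): designator(addr(0xB1)),
    addr(0x05): b"",                        # ordinary account with no delegation
}

if __name__ == "__main__":
    print(reused_code_share(cluster_delegations(ACCOUNTS, CONTRACT_CODE)))
```

For wallet owners, the same `parse_delegation` check applied to their own address's code shows whether a delegation is currently set and to which contract.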
One notable incident highlighted the severity of the situation, with a single wallet losing close to $150,000 in Ethereum due to malicious batched transactions stemming from a phishing attack. Even more intriguing, while these CrimeEnjoyor contracts have unleashed a wave of exploits, they have not proven to be financially rewarding for the attackers involved. They reportedly expended around 2.88 ETH to authorize a staggering 79,000 addresses, with one address alone overseeing about half of these authorizations.
Interestingly, an analysis of these contracts shows that the stolen Ether can be traced back through the code. Yet, as of the latest findings, the addresses linked to these thefts have shown little to no incoming ETH transfers, indicating that stolen funds are potentially being held or transferred through intricate networks.
Malicious Ethereum Contracts and Their Impact
Key points regarding the threat of malicious Ethereum contracts and their implications for users are as follows:
- Identification of CrimeEnjoyors
  - Malicious contracts targeting weak wallets, known as “CrimeEnjoyors,” have been identified by Wintermute.
- Ethereum Improvement Proposal (EIP)-7702
  - EIP-7702 allows regular Ethereum addresses to temporarily function as smart contracts.
  - This enables features like batched transactions and password authentication but poses security risks.
- Increased Risk of Fund Drainage
  - Over 80% of delegations through EIP-7702 involve unsafe, copy-and-paste contracts.
  - These contracts are designed to automatically identify and siphon funds from compromised wallets.
- High Percentage of Reused Code
  - Research indicates that 97% of EIP-7702 delegations used identical code across multiple contracts.
  - This practice heightens vulnerability and makes detection more complex.
- Financial Impact on Users
  - Notable theft cases include a wallet losing nearly $150,000 through a phishing attack.
  - Despite the large scale of these attacks, the attackers have not profited significantly from them.
- Address Tracking
  - The code can be traced back to reveal theft patterns and analyze affected contracts.
  - Some identified addresses show no incoming ETH transfers despite being linked to high-value authorizations.
This situation serves as a critical reminder for users to enhance wallet security and remain vigilant against potential threats in the crypto ecosystem.
Analyzing the Rising Threat of Ethereum’s CrimeEnjoyors Contracts
The emergence of the “CrimeEnjoyors,” a term coined by Wintermute to describe malicious Ethereum contracts, highlights significant vulnerabilities in the crypto landscape. As these contracts exploit the Ethereum Improvement Proposal (EIP)-7702, which was designed to streamline user operations, they inadvertently increase risks for less secure wallets.
While EIP-7702 has brought advancements, such as allowing regular addresses to function as smart contracts, it also presents a double-edged sword for users. The capability to inject regular wallets into complex transactions enhances user convenience; however, the reality is that over 80% of delegations are linked to copy-and-paste contracts that auto-scan for weak spots. This represents a glaring disadvantage, considering the potential for hackers to exploit these permissions, leading to significant financial losses.
For crypto investors and users, especially those with less tech-savvy backgrounds, the situation poses a stark warning. Novices who find smart contract operations appealing may unknowingly put their assets at risk by utilizing compromised or inadequately secured wallets. On the flip side, seasoned traders and developers may benefit from increased scrutiny and awareness of security practices, urging them to adopt more robust measures to protect their holdings.
Undeniably, the fraudulent operations are complex. The attackers seem to have faced low profitability; spending approximately 2.88 ETH for access to 79,000 addresses indicates a fractal approach to their nefarious activities. This peculiar dynamic can confuse newcomers while highlighting a calculated strategy among seasoned hackers, raising questions about the long-term sustainability of such attacks.
Furthermore, the traceability of stolen ether, as noted by Wintermute, indicates that while thefts are rising, the stolen funds often remain stagnant post-theft, hampering the profitability for these criminals. Therefore, this could deter future attackers if the risk outweighs the reward, creating a chilling effect on this criminal behavior.
In summary, while the CrimeEnjoyors contracts illustrate a critical vulnerability within the Ethereum ecosystem, the dialogue they generate about wallet security can ultimately drive positive change. However, they also serve as a cautionary tale for users who may not engage with the blockchain space with adequate knowledge of their digital assets’ security implications.