Ethereum’s latest network upgrade, Pectra, introduces new features aimed at improving scalability and smart-account functionality. It also opens a new way for attackers to drain funds from user wallets using nothing more than an offchain signature. The upgrade, which went live on May 7 at epoch 364032, adds a transaction type that lets an attacker take control of an externally owned account (EOA) without the victim ever signing an onchain transaction: the victim signs an offchain authorization, and the attacker can submit the transaction that installs it, and pay its gas, themselves.

Arda Usman, a Solidity smart contract auditor, confirmed that this vulnerability allows attackers to drain an EOA’s funds using only an offchain signed message.

At the core of the risk is EIP-7702, which introduces the SetCode transaction. It lets a user delegate control of their wallet to a contract by signing an authorization offchain; once that authorization is included in a SetCode transaction, the account’s code points at the delegate contract, which then executes with the account’s funds and permissions. The authorization is a signature over a raw 32-byte hash rather than an EIP-191 "personal_sign" message or an EIP-712 typed message, so a wallet that only warns on those formats may show no warning at all. Attackers can obtain the signature through familiar offchain channels such as phishing emails, fake DApps, or Discord scams.

Yehor Rudytsia, an onchain researcher at Hacken, highlighted that this new transaction type essentially turns user wallets into programmable smart contracts, allowing arbitrary code to be installed on the account with a simple offchain signature.

Wallet developers must show a clear, specific warning whenever a user is asked to sign a delegation authorization, because the new delegation signatures introduced by EIP-7702 may bypass normal wallet warnings. Hardware wallets are no longer inherently safer: the private key never leaves the device, but if the user approves a malicious authorization the delegation is installed just the same, so against this attack they are as exposed as hot wallets. Multisignature wallets remain more secure under the upgrade, but single-key wallets need new tooling to detect and refuse unwanted delegations.

Beyond EIP-7702, Pectra also shipped EIP-7251, which raises the maximum effective balance a single validator can stake, and EIP-7691, which increases blob throughput for layer-2 rollups.
Users are advised to exercise caution, refuse to sign any 32-byte hash their wallet cannot decode and explain, and stay informed about the risks that come with the Pectra upgrade. Anyone who suspects their account has been delegated can check its code onchain (eth_getCode): a delegated EOA returns 0xef0100 followed by the 20-byte delegate address, and the delegation can be cleared by signing a fresh authorization for the zero address.
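The following added example (not code from the article or from any wallet vendor) shows concretely what an EIP-7702 authorization is and how to inspect an account for an installed delegation. It builds the authorization preimage `0x05 || rlp([chain_id, address, nonce])` and its Keccak-256 digest, which is the raw hash a victim is tricked into signing, produces the warnings a wallet should display for it, and parses the delegation designator that `eth_getCode` returns for a delegated EOA. It uses only the standard library: the Keccak-256 and RLP routines are written inline because `hashlib.sha3_256` uses different padding from Ethereum's Keccak. The delegate address, chain ID and nonce in the demo are constructed sample values, and the function names are this example's own.

```python
"""Added example: build, explain and detect EIP-7702 delegation authorizations."""

MAGIC = b"\x05"                      # EIP-7702 authorization domain separator byte
DELEGATION_PREFIX = b"\xef\x01\x00"  # code stored at a delegated EOA: prefix || delegate address
ZERO_ADDRESS = bytes(20)             # delegating to 0x0 clears an existing delegation

# --- Keccak-256, as used by Ethereum (pad byte 0x01, not SHA3's 0x06) ------------------
_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]  # rho offsets, indexed [x][y]
_MASK = (1 << 64) - 1


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & _MASK if n else v


def _keccak_f(s):
    """Keccak-f[1600] on 25 little-endian 64-bit lanes; lane (x, y) lives at s[x + 5*y]."""
    for rc in _RC:
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        s = [s[i] ^ d[i % 5] for i in range(25)]                      # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(s[x + 5 * y], _ROT[x][y])  # rho + pi
        s = [b[i] ^ ((~b[(i % 5 + 1) % 5 + 5 * (i // 5)]) & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]                                       # chi
        s[0] ^= rc                                                     # iota
    return s


def keccak256(data: bytes) -> bytes:
    rate = 136
    msg = bytearray(data) + b"\x01"
    msg += b"\x00" * (-len(msg) % rate)
    msg[-1] |= 0x80                      # pad10*1
    state = [0] * 25
    for off in range(0, len(msg), rate):
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
        state = _keccak_f(state)
    return b"".join(lane.to_bytes(8, "little") for lane in state[:4])


# --- minimal RLP encoder for ints, byte strings and lists ------------------------------
def _rlp_len(n, offset):
    if n < 56:
        return bytes([offset + n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(nb)]) + nb


def rlp_encode(item) -> bytes:
    if isinstance(item, int):
        item = item.to_bytes((item.bit_length() + 7) // 8, "big")   # 0 encodes as empty string
    if isinstance(item, (bytes, bytearray)):
        if len(item) == 1 and item[0] < 0x80:
            return bytes(item)
        return _rlp_len(len(item), 0x80) + bytes(item)
    payload = b"".join(rlp_encode(x) for x in item)
    return _rlp_len(len(payload), 0xC0) + payload


# --- EIP-7702 authorization: what the victim is actually asked to sign -----------------
def authorization_preimage(chain_id: int, delegate: bytes, nonce: int) -> bytes:
    return MAGIC + rlp_encode([chain_id, delegate, nonce])


def authorization_digest(chain_id: int, delegate: bytes, nonce: int) -> bytes:
    # No "\x19Ethereum Signed Message:\n" prefix and no EIP-712 domain: a wallet that
    # only warns on those formats will present this as an opaque 32-byte hash.
    return keccak256(authorization_preimage(chain_id, delegate, nonce))


def authorization_warnings(chain_id: int, delegate: bytes) -> list:
    """Warnings a wallet should show before letting the user sign an authorization."""
    warnings = []
    if delegate == ZERO_ADDRESS:
        warnings.append("This signature clears the delegation on your account.")
    else:
        warnings.append("This signature lets contract 0x%s execute with your account's "
                        "funds and permissions." % delegate.hex())
    if chain_id == 0:
        warnings.append("chain_id 0: this authorization is valid on every chain.")
    return warnings


# --- Detection: is an EOA already delegated? (input is the eth_getCode result) ----------
def parse_delegation(code: bytes):
    """Return the delegate address for a 0xef0100||address designator, else None."""
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None


if __name__ == "__main__":
    delegate = bytes.fromhex("a1" * 20)          # constructed sample delegate address
    print("digest to sign:", authorization_digest(0, delegate, 7).hex())
    print("\n".join(authorization_warnings(0, delegate)))
    print("delegated to:", parse_delegation(DELEGATION_PREFIX + delegate))
```

The two checks worth keeping from this are `authorization_warnings`, which is the kind of explicit prompt a wallet should show instead of a bare hash, and `parse_delegation`, which turns an `eth_getCode` response into a yes/no answer on whether an account has been hijacked; a non-empty result on an address that was never meant to be delegated is the signal to sign a revocation for the zero address from a clean device.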
