Tuesday, June 3

Ethereum users will be warned of a new attack capable of draining their wallets, as crypto market maker Wintermute says it has created code that injects a warning into verified malicious contracts.

Wintermute’s code, dubbed “CrimeEnjoyor,” prints a warning within malicious Ethereum contracts that are “designed to auto-sweep funds” from wallets with leaked private keys, it said in a May 30 X post. 

The warning reads that the malicious contract “is used by bad guys to automatically sweep all incoming ETH” and prominently warns to “NOT SEND ANY ETH.”

Wintermute’s CrimeEnjoyor contract with a warning statement. Source: Wintermute

The malicious contracts exploit a feature introduced in Ethereum’s Pectra upgrade, called Ethereum Improvement Proposal-7702 (EIP-7702), that allows users to temporarily delegate control of their wallets to smart contracts, the firm said.

Wintermute said that its research team found “over 97% of all EIP-7702 delegations were authorized to multiple contracts using the same exact code.”

“These are sweepers, used to automatically drain incoming ETH from compromised addresses,” it explained.

Wintermute said that, to make the CrimeEnjoyor code show up in the malicious contracts, it reversed their Ethereum Virtual Machine bytecode into human-readable Solidity code and publicly verified it.

“This one copy-pasted bytecode now accounts for the majority of all EIP-7702 delegations. It’s funny, bleak, and fascinating at the same time.”

Distribution of EIP-7702 delegate contracts on Ethereum. CrimeEnjoyor’s share has fallen to 94.7% at the time of writing. Source: Wintermute / Dune Analytics
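
The grouping behind that statistic can be reproduced from account code alone, as in the following added example, which is not Wintermute's code. It assumes the delegation designator format from the EIP-7702 specification (`0xef0100` followed by the delegate address), uses constructed addresses and bytecode with hypothetical function names, and uses SHA-256 as a stand-in fingerprint for keccak256.

```python
import hashlib

# Per the EIP-7702 spec, a delegated account's code is 0xef0100 || 20-byte delegate address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")

def _unhex(value):
    return bytes.fromhex(value[2:] if value[:2].lower() == "0x" else value)

def parse_delegation(code_hex):
    """Return the delegate address if the code is a delegation designator, else None."""
    raw = _unhex(code_hex)
    if len(raw) == 23 and raw.startswith(DELEGATION_PREFIX):
        return "0x" + raw[3:].hex()
    return None  # empty code (plain EOA) or ordinary contract bytecode

def fingerprint(bytecode_hex):
    # SHA-256 stands in for keccak256, which the Python standard library lacks.
    return hashlib.sha256(_unhex(bytecode_hex)).hexdigest()

def cluster_delegations(account_codes, delegate_bytecode):
    """Map delegate-bytecode fingerprint -> list of accounts delegating to that code."""
    clusters = {}
    for account, code in account_codes.items():
        delegate = parse_delegation(code)
        if delegate is not None:
            fp = fingerprint(delegate_bytecode.get(delegate, "0x"))
            clusters.setdefault(fp, []).append(account)
    return clusters

def largest_cluster_share(clusters):
    """Fraction of all delegations that point at the single most common bytecode."""
    total = sum(len(v) for v in clusters.values())
    return max(len(v) for v in clusters.values()) / total if total else 0.0

# Constructed sample data: delegates A and B are different addresses with identical bytecode.
A, B, C = ("0x" + b * 20 for b in ("aa", "bb", "cc"))
DELEGATE_BYTECODE = {A: "0x6001600155", B: "0x6001600155", C: "0x60026000f3"}
ACCOUNT_CODES = {
    "0x" + "01" * 20: "0xef0100" + "aa" * 20,
    "0x" + "02" * 20: "0xef0100" + "aa" * 20,
    "0x" + "03" * 20: "0xef0100" + "bb" * 20,
    "0x" + "04" * 20: "0xef0100" + "cc" * 20,
    "0x" + "05" * 20: "0x",            # plain EOA, no delegation
    "0x" + "06" * 20: "0x6080604052",  # ordinary contract, not a delegation
}

if __name__ == "__main__":
    clusters = cluster_delegations(ACCOUNT_CODES, DELEGATE_BYTECODE)
    print(f"largest identical-bytecode cluster: {largest_cluster_share(clusters):.0%}")
```

Grouping by the delegate's bytecode rather than its address is what lets one tagged sample cover every redeployed copy of the same sweeper.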

EIP-7702 is optional, but transparency tools needed

EIP-7702 is an opt-in feature and is not required to perform basic Ethereum operations like native token transfers.

Wintermute said that while EIP-7702 expands Ethereum’s capabilities, a lack of verification makes it more difficult to distinguish legitimate infrastructure from malicious exploitation, particularly for new users.

“With more compromised contracts tagged, more activity can be surfaced and more users can be protected.”

One Ethereum user who tapped EIP-7702 lost $146,550 by signing several malicious batched transactions on May 23, blockchain security firm Scam Sniffer pointed out at the time.

A total of 12,329 EIP-7702 transactions have been made since the Pectra upgrade went live on Ethereum at the start of epoch 364032 on May 7. 

Pectra also introduced two other significant upgrades.

The first, EIP-725, increased the validator staking limit from 32 Ether (ETH) to 2,048 ETH to make operations easier for large stakers.

Pectra also introduced EIP-7691, which increases the number of data blobs per block with the aim of improving scalability on Ethereum layer 2s and reducing transaction fees. 

© 2025 Wuulu. All Rights Reserved.