QNT Reserve Pool Exploited for 1,988.5 QNT Through EIP-7702 Design Flaw

SlowMist detected a malicious transaction showing that delegated code and an unchecked batch execution path in a vulnerable EIP-7702 account enabled attackers to drain QNT from a reserve pool.


Summary

A QNT reserve pool was exploited for 1,988.5 QNT, valued at about 54.93 ETH, after attackers abused what SlowMist described as a vulnerable EIP-7702 account structure. According to SlowMist, the pool's EOA admin delegated its code to a BatchExecutor contract, which in turn authorized a permissionless BatchCall contract that performed no access checks. Because code reached through an EIP-7702 delegation runs in the context of the delegating account, any caller who could enter that unchecked batch path could make the admin account issue arbitrary calls, and the attackers used it to drain tokens from the reserve pool. The incident highlights how delegation-based account setups and missing authorization controls in batch execution logic can enable unauthorized fund transfers.

Terms & Concepts
  • EIP-7702: An Ethereum account abstraction standard, introduced in the Pectra upgrade, that lets an EOA set a delegation designator pointing at a contract. Calls to the EOA then execute that contract's code in the EOA's own context, with the EOA's balances and authority. The delegation is not a one-off: it persists until the account signs a new authorization that replaces or clears it. This adds flexibility but also new security risks if the delegated code's permission checks are poorly designed.
  • BatchCall: A contract function or tool that groups multiple calls into one transaction. When reached through a delegated account, every grouped call is sent from that account, so missing access controls or input checks let an arbitrary caller execute unauthorized operations with the account's authority.
  • EOA: An externally owned account on Ethereum that is controlled by a private key rather than by smart contract code. Under EIP-7702 an EOA can additionally carry delegated code, so an address that looks like a plain key-controlled account may behave like a contract when called.
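
The flaw described in the Summary and in the BatchCall entry above, as an added example (not code from the incident, from SlowMist, or from the contracts involved): two hypothetical batch executors intended as EIP-7702 delegation targets, the first with the missing caller check that lets anyone drive the delegating account, the second restricting execution to the account's own transactions, plus a small library that detects whether an address carries a delegation designator before it is trusted as a plain EOA. Contract, struct and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contracts written for this article. They are NOT the
// BatchExecutor or BatchCall contracts from the incident; names and
// shapes are assumptions.

struct Call {
    address to;
    uint256 value;
    bytes data;
}

// VULNERABLE: meant to be the delegation target of an EIP-7702 account.
// Once an EOA points its code at this contract, ANY caller can invoke
// execute() on the EOA, and every inner call goes out with msg.sender == EOA,
// i.e. with the EOA's token approvals, balances and admin rights.
contract UncheckedBatchExecutor {
    function execute(Call[] calldata calls) external payable {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) =
                calls[i].to.call{value: calls[i].value}(calls[i].data);
            if (!ok) {
                // bubble up the inner revert reason unchanged
                assembly { revert(add(ret, 32), mload(ret)) }
            }
        }
    }
}

// HARDENED: only the account itself may trigger the batch. When the
// delegating EOA sends a transaction to its own address, the delegated code
// runs with msg.sender == address(this); for any third-party caller the two
// differ, so the check rejects them before a single inner call is made.
contract CheckedBatchExecutor {
    error Unauthorized(address caller);

    function execute(Call[] calldata calls) external payable {
        if (msg.sender != address(this)) revert Unauthorized(msg.sender);
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) =
                calls[i].to.call{value: calls[i].value}(calls[i].data);
            if (!ok) {
                assembly { revert(add(ret, 32), mload(ret)) }
            }
        }
    }
}

// Check whether an address is an EIP-7702 delegated account. A delegated
// account's code is exactly 23 bytes: the designator prefix 0xef0100
// followed by the 20-byte target address (EXTCODESIZE/EXTCODECOPY return
// the designator itself, not the target's code).
library Delegation {
    function delegateOf(address account)
        internal
        view
        returns (bool delegated, address target)
    {
        bytes memory code = account.code;
        if (
            code.length != 23 ||
            code[0] != bytes1(0xef) ||
            code[1] != bytes1(0x01) ||
            code[2] != bytes1(0x00)
        ) {
            return (false, address(0));
        }
        // Bytes 3..22 of the code hold the target. Load the 32-byte word at
        // offset 32 (length slot) + 3 and keep its top 20 bytes.
        assembly {
            target := shr(96, mload(add(code, 35)))
        }
        delegated = true;
    }
}
```

The `msg.sender == address(this)` check is the minimal authorization for the self-transaction pattern, where the EOA signs and sends the batch itself. If a relayer or sponsor is meant to submit batches on the account's behalf, that check has to be replaced by verification of a signature from the account's key over the calls and a nonce; simply dropping the check, as the vulnerable contract does, turns the delegated account into a public proxy. `Delegation.delegateOf` is the off-chain or on-chain sanity check to run before treating an admin or pool address as a key-controlled EOA: if it returns a target, the address behaves as whatever that target's code allows.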