Attacker Exploits Uninitialized EIP-7702 Contract to Steal 95 ETH

CertiK alerts on $3.9M in ETH sent to Tornado Cash linked to suspicious token withdrawals, expanding the scope of recent Ethereum wallet exploit activity.

Summary

CertiK has reported that an address already associated with suspicious activity deposited 1,337.1 ETH, valued at approximately $3.9 million, into Tornado Cash. The funds originated from questionable withdrawals of Wrapped ETH (WETH) and Story (IP) tokens from a multisig wallet that may have been compromised. This adds to earlier incidents, including the theft of 95 ETH through exploitation of an uninitialized EIP-7702 delegation contract; in both cases the proceeds were routed through Tornado Cash to obscure their movement.

Terms & Concepts
  • EIP-7702: An Ethereum Improvement Proposal, activated on mainnet in the Pectra upgrade, that lets an externally owned account (EOA) sign an authorization designating a contract whose code the account will execute. The EOA's code becomes a 23-byte delegation designator (0xef0100 followed by the contract's address), and every call to the EOA runs the designated contract's code against the EOA's own storage and balance.
  • Tornado Cash: A decentralized Ethereum mixer enabling privacy by obscuring transaction origins and destinations.
  • Delegation Contract: A smart contract (self-executing blockchain code) that acts on behalf of another party; in EIP-7702 terms, the contract an EOA designates as its code, typically a smart-account implementation. Its state lives in the delegating account's storage, so any setup it needs (such as recording an owner) must be performed separately for each account. An "uninitialized" delegation is one where that setup was never run, and the general risk is that whoever calls the initializer first claims control of the account.
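
The risk behind the 95 ETH theft, shown as an added illustration written for this page (hypothetical contracts, not the code involved in the reported incident): a delegation target whose owner is set by an unguarded `initialize()`, next to a variant that only accepts initialization from the account itself and fails closed when no owner has been set. The contract and function names (`UninitializedWallet`, `HardenedWallet`, `initialize`, `execute`, `currentOwner`) are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Hypothetical EIP-7702 delegation target (written for this page, not the
// contract from the incident). After an EOA signs a 7702 authorization for
// this contract, the EOA's code becomes 0xef0100 || <this contract's address>
// and every call to the EOA runs this code with the EOA's own storage, so
// inside these functions address(this) is the EOA, not the implementation.
contract UninitializedWallet {
    // Stored in the delegating EOA's storage slot 0; zero until initialize() runs.
    address public owner;

    // BUG: nothing ties initialization to the delegating account. Delegation
    // and initialization are separate steps, so anyone who notices an account
    // that delegated here but never called this (e.g. by reading slot 0) can
    // call it first and become the owner.
    function initialize(address newOwner) external {
        require(owner == address(0), "already initialized");
        owner = newOwner;
    }

    // Whoever holds `owner` can move the EOA's ETH and tokens.
    function execute(address to, uint256 value, bytes calldata data) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: value}(data);
        require(ok, "call failed");
    }

    receive() external payable {}
}

// Hardened variant: only the account itself may initialize, and an account
// that never initialized is controlled by its own key rather than by nobody
// (which in practice means by whoever claims it first).
contract HardenedWallet {
    address public owner;

    // In a 7702 delegated call address(this) is the EOA. msg.sender equals it
    // only when the EOA signed a transaction to itself (or re-entered through
    // its own execute()), so a relayer or attacker cannot satisfy this check.
    modifier onlySelf() {
        require(msg.sender == address(this), "caller is not the account");
        _;
    }

    function initialize(address newOwner) external onlySelf {
        require(owner == address(0), "already initialized");
        require(newOwner != address(0), "zero owner");
        owner = newOwner;
    }

    // Fails closed: with no owner recorded, only the EOA's own key can act.
    function currentOwner() public view returns (address) {
        return owner == address(0) ? address(this) : owner;
    }

    function execute(address to, uint256 value, bytes calldata data) external {
        require(msg.sender == currentOwner(), "not owner");
        (bool ok, ) = to.call{value: value}(data);
        require(ok, "call failed");
    }

    receive() external payable {}
}
```

Implementations that need gas-sponsored setup usually replace the self-call rule with an `ecrecover` check of the account's own signature over the initialization parameters, which achieves the same binding. Either way, the practical pre-flight check before funding or trusting a 7702-delegated account is to confirm its code is a delegation designator pointing at the expected implementation and to read the owner slot in the account's storage, rather than assuming the implementation's constructor did anything for that account (it did not; constructors never run for delegated accounts).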