Ethereum contract vulnerability triggers fund risk, ninety-five ETH flow to anonymous address


According to the latest warning from security monitoring firm CertiK, a fund-theft incident involving a vulnerability in Ethereum technology has surfaced. Malicious actors exploited an uninitialized-state vulnerability in an EIP-7702 delegate contract to illegally obtain owner permissions, then transferred a large amount of funds from the delegatee address.

Attack Details and Fund Scale

In this incident, the malicious actors transferred a total of 95 ETH. At the current market price (approximately $3.13K per ETH), the funds involved are worth about $280,000. The funds were subsequently routed through a mixing protocol to obscure their source and destination. This step indicates that the attackers have some expertise in evading fund tracing.

Root Cause Analysis of the Technical Vulnerability

EIP-7702 is an important upgrade proposal in the Ethereum ecosystem, aimed at optimizing contract authorization mechanisms. However, incomplete initialization in some implementations gave attackers an opening: when the contract's state is not properly initialized, an attacker can set the key permission variables directly and take full control of the contract's fund-management functions.
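To make the root cause concrete, the following is an added, hypothetical pair of delegate contracts written for this article; it is not the code involved in the incident (whose source the report does not show). The function names `initialize` and `execute`, the `owner` slot and the `onlySelf` check are assumptions chosen to illustrate the failure mode. The point it shows: under EIP-7702 the delegating account runs the delegate's code in its own storage, so anything the delegate's constructor set is simply absent there, and an initializer that anyone may call lets a third party claim ownership before the legitimate account does.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical EIP-7702 delegate contracts for illustration only (not the
/// contract from the incident). When an account delegates to this code, the
/// code executes in the ACCOUNT's storage, so values written by the delegate
/// contract's constructor are never present there: `owner` reads as
/// address(0) until some call sets it.

contract VulnerableDelegate {
    address public owner;

    /// Defect: no caller check. Whoever calls this first, for example right
    /// after the delegation appears on-chain, becomes owner of the account.
    function initialize(address newOwner) external {
        require(owner == address(0), "already initialized");
        owner = newOwner;
    }

    /// Owner-gated transfer; with a hijacked owner slot this drains the account.
    function execute(address to, uint256 value, bytes calldata data) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: value}(data);
        require(ok, "call failed");
    }

    receive() external payable {}
}

contract HardenedDelegate {
    address public owner;

    /// Under EIP-7702, address(this) is the delegating account itself, so this
    /// admits only calls that account authored (a transaction it sends to its
    /// own address), never a third party.
    modifier onlySelf() {
        require(msg.sender == address(this), "only self");
        _;
    }

    /// Fix: initialization is restricted to the delegating account and
    /// rejects the zero address, so the slot cannot be claimed by an outsider.
    function initialize(address newOwner) external onlySelf {
        require(owner == address(0), "already initialized");
        require(newOwner != address(0), "zero owner");
        owner = newOwner;
    }

    /// The delegating account itself always retains control of its funds.
    function execute(address to, uint256 value, bytes calldata data) external {
        require(msg.sender == owner || msg.sender == address(this), "not authorized");
        (bool ok, ) = to.call{value: value}(data);
        require(ok, "call failed");
    }

    receive() external payable {}
}
```

Two design notes follow from this. First, the initialization call should be carried in the same transaction as the EIP-7702 authorization (or be gated on a signature from the delegating account), so that no window exists between "delegation set" and "owner set". Second, a useful audit check for any delegate contract is to list every function that writes permission state and confirm each one is gated on `msg.sender == address(this)` or an equivalent proof that the delegating account authorised it; an ungated initializer in a delegate is exactly the pattern described above.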

Industry Warning and Protective Recommendations

This incident is a reminder to developers and users to exercise extra caution when deploying and using new contracts. Project teams should conduct more rigorous code audits before going live, especially of the core modules that handle permission management and fund transfers. Users should likewise verify the security of contract code before granting permissions. Regulatory agencies, such as those in the Marshall Islands, should strengthen reporting mechanisms for such security incidents.
