Security incident strikes again. Someone exploited a vulnerability in an uninitialized EIP-7702 delegate contract, gaining full ownership rights and draining all funds. The amount? 95 ETH, which was subsequently transferred to Tornado Cash.
The key point of this incident lies here: the attacker exploited an initialization flaw present in the relatively new feature EIP-7702. In simple terms, the contract was not properly initialized, rendering permission verification ineffective. Once the attacker obtained the owner role, withdrawing funds became a matter of minutes.
It is worth noting that the funds were then sent to a mixer. This indicates that the attacker is attempting to cut off the money trail and increase tracking difficulty. For contract developers, this serves as a reminder — even small initialization logic cannot be overlooked, especially in parts involving permission management.
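The post describes the flaw only in outline, so the following Solidity sketch is an added example, not the delegate contract from this incident or any code published by Gate. It reconstructs the general pattern the post points at: under EIP-7702 an externally owned account points its code at a delegate, and calls to that account run the delegate's code against the account's own storage, which starts out empty. An `initialize()` that anyone can call therefore lets the first caller install themselves as owner. The contract and function names (`VulnerableDelegate`, `HardenedDelegate`, `initialize`, `execute`) and the `owner`/`initialized` layout are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (assumed names and layout), not the contract from the
// incident. Storage of an EIP-7702-delegated account starts empty, so
// `owner` is address(0) until initialize() runs. Nothing restricts who
// may call it, so any address can become owner of the account.
contract VulnerableDelegate {
    address public owner;

    function initialize(address newOwner) external {
        require(owner == address(0), "already initialized");
        owner = newOwner; // first caller wins
    }

    function execute(address to, uint256 value, bytes calldata data) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: value}(data);
        require(ok, "call failed");
    }

    receive() external payable {}
}

// Hardened version. When the delegate runs in the account's context,
// address(this) is the account itself, so requiring msg.sender ==
// address(this) means only a transaction the account signs can set the
// owner; relayed or sponsored calls from any other sender are rejected.
// An explicit flag blocks re-initialization independently of `owner`.
contract HardenedDelegate {
    address public owner;
    bool private initialized;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function initialize(address newOwner) external {
        require(!initialized, "already initialized");
        require(msg.sender == address(this), "only the account itself");
        require(newOwner != address(0), "zero owner");
        initialized = true;
        owner = newOwner;
    }

    function execute(address to, uint256 value, bytes calldata data)
        external
        onlyOwner
    {
        (bool ok, ) = to.call{value: value}(data);
        require(ok, "call failed");
    }

    receive() external payable {}
}
```

The review question for any EIP-7702 delegate is therefore not whether an initializer exists but who may call it and whether it can be called again; a self-call check (or, equivalently, verifying a signature from the account) plus an initialized flag closes the window the post describes. Initializing in the same transaction that sets the delegation is also preferable so the account is never live in an uninitialized state.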
SignatureDenied
· 18h ago
It's another case of poor initialization; who doesn't crash these days?
EIP-7702 has issues again; developers need to be more careful.
95 ETH sent to Tornado, can't even chase it back.
New features come with many pitfalls; thorough auditing is essential.
Permission management cannot be taken lightly; the cost is too high.
RektButStillHere
· 18h ago
Here we go again... launching directly without proper initialization, these guys are really practicing coding with user funds
---
Is it really just about 95 ETH into Tornado? Tracking this matter still relies on on-chain detectives
---
EIP-7702 is truly a Pandora's box, daring to deploy without fully understanding the new features? Seriously
---
Permission management can also go wrong, I just want to know who audited this contract
---
Another classic example of "initialization logic is minor and can be ignored," the tuition fee is really expensive
---
One-stop mixing service, this guy's early work is quite professional...
---
Developers should be more cautious, it seems that the pitfalls of EIP-7702 are more numerous than expected
PretendingToReadDocs
· 18h ago
Another initialization vulnerability, these developers really need to be more careful
---
95 ETH was quickly moved into Tornado Cash, leaving so fast
---
EIP-7702 was just launched and was immediately exploited? That's really intense
---
Permission management is truly a battleground, no room for carelessness
---
Before the contract could even warm up, someone exploited it for profit, really embarrassing
---
It's always the same pattern: initialize → gain permissions → run away with the funds
---
If this happened with 95 ETH in the past, it would have caused a huge public outcry
---
I'm telling you, the pitfalls of new features are the deepest, now you regret it, right?
---
Really, how careful must one be to prevent these vulnerabilities?
---
Tornado Cash has appeared again, how to track it this time?
MoneyBurnerSociety
· 18h ago
Another initialization vulnerability, this guy directly inherited the contract owner's skin.
---
The new feature of EIP-7702 was immediately exploited after release; contract developers really should pay attention to this.
---
95 ETH into Tornado, and it's done; now on-chain evidence collection is extremely difficult.
---
Is permission verification just a formality? Isn't this just my stable loss strategy in reverse operation?
---
Can't even handle initialization properly, and still dare to write DeFi contracts. I advise everyone to conduct self-audits quickly.
---
Another story of a new feature and a new vulnerability, EIP-7702 is quite aggressive.
---
Once you enter a mixer, you'll never get out; the attacker’s transaction fee is well spent.
---
Honestly, anyone can fall into the trap of initialization; I've lost twice just on this part.
---
Owner permissions can all be seized; this contract is really imaginative.