Wintermute Injects Warnings into Malicious Ethereum Contracts

  • Wintermute injects clear warnings (“NOT SEND ANY ETH”) directly into malicious Ethereum contracts designed to auto-drain compromised wallets.
  • Wintermute reversed malicious bytecode into readable Solidity and verified it publicly, forcing their warning message to appear visibly.

Ethereum users face a new threat targeting their crypto wallets. Market maker Wintermute announced it has developed code to warn users directly within dangerous smart contracts designed to steal funds. This action follows the discovery of a widespread attack method exploiting a recent Ethereum upgrade.

Wintermute calls its code “CrimeEnjoyor”. It functions by inserting a clear, visible warning message directly into the bytecode of malicious contracts. These specific contracts automatically seize all Ether (ETH) sent to wallets where the private keys have been exposed. The injected warning states: “This contract is used by bad guys to automatically sweep all incoming ETH.” It adds a direct instruction: “NOT SEND ANY ETH.”

[Figure: Wintermute's CrimeEnjoyor contract with a warning statement. Source: Wintermute]

The attack takes advantage of Ethereum Improvement Proposal 7702 (EIP-7702). EIP-7702, part of the recent Pectra upgrade, permits users to grant temporary control of their wallets to smart contracts. Wintermute’s research revealed a concerning pattern: over 97% of all authorizations using EIP-7702 were directed towards multiple contracts running identical code. Wintermute identified these contracts as automated sweepers, built solely to drain ETH from vulnerable addresses.

[Figure: Distribution of EIP-7702 delegate contracts on Ethereum. CrimeEnjoyor's share has fallen to 94.7% at the time of writing. Source: Wintermute/Dune Analytics]
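The clustering pattern described above can be checked from account code alone. The sketch below is an added example, not Wintermute's code or part of the original article. It assumes account code has already been fetched (for instance with `eth_getCode`), and all addresses and bytecode in it are constructed placeholders.

```python
import hashlib
from collections import Counter

# EIP-7702: a delegating account's code is 0xef0100 + the 20-byte delegate address (23 bytes).
DELEGATION_PREFIX = bytes.fromhex("ef0100")

def _unhex(value):
    return bytes.fromhex(value[2:] if value.startswith("0x") else value)

def parse_delegation(code_hex):
    """Return the delegate address if code_hex is a delegation designator, else None."""
    raw = _unhex(code_hex)
    if len(raw) == 23 and raw.startswith(DELEGATION_PREFIX):
        return "0x" + raw[3:].hex()
    return None

def cluster_delegates(account_code, delegate_code):
    """Count delegating accounts per fingerprint of the delegate's runtime bytecode."""
    known = {addr.lower(): code for addr, code in delegate_code.items()}
    counts = Counter()
    for code in account_code.values():
        delegate = parse_delegation(code)
        if delegate is None:
            continue  # plain EOA or ordinary contract, no delegation set
        runtime = known.get(delegate)
        # SHA-256 is only a local grouping key here, not the on-chain code hash.
        key = hashlib.sha256(_unhex(runtime)).hexdigest()[:16] if runtime else "unfetched"
        counts[key] += 1
    return counts

def dominant_share(counts):
    """Return (fingerprint, share) for the bytecode that most accounts delegate to."""
    total = sum(counts.values())
    if total == 0:
        return None, 0.0
    key, n = counts.most_common(1)[0]
    return key, n / total

# Constructed sample data: placeholder addresses and placeholder bytes, not real contracts.
SAMPLE_DELEGATE_CODE = {
    "0x" + "aa" * 20: "0x600160005500",  # identical bytes deployed at two addresses
    "0x" + "bb" * 20: "0x600160005500",
    "0x" + "cc" * 20: "0x6002600055",
}
SAMPLE_ACCOUNT_CODE = {
    "acct1": "0xef0100" + "aa" * 20, "acct2": "0xef0100" + "bb" * 20,
    "acct3": "0xef0100" + "aa" * 20, "acct4": "0xef0100" + "cc" * 20,
    "acct5": "0x", "acct6": "0x6080604052",  # undelegated EOA, ordinary contract
}
```

On the sample data, three of the four delegating accounts point at the same bytecode even though it lives at two different addresses, which is why grouping by code rather than by address surfaces the cluster.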

To make the warnings appear, Wintermute’s team performed a technical process. They converted the malicious contracts’ low-level Ethereum Virtual Machine (EVM) bytecode back into human-readable Solidity code. They then verified this code publicly on blockchain explorers, enabling the “CrimeEnjoyor” warning message to display.

It is important to note that EIP-7702 remains an optional feature. Basic operations like sending ETH do not require its use. However, Wintermute pointed out a challenge: the lack of verification for these delegated contracts makes it hard for users, especially newcomers, to tell safe infrastructure apart from harmful exploits. “With more compromised contracts tagged,” Wintermute stated, “more activity can be surfaced and more users can be protected.”

The real-world impact is already visible. Blockchain security firm Scam Sniffer reported a user loss of $146,550 on May 23rd. The user signed several malicious transactions grouped together, exploiting the EIP-7702 delegation vulnerability.

Since the Pectra upgrade activated on Ethereum on May 7th (starting at epoch 364032), a total of 12,329 transactions have utilized EIP-7702.

The Pectra upgrade also included two other changes:

  • EIP-7251: This increases the maximum amount of Ether a single validator can stake from 32 ETH to 2,048 ETH. The goal is to simplify operations for larger staking entities.
  • EIP-7691: This raises the number of data “blobs” processed in each Ethereum block. The intended effect is improved capacity for Ethereum layer 2 networks and potentially lower transaction fees for users.

[Figure: ETH/USDT price chart, 2025-06-02. Source: ETH/Tradingview]

Ethereum (ETH) is trading at $2,518.60 USD, reflecting a daily drop of −0.81%. Despite this modest decline, ETH has posted a strong +36.72% gain over the past month, signaling renewed investor confidence following a period of weakness earlier in the year. However, year-to-date, ETH is still down −24.38%, and over the past six months, it’s fallen −30.39%, indicating that it is still in the process of recovering from a prolonged downtrend.

Recent headlines around Ethereum’s EIP-7702 upgrade—exploited in some cases by malicious contracts—have raised concerns over smart contract security, but they haven’t significantly impacted ETH’s overall price structure. If bulls regain momentum and the $2,700 level is breached, analysts point toward $3,000 as the next major psychological and technical target.

Isai Alexei